Blog

Ask Some Geeks

Hot Topics

Post Archive

Securing a Linux server with Iptables

You can save and restore your iptable rules by using the iptables-save and iptables-restore commands. An example of an iptables-save file is below, and as you see it allows access to http (port 80), https (port 443), smtp and pop3 (ports 110 and 25), ftp (port 21), dns (port 53), mysql (port 3306), ssh (port 22), plesk (port 8443), and a few others. It also allows traffic through ports 51000 through 51010. This is because ProFTPd is configured to forward established connections to these ports; Otherwise, it’ll use any high port and you won’t be able to lock anything down.

# Generated by iptables-save v1.2.7a on Fri Oct 15 18:04:43 2004
*filter
:INPUT ACCEPT [6496247:1563147047]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10757411:8360947636]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 443 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –sport 443 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 8443 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 110 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 110 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 25 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 25 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 21 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 21 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 20 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 20 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 3306 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 3306 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 53 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51000 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51001 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51002 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51003 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51004 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51005 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51006 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51007 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51008 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51009 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51010 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 22 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 80 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 217.160.242.226 -p udp -m udp –dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 217.160.242.226 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 217.160.243.251 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 195.20.224.99 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 195.20.224.234 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –tcp-flags SYN,RST,ACK SYN -j REJECT –reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT –reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Oct 15 18:04:43 2004

Here is an example of a cronjob that restores the Iptables rules. I added the cronjob to ensure that IPtables was always loaded with the correct rules. This was on a dev box and we were messing with a lot of ports at the time so we wanted to make sure that it was reset periodically. It also helps for when the box was rebooted to make sure the rules were loaded. Of course, a better way to do that would be to modify the startup scripts. Also, you can put the firewall.txt file where ever you want. It doesn’t need to be in root’s home directory.

### Restore Iptables Rules
5 7,14,21 * * * /sbin/iptables-restore -c < /root/firewall.txt

And finally, to set up the ftp server to only use the specified ports, configure /etc/proftpd.conf and add this line:

PassivePorts 51000 51010

The actual ports could be any unused high port, so keep that in mind. It can also be more than 10 ports (which essentially would allow 10 concurrent connections). Whatever you do, you’ll need to make sure the iptable rules allow the ports you’re expecting FTP to transfer data on.

Darren linux | security | iptables

Displaying 1 post

Online Information for Geeks

no show

Blog

Hot Topics

Post Archive

Tags

Securing a Linux server with Iptables

Online Information for Geeks

Resource Links