LAMP Firewall Configuration
Moderator: General Moderators
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
I want to run a firewall on my LAMP server. I'm using Ubuntu 6.10 server. Previously I used firehol to achieve this but the new version of the kernel I'm using doesn't seem to be compatible. So I went to try ipkungfu instead and that didn't work, saying "my kernel doesn't support LOGS". So basically I'm going to need to play around with iptables myself. I've been reading up on TCP/IP in order to learn how to do this but, well, it's really not very much fun. So:
- Does anybody have a bunch of iptables commands I can use to set up a basic firewall to block all requests except certain ones (I don't need anything complex like forwarding)?
- Can anybody point me to some good iptables tutorials? I've not been able to find anything of any quality or use.
- Or alternatively, does anybody have any other solutions to my predicament?
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
OK, I had a better response on another forum and was able to start with iptables by using this and this tutorial. I've stuck all this in a text file. But I'm not sure I've got this right, so I'd really like someone just to give it a look over. Some questions:
Code:
# server
iptables -F # flush: clear all rules
# policies (chain names are case-sensitive: INPUT, OUTPUT, FORWARD)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT # change this to DROP later

# localhost
iptables -A INPUT -i lo -j ACCEPT
# http (-s 0/0 means "any source"; -f selects second and later fragments)
iptables -A INPUT -p udp -s 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --dport 80 -f -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -f -j ACCEPT
# ssh (yes that is the correct port number, I changed it for my purposes)
iptables -A INPUT -p tcp -s 0/0 --dport 7645 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 7645 -f -j ACCEPT
# svn
iptables -A INPUT -p tcp -s 0/0 --dport 3690 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 3690 -f -j ACCEPT

- The sitepoint tutorial said I should specify the --syn flag to only allow new connections but then surely I can only accept new connections and never actually continue existing ones.
- is -s 0/0 necessary on all the lines?
- Could someone explain fragments a bit more, what rules should I have for these? Currently I'm allowing them through if they match certain destination ports, but how is that possible if they don't have the TCP headers. Apparently your server can be crashed by sending fragments on their own.
- Should I protect myself from SYN flooding? How do I do this?
ole wrote:
- The sitepoint tutorial said I should specify the --syn flag to only allow new connections but then surely I can only accept new connections and never actually continue existing ones.

Correct, you would need to add another rule to handle traffic from established connections.

ole wrote:
- is -s 0/0 necessary on all the lines?

Not sure, I would imagine if no source IP is specified then it probably defaults to any IP (equivalent to 0/0). Suck it and see I suppose, but unless you have physical access to the machine, it might not be something you want to be experimenting with.

ole wrote:
- Could someone explain fragments a bit more, what rules should I have for these? Currently I'm allowing them through if they match certain destination ports, but how is that possible if they don't have the TCP headers. Apparently your server can be crashed by sending fragments on their own.

You don't specify any type of protocol when filtering/dealing with fragments, you just define rules to drop or accept them. The first fragment is treated like any other packet, the rest (if you accept them) just flow straight through. Or at least that's my understanding of how it works. It's not really something I've looked too deeply into; I generally don't accept fragments unless I know for certain the machine will be dealing with/expecting them.

ole wrote:
- Should I protect myself from SYN flooding? How do I do this?

Personally, I'd say yes. I'd suggest a web search on 'iptables and syncookies' which will probably lead to some better explanations than I could offer.
I noticed you have added rules for UDP connections on port 80 for HTTP; I'm not aware of any HTTP traffic that comes in via UDP. As far as I'm aware, HTTP uses the TCP protocol only.
Lastly, I posted this bash script for setting up a basic firewall on linux machines. The script has some notes within which might help you. Note, I had one user tell me they had problems with the SSH connection throttling; I haven't really looked at the problem as yet, so use with caution.
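To tie the reply's four points together, the following is an added example (written for this page; it is neither ole's text file nor the bash script the reply links to) of a minimal stateful ruleset for the three services in the thread: an ESTABLISHED,RELATED rule so that --syn on the service rules is safe, an explicit drop for non-first fragments (which carry no TCP/UDP header and so can never match a --dport rule), syncookies plus a SYN rate limit against flooding, and no UDP/80 rule. The ssh port 7645 and svn port 3690 are taken from the thread; the chain name SYN_FLOOD, the 25/s limit and the run/DRY_RUN wrapper are my own choices, and it assumes the state match (-m state) is available on the poster's kernel.

```sh
#!/bin/sh
# Added example, not the poster's file or the linked script.
# Usage:  sh fw.sh show   (print the commands that would run)
#         sh fw.sh apply  (run them; needs root)
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
SSH_PORT="${SSH_PORT:-7645}"   # the poster's non-default sshd port
SVN_PORT="${SVN_PORT:-3690}"   # svnserve

# Run a command, or only print it when DRY_RUN=1, so the ruleset can be
# reviewed on a box where you are not root (or before locking yourself out).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # Kernel-side SYN-flood defence: syncookies take over when the
    # listen backlog fills with half-open connections.
    run "$SYSCTL" -w net.ipv4.tcp_syncookies=1

    run "$IPT" -F
    run "$IPT" -X
    # Chain names are case-sensitive: INPUT, not input.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    run "$IPT" -A INPUT -i lo -j ACCEPT

    # Packets that belong to a connection this host already accepted or
    # opened itself. Without this rule, --syn on the service rules below
    # would admit only the handshake; every later segment would hit the
    # DROP policy. Packets the state tracker cannot classify are dropped.
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Second and later fragments have no transport header, so "-f --dport 80"
    # can never match. Drop them explicitly instead of relying on port rules.
    run "$IPT" -A INPUT -f -j DROP

    # Rate-limit new TCP connection attempts (SYN set, ACK clear); SYNs above
    # the limit are dropped before they reach the per-service rules.
    run "$IPT" -N SYN_FLOOD
    run "$IPT" -A SYN_FLOOD -m limit --limit 25/s --limit-burst 50 -j RETURN
    run "$IPT" -A SYN_FLOOD -j DROP
    run "$IPT" -A INPUT -p tcp --syn -j SYN_FLOOD

    # Services: only the opening SYN needs a rule; the state rule carries
    # the rest of each connection. HTTP is TCP only, so no UDP/80 rule.
    run "$IPT" -A INPUT -p tcp --syn --dport 80 -j ACCEPT
    run "$IPT" -A INPUT -p tcp --syn --dport "$SSH_PORT" -j ACCEPT
    run "$IPT" -A INPUT -p tcp --syn --dport "$SVN_PORT" -j ACCEPT
}

case "${1:-}" in
    show)  DRY_RUN=1; firewall_rules ;;
    apply) firewall_rules ;;
esac
```

Run `sh fw.sh show` first and read the output top to bottom: rule order matters, and the ESTABLISHED,RELATED rule must sit above the SYN_FLOOD and service rules so that traffic on the already-open ssh session never passes through the SYN limiter. Without console access, wrap `apply` in something like `sleep 300 && iptables -F` run in the background so a mistake undoes itself.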