
LAMP Firewall Configuration

Posted: Wed Jun 06, 2007 10:09 am
by Ollie Saunders
I want to run a firewall on my LAMP server. I'm using Ubuntu 6.10 server. Previously I used firehol to achieve this but the new version of the kernel I'm using doesn't seem to be compatible. So I went to try ipkungfu instead and that didn't work saying "my kernel doesn't support LOGS". So basically I'm going to need to play around with iptables myself. I've been reading up on TCP/IP in order to learn how to do this but, well, it's really not very much fun. So
  • Does anybody have a bunch of iptables commands I can use to set up a basic firewall to block all requests except certain ones (I don't need anything complex like forwarding)?
  • Can anybody point me to some good iptables tutorials? I've not been able to find anything of any quality or use
  • or alternatively, does anybody have any other solutions to my predicament.
Thanks

Posted: Sat Jun 09, 2007 9:05 am
by Ollie Saunders
OK, I had a better response on another forum and was able to start with iptables by using this and this tutorial. I've stuck all this in a text file

  1 # server
  2         iptables -F # flush : clear all rules
  3         # policies (chain names are case-sensitive: INPUT, OUTPUT, FORWARD)
  4         iptables -P INPUT DROP
  5         iptables -P OUTPUT ACCEPT
  6         iptables -P FORWARD ACCEPT # change this to drop later
  7 
  8         # localhost
  9                 iptables -A INPUT -i lo -j ACCEPT
 10         # http (-p tcp/-p udp already loads the port match, so no bare -m is needed)
 11                 iptables -A INPUT -p udp -s 0/0 --dport 80 -j ACCEPT
 12                 iptables -A INPUT -p udp -s 0/0 --dport 80 -f -j ACCEPT
 13                 iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
 14                 iptables -A INPUT -p tcp -s 0/0 --dport 80 -f -j ACCEPT
 15         # ssh (yes that is the correct port number I changed it for my purposes)
 16                 iptables -A INPUT -p tcp -s 0/0 --dport 7645 -j ACCEPT
 17                 iptables -A INPUT -p tcp -s 0/0 --dport 7645 -f -j ACCEPT
 18         # svn (-f marks a rule for non-first fragments; it goes before -j, not after)
 19                 iptables -A INPUT -p tcp -s 0/0 --dport 3690 -j ACCEPT
 20                 iptables -A INPUT -p tcp -s 0/0 --dport 3690 -f -j ACCEPT
 21 
(line numbers generated by vim). But I'm not sure I've got this right, so I'd really like someone just to give it a look over. Some questions:
  • The sitepoint tutorial said I should specify the --syn flag to only allow new connections but then surely I can only accept new connections and never actually continue existing ones.
  • is -s 0/0 necessary on all the lines?
  • Could someone explain fragments a bit more, what rules should I have for these? Currently I'm allowing them through if they match certain destination ports, but how is that possible if they don't have the TCP headers. Apparently your server can be crashed by sending fragments on their own.
  • Should I protect myself from SYN flooding? How do I do this?

Posted: Wed Jun 13, 2007 5:58 pm
by redmonkey
ole wrote:
  • The sitepoint tutorial said I should specify the --syn flag to only allow new connections but then surely I can only accept new connections and never actually continue existing ones.
Correct, you would need to add another rule to handle traffic from established connections.
ole wrote:
  • is -s 0/0 necessary on all the lines?
Not sure, I would imagine if no source IP is specified then it probably defaults to any IP (equivalent to 0/0). Suck it and see I suppose, but unless you have physical access to the machine, it might not be something you want to be experimenting with.
ole wrote:
  • Could someone explain fragments a bit more, what rules should I have for these? Currently I'm allowing them through if they match certain destination ports, but how is that possible if they don't have the TCP headers. Apparently your server can be crashed by sending fragments on their own.
You don't specify any type of protocol when filtering/dealing with fragments, you just define rules to drop or accept them. The first fragment is treated like any other packet, the rest (if you accept them) just flow straight through. Or at least that's my understanding of how it works. It's not really something I've looked too deeply into, I generally don't accept fragments unless I know for certain the machine will be dealing with/expecting them.
ole wrote:
  • Should I protect myself from SYN flooding? How do I do this?
Personally, I'd say yes. I'd suggest a web search on 'iptables and syncookies' which will probably lead to some better explanations than I could offer.

I noticed you have added rules for UDP connections on port 80 for HTTP, I'm not aware of any HTTP traffic that comes in via UDP. As far as I'm aware, HTTP uses the TCP protocol only.

Lastly, I posted this bash script for setting up a basic firewall on Linux machines. The script has some notes within which might help you. Note, I had one user tell me they had problems with the SSH connection throttling, I haven't really looked at the problem as yet so use with caution.