iptables question about loop back

[bowlesj]

Hi, I am about to run a script to install a very basic firewall. The full script is in the code below with comments (the basic criteria is near the top). I am a bit uncertain about this command.
"iptables -A INPUT -i lo -j ACCEPT"
On place I was reading it is needed for loop back. Initially I thought this meant that Putty and WinSCP (which I am using) may be using it to check the signals they are sending. I understood this until I read that this command is for local host only. It went on to say "Suppose we have 2 separate interfaces, eth0 which is our internal LAN connection and ppp0 dialup modem (or maybe eth1 for a nic) which is our external internet connection. We may want to allow all incoming packets on our internal LAN but still filter incoming packets on our external internet connection. We could do this as follows:"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT

then it went on to say "But be very careful - if we were to allow all packets for our external internet interface (for example, ppp0 dialup modem):"
iptables -A INPUT -i ppp0 -j ACCEPT
we would have effectively just disabled our firewall!

So from the above am I correct in assuming I should be using this (comments after the commands are my assumptions - or guesses). The confusion is one says it is for loop back yet the last statement says it could disable the firewall (implying that I would be thinking I have a firewall but I in fact do not).
iptables -A INPUT -i lo -j ACCEPT #loop back for local host just in case the host provider wants to communicate with my VPS across their intranet
iptables -A INPUT -i eth1 -j ACCEPT #loop back for any internet connections coming from a computer using a nic card.

Thanks,
John

If I ran the script below and it stopped any functions I was planning on running these two commands to clear it so everything works again.
iptables -P INPUT ACCEPT
iptables -F

Code: Select all

#!/bin/bash
#
# MyFireWall script
#
# Basic Website Criteria: 
#     PHP, MySql, Apache driven web pages with file down load and upload.
#     FTP is turned off and everything is working fine
#     Putty and WinSCP is used.
#     No incoming mail. Only outgoing mail with Postfix
#
# Created with http://wiki.centos.org/HowTos/Network/IPTables
# Created with http://articles.slicehost.com/assets/2007/9/4/iptables.txt
# created with https://help.ubuntu.com/community/IptablesHowTo
#
#
#If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT otherwise once we flush the current rules we will be locked out of our server.
 iptables -P INPUT ACCEPT
#
#
# Flush all current rules from iptables - We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
 iptables -F
#
#
# Set access for localhost
# use the -i switch (for interface) to specify packets matching or destined for the lo (localhost, 127.0.0.1) interface and finally
# So this rule will allow all incoming packets destined for the localhost interface to be accepted.
# This is generally required as many software applications expect to be able to communicate with the localhost adaptor.
#  Allows all loopback (lo0) traffic
 iptables -A INPUT -i lo -j ACCEPT
#
#
# Accept packets belonging to established and related connections
# we are adding (-A) it to the INPUT chain. 
# Here we're using the -m switch to load a module (state).
# The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED. 
# NEW refers to incoming packets that are new incoming connections that weren't initiated by the host system. 
# ESTABLISHED and RELATED refers to incoming packets that are part of an already established connection or related to and already established connection.
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#
# Here we add a rule allowing SSH connections over tcp port 22. - By default SSH uses port 22 and again uses the tcp protocol.
# So if we want to allow remote logins, we would need to allow tcp connections on port 22 Putty
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
#
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#
#
# Allow ping
 iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
#
# log iptables denied calls
 iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
# The -P switch sets the default policy on the specified chain. 
# So now we can set the default policy on the INPUT chain to DROP. 
# This means that if an incoming packet does not match one of the following rules it will be dropped.
# If we were connecting remotely via SSH and had not added the rule above, we would have just locked ourself out of the system at this point.
 iptables -P INPUT DROP
#
#
# set the default policy on the FORWARD chain to DROP as we're not using our computer as a router so there should not be any packets passing through our computer.
 iptables -P FORWARD DROP
#
#
# Set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).
 iptables -P OUTPUT ACCEPT
#
#
# Save settings - the last thing we need to do is save our rules so that next time we reboot our computer our rules are automatically reloaded:
# This executes the iptables init script, which runs /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables.
# Upon reboot, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
 /sbin/service iptables save
#
#
# List rules - we can list (-L) the rules we've just added to check they've been loaded correctly. -v means verbose
 iptables -L -v

[Celauran]

Close port 22, have sshd listen on some other port. Doesn't accomplish much, but your log files will thank you.

[bowlesj]

Thanks Celauran. John.

[Celauran]

While we're on the topic of modifying sshd configurations, I'd strongly recommend disabling password authentication (use RSA keys instead) and disallowing root logins.

[bowlesj]

Yes, I have these on my list (a list of 87 items to do - LOL - not too big). I have huge passwords for now (22 characters and 25 characters) both of which I have memorized with upper and lower case and numbers. I also want to put in a time-limit on the passwords or maybe it is a try limit (5 tries is easily safe enough with my huge passwords). I need to get back to that one as well. There is nothing to steal on my database except passwords but I warn users not to use financial passwords. I gather the main threat is people trying to use my VSP to send their spam email out (a free email server using my bandwidth). I shut down FTP that is on the list and I finally did it. The slow down is I have to learn each thing one at a time. Long passwords was easy. So I am trying to pick off one thing a day of the 87 items. So in 87 days maybe I will have the most secure VPS on the web :-; Probably not but it will be a lot better than it is now. I gather https is expensive. I won't bother with that one.

[Celauran]

There is nothing to steal on my database except passwords

That's potentially a big problem. There should not be passwords in your database. Password hashes, sure, but not actual passwords.

[bowlesj]

Sorry, I forgot to mention that the passwords are hashed.

Regarding the loopback question I found the link that mentioned it. It was he one you recommended I read (the first one I read). I copied the text below.
https://help.ubuntu.com/community/IptablesHowTo

The only problem with our setup so far is that even the loopback port is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late - after all the traffic has been dropped. We need to insert this rule before that. Since this is a lot of traffic, we'll insert it as the first rule so it's processed first.

This command is still in as is (shown above) and everything seems to be working fine.
iptables -A INPUT -i lo -j ACCEPT

[bowlesj]

On second thought lets delete the last post. I was thinking there are a few ways or variants to do all this (maybe all are good).

The keys idea is probably one of the easiest and most secure. I am not clear on everything yet so I can't do it until a few days pass. No one has explained how you log in with it.

Using a macro program to log in is a help. It executes macros in windows. I just tested it and it can be programmed to execute Putty then send key strokes to log you in and give you a beep sound once you are logged in. So you can set the largest possible length of random password and logging in is a simple shortcut key operation done perfectly every time. It took me 45 minutes to get it to work only because I was having trouble doing a load which would set the background colour of the Unix screen to white. Setting The Macro Program to log min in to WinSCP took about 5 minutes.

Setting up a special regular user for login is better than root login. The Macro Program would help because you could create a very ling random user ID and a very long random password and still log in perfectly every single time.

Fail2Ban is a good idea. I tried setting it to block the IP address for 24 hours. However it does not seem to work. Some Bots come back after 3 hours and try again but get kicked out on the first fail. I discovered today you an set it to ban permanently (see below).

This idea can basically be done with fail2ban (see below). This idea may be good too but a lot of work up front. In the past I was really good with bash, sed and awk. I was good enough that I probably could write a script to read the iptables file and the /var/log/secure file and create a new iptable file that had all the IP addresses to block with no duplication of IP addresses (skipping my ip address of course). I am assuming there is no limit to the number I can put in. I could have cron run this script maybe once a month. Eventually it would have all IP addresses of all brute force hacker attempts that failed with maybe only a few additions a month after that (if that). Unfortunately it would take me a few months to get all these skills back - LOL. Yeah, I use to spend 3 hours a day 7 days a week perfecting these skills for a few years there. I was a bit obsessed with shell scripting I think. I don't plan on doing this again.

I was reading about rolling the log file to keep it small. It could probably be set up to coordinate with the above mentioned script. Unfortunately I don't know how to do it yet.

Updates:
I plan on doing as much as I can on my list to increase security but here is what I have done with fail2ban.
**I set the bandtime = -1. This bans the IP address permanently until you restart fail2ban.
**I set the ignoreip = parameter to ignore my public IP (I tested with a 1 minute bantime and it works).
**I also I added the main ip from my windows ipconfig screen to "ignoreip =" just to feel safe since I am not an expert.
**I will check my public IP has not changed each morning using google search "what is my ip address". If it has I will know to add the new one to my list in "ignoreip ="
**I also am using the Macro Program to log in now and it basically never messes up the login regardless of how long it is so I am not concerned.
**To avoid a large IP list I decided not to use the special programming from this page http://www.looke.ch/wp/list-based-perma ... h-fail2ban
This programming allows you to maintain the list across restarts of fail2ban. It was modified to remove duplicate ip addresses.
The reason is I already have a very large password and may increase it when I shut off root login probably this week. This link says max password size is unlimited?
http://superuser.com/questions/148971/w ... nux-system
So for now things are better. The brute force login attempts has clearly dropped from 27 per hour when I first put fail2ban in down to about 1 or 2 per hour (major drop).
I don't know what it was before fail2ban. I cleared the btmp file and the secure file in /var/log since they were huge (need to learn to roll the logs).