iptables rules

Support for security such as Firewalls and securing linux
Post Reply
johnyp14
Posts: 4
Joined: 2019/05/05 14:28:39

iptables rules

Post by johnyp14 » 2019/05/05 14:35:32

Hello, i am new to linux without much expirence.
I have a vps centos 6 and made some iptable rules but can not work out how to drop every output traffic, and log it, except those that has been initiated from an input allow rule.

here is what i wrote so far:
iptables -A INPUT -s 37.6.12.2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 1433 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save
service iptables restart
my vps acts as email server also but all users login to roundcube only so if is possible to block email needed ports from public it's ok.

Any ideas would be very much appreciated.

Thank you

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: iptables rules

Post by aks » 2019/05/06 07:34:57

drop every output traffic, and log it, except those that has been initiated from an input allow rule.
So all conversations to this machine will always be initiated from outside this machine? This machine will never initiate a network conversation itself? (Wonder how you plan to do updates then!)

I guess in this case, you need to look at the TCP state:

-m state --state NEW,ESTABLISHED,RELATED

The states I've shown are a new connection, an established connection and a related connection (so a response to something allowed in another chain - inbound, forwarded, outbound etc.)

For logging, you can just jump to the LOG chain, as in:

-j LOG --log-level alert

johnyp14
Posts: 4
Joined: 2019/05/05 14:28:39

Re: iptables rules

Post by johnyp14 » 2019/05/06 07:44:01

Thank you for your time to reply, yes server will never initiate an output connection except from some ports from time to time used by apis and ftp so i must open these ports only as output.

Can you post a full line example of opening port 21 and 80 as output please or maybe put these lines to my iptables so i can test them, i am not familiar neither with the right syntax.

Thank you again

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules

Post by TrevorH » 2019/05/06 14:08:46

You will need to allow some outbound traffic to allow yum update to work. There are probably other things too - for example, does it run a DNS server? If not then you will probably need to allow outbound packets on port 53 or no name resolving will occur. Likewise, do you aim to run ntp or chrony? Then you need to allow udp port 123 to your nearest time server.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

johnyp14
Posts: 4
Joined: 2019/05/05 14:28:39

Re: iptables rules

Post by johnyp14 » 2019/05/06 15:23:19

Ok, Thank you got the point, let me ask this, how can i log all output traffic that been initiated by server and is not a response to an incoming request?

I am asking this because i try to secure my server after a notice i received that may be infected and trying to hack some wp pages.

Thank you

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: iptables rules

Post by Whoever » 2019/05/06 22:59:08

If you machine is compromised, you need to back up your data, wipe the server and then configure a new one.

As for tracking attempts to hack Wordpress sites, you can take advantage of the fact that these websites will be listening on port 80 and 443. You don't really need to worry about any other ports for outgoing traffic.

Note that you can't block outgoing traffic on these ports, because yum uses them for updates.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: iptables rules

Post by aks » 2019/05/07 17:41:09

Can you post a full line example of opening port 21 and 80 as output please or maybe put these lines to my iptables so i can test them, i am not familiar neither with the right syntax.
You're being lazy! For FTP you will need: ip_conntrack_ftp module loaded (you can search both Google and this forum for details). An example of (being "anal" about what goes where) using port 80:

-A OUTPUT -o <INTERFACE> -s <SRC_IPADDR/32> -d <DEST_IPADDR/32> -m state --state NEW,RELATED -m tcp -p tcp --sport 80 -j ACCEPT

This allows on the output chain (-A=append, OUTPUT=output chain) using <INTERFACE> id (i.e.: eth0 etc) with the source (-s) address <SRC_IPADDR/32> to connect to (-d) <DEST_IPADDR/32> only for NEW or RELATED connections (I've chosen to not allow ESTABLISHED in this example) using source port (--sport 80), over TCP. The /32 is important (in IPv4) - it means "this and only this host". So if the host sends some from <INTERFACE>, using <SRC_IPAADR/32> to <DEST_ADDR/32> over TCP with a source port number of 80 (I've not specified a destination port, it may be more appropriate depending on what the applicaion(s) do), then allow it (-j ALLOW).

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules

Post by TrevorH » 2019/05/07 17:48:54

It hasn't been ip_conntrack since about CentOS 5 so ... s/ip_conntrack_ftp/nf_conntrack_ftp/
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

johnyp14
Posts: 4
Joined: 2019/05/05 14:28:39

Re: iptables rules

Post by johnyp14 » 2019/05/07 19:36:53

Well,i i must reinstall the server after all because i found that many distro files has been patched so i am sure that server has been rooted.

I will work on new iptables on the new server.

Thank you

Post Reply