iptables rules for a Linux web server.

Support for security such as firewalls and securing Linux
giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: iptables rules for a Linux web server.

Post by giulix63 » 2016/03/09 09:43:00

My understanding is that the OP flushed any existing rules and replaced them with the above new set:
hack3rcon wrote: I have some questions. If I flush these rules and replace them with the ones below, can my web server fail:
Please advise if that's not the case...
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

TrevorH
Forum Moderator
Posts: 27417
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules for a Linux web server.

Post by TrevorH » 2016/03/09 09:57:01

Yes but if you do not know what the existing rules do, how can you say if the new ones are better/worse/equivalent?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: iptables rules for a Linux web server.

Post by giulix63 » 2016/03/09 10:19:51

By subtraction. If the old rules didn't allow for HTTP, HTTPS and SSH, or allowed for more, then the new rules differ; else, they are the same :)

Seriously, I thought the OP was asking if the new rules are consistent with running a web server and in my opinion they are. Apologies if I got that wrong...

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/09 14:38:31

TrevorH wrote: And since your existing rules are completely incomprehensible we have no way to tell if the new ones will do the same as the old ones.
My rules are:


Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
ACCEPT     tcp  --  XXXX.nrp.co     anywhere             tcp dpt:domain
ACCEPT     udp  --  XXXX.nrp.co     anywhere             udp dpt:domain
ACCEPT     tcp  --  XXXX.nrp.co     anywhere             tcp spt:domain
ACCEPT     udp  --  XXXX.nrp.co     anywhere             udp spt:domain
LOCALINPUT  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
INVALID    tcp  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:infocrypt
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:EtherNet/IP-1
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPIN  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com  tcp dpt:domain
ACCEPT     udp  --  anywhere             google-public-dns-a.google.com  udp dpt:domain
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com  tcp spt:domain
ACCEPT     udp  --  anywhere             google-public-dns-a.google.com  udp spt:domain
ACCEPT     tcp  --  anywhere             XXXX.nrp.co     tcp dpt:domain
ACCEPT     udp  --  anywhere             XXXX.nrp.co     udp dpt:domain
ACCEPT     tcp  --  anywhere             XXXX.nrp.co     tcp spt:domain
ACCEPT     udp  --  anywhere             XXXX.nrp.co     udp spt:domain
LOCALOUTPUT  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  anywhere             anywhere            
INVALID    tcp  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:infocrypt
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:EtherNet/IP-1
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:auth
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ntp
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPOUT  all  --  anywhere             anywhere            

Chain ALLOWIN (1 references)
target     prot opt source               destination         
ACCEPT     all  --  XXXX.nrp.co     anywhere            

Chain ALLOWOUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             XXXX.nrp.co    

Chain DENYIN (1 references)
target     prot opt source               destination         
DROP       all  --  46.36.108.66         anywhere            

Chain DENYOUT (1 references)
target     prot opt source               destination         
LOGDROPOUT  all  --  anywhere             XXXXX        

Chain INVALID (2 references)
target     prot opt source               destination         
INVDROP    all  --  anywhere             anywhere             ctstate INVALID
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
INVDROP    tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,RST/FIN,RST
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
INVDROP    tcp  --  anywhere             anywhere             tcp flags:PSH,ACK/PSH
INVDROP    tcp  --  anywhere             anywhere             tcp flags:ACK,URG/URG
INVDROP    tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW

Chain INVDROP (10 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain LOCALINPUT (1 references)
target     prot opt source               destination         
ALLOWIN    all  --  anywhere             anywhere            
DENYIN     all  --  anywhere             anywhere            

Chain LOCALOUTPUT (1 references)
target     prot opt source               destination         
ALLOWOUT   all  --  anywhere             anywhere            
DENYOUT    all  --  anywhere             anywhere            

Chain LOGDROPIN (1 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:bootps
DROP       udp  --  anywhere             anywhere             udp dpt:bootps
DROP       tcp  --  anywhere             anywhere             tcp dpt:bootpc
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
DROP       tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROP       udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP       tcp  --  anywhere             anywhere             tcp dpt:auth
DROP       udp  --  anywhere             anywhere             udp dpt:auth
DROP       tcp  --  anywhere             anywhere             tcp dpts:epmap:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp dpts:epmap:netbios-ssn
DROP       tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:microsoft-ds
DROP       tcp  --  anywhere             anywhere             tcp dpt:isakmp
DROP       udp  --  anywhere             anywhere             udp dpt:isakmp
DROP       tcp  --  anywhere             anywhere             tcp dpt:login
DROP       udp  --  anywhere             anywhere             udp dpt:who
DROP       tcp  --  anywhere             anywhere             tcp dpt:efs
DROP       udp  --  anywhere             anywhere             udp dpt:router
LOG        tcp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
LOG        udp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *UDP_IN Blocked* "
LOG        icmp --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *ICMP_IN Blocked* "
DROP       all  --  anywhere             anywhere            

Chain LOGDROPOUT (2 references)
target     prot opt source               destination         
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *TCP_OUT Blocked* "
LOG        udp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *UDP_OUT Blocked* "
LOG        icmp --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *ICMP_OUT Blocked* "
DROP       all  --  anywhere             anywhere            

SSH is open, but when I SSH in it shows me:
ssh: connect to host localhost port 22: Connection refused

I added the iptables rules below:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

and after saving them my server went down and Apache couldn't come up :( and I restored my iptables rules :(

What is your idea?

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: iptables rules for a Linux web server.

Post by giulix63 » 2016/03/09 17:36:14

I suggest you first try a simple configuration and build up from there. For instance, your 5th post here lists a configuration that is pretty straightforward and should allow for SSH, HTTP and HTTPS connections. Then, once you have verified that everything is working, you add more rules. That way, if something breaks, you can always revert back to the last working configuration (provided you keep track of each). Also, make sure that the services (sshd, httpd) are properly started:


systemctl -l start sshd
systemctl -l start httpd
If you have trouble connecting via SSH, try running the command like this:


ssh -vv user@host
This will start ssh in verbose mode and should provide some hints on what is actually going wrong.
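
A worked version of the approach giulix63 recommends (start from a minimal set, keep the last working one, build up), added here as an example and not taken from any post in the thread. It generates a ruleset for exactly the services under discussion: SSH with the same three-rule `-m recent` brake hack3rcon posted, plus HTTP and HTTPS. It then loads the set with a timed rollback: the live rules are saved first and come back automatically unless a fresh SSH session confirms the change, which is the protection you want when, as above, saving a new set leaves the server unreachable. The port numbers, the 60 second window, the backup path and the OUTPUT ACCEPT policy are my assumptions; the provider set above has OUTPUT DROP, so if you keep that policy you also need OUTPUT rules for DNS, NTP and whatever else the host must reach. Applying needs root and iptables on the host; the generator and the ordering check run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a minimal web-server
# ruleset (SSH with per-source rate limiting, HTTP, HTTPS) and applies it
# with a timed rollback so a bad rule cannot lock you out of the box.
# Assumptions: SSH on port 22, the web server on 80/443, OUTPUT left open
# (the provider set in the thread has OUTPUT DROP; change the policy line
# if you need that), a 60 second confirmation window, backup under /root.
SSH_PORT=${SSH_PORT:-22}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
BACKUP=${BACKUP:-/root/iptables.before-change}
CONFIRM_FLAG=${CONFIRM_FLAG:-/run/iptables.confirmed}

# Emit the ruleset in iptables-save format; load it with iptables-restore.
gen_web_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first; this is the rule that "iptables -L" prints as
# "ACCEPT all -- anywhere anywhere" because -L hides the -i column
-A INPUT -i lo -j ACCEPT
# packets belonging to connections already accepted (or started by us);
# -m conntrack --ctstate is the current spelling of -m state --state
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping, plus the ICMP errors that path MTU discovery relies on
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# SSH brute-force brake (the three-rule pattern from the thread):
# 1. note every new connection attempt under the source address,
# 2. drop the source once it has 4 or more attempts within 180 s,
# 3. otherwise accept.  Order matters: --set must come before --update.
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 4 --name SSH --rsource -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# the web server
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# log (rate limited) what the DROP policy is about to discard
-A INPUT -m limit --limit 30/min --limit-burst 5 -j LOG --log-prefix "Firewall: *IN Blocked* " --log-level 4
COMMIT
EOF
}

# Sanity check on the generated text: the three SSH rules must appear in
# the order --set, --update ... DROP, ACCEPT, or the brake does nothing.
ssh_guard_order_ok() {
    gen_web_ruleset | grep -- "--dport $SSH_PORT " | awk '
        NR==1 && /--set/                 { a=1 }
        NR==2 && /--update/ && /-j DROP/ { b=1 }
        NR==3 && /-j ACCEPT/             { c=1 }
        END { exit !(a && b && c) }'
}

# Save the live rules, parse-check and load the new set, then restore the
# saved rules automatically unless confirm_rules is run in time. The timer
# runs under nohup so it survives the SSH session that started it dying.
apply_with_rollback() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_with_rollback: run as root" >&2; return 1; }
    ssh_guard_order_ok || { echo "SSH rules out of order, refusing" >&2; return 1; }
    iptables-save > "$BACKUP" || return 1
    rm -f "$CONFIRM_FLAG"
    gen_web_ruleset | iptables-restore --test || return 1   # syntax only, nothing changes
    gen_web_ruleset | iptables-restore || return 1
    nohup sh -c "sleep $ROLLBACK_SECS; [ -e '$CONFIRM_FLAG' ] || iptables-restore < '$BACKUP'" \
        >/dev/null 2>&1 &
    echo "new rules loaded; open a NEW ssh session and run confirm within ${ROLLBACK_SECS}s"
}

# Run from the fresh session that got in under the new rules.
confirm_rules() { touch "$CONFIRM_FLAG" && echo "kept; now persist with iptables-save"; }

case "${1:-print}" in
    print)   gen_web_ruleset ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    *)       echo "usage: $0 [print|apply|confirm]" >&2; exit 2 ;;
esac
```

Run `sh firewall.sh apply` as root from one session, then open a second `ssh` session. If it gets in, run `sh firewall.sh confirm` there and persist the set (`iptables-save > /etc/sysconfig/iptables` with the iptables-services package on CentOS 7). If the second session cannot connect, do nothing: when the window expires the saved rules are restored and the first session is back where it started.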

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/11 08:30:59

giulix63 wrote:I suggest you first try a simple configuration and build up from there. For instance, your 5th post here lists a configuration that is pretty straightforward and should allow for SSH, HTTP and HTTPS connections. Then, once you have verified that everything is working, you add more rules. That way, if something breaks, you can always revert back to the last working configuration (provided you keep track of each). Also, make sure that the services (sshd, httpd) are properly started:


systemctl -l start sshd
systemctl -l start httpd
If you have trouble connecting via SSH, try running the command like this:


ssh -vv user@host
This will start ssh in verbose mode and should provide some hints on what is actually going wrong.
Output is :


OpenSSH_6.7p1 Debian-5+deb8u1, OpenSSL 1.0.1k 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to example.com [ip] port 22.
debug1: connect to address ip port 22: Connection timed out
ssh: connect to host example.com port 22: Connection timed out
My problem is that the real iptables rules were written by the provider, and I want to know: if I flush them and write my new iptables rules, can it hurt my web site?

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: iptables rules for a Linux web server.

Post by giulix63 » 2016/03/11 09:27:32

Either sshd is not running on the server or it is filtering port 22. I tested on an up-to-date C7 virtual machine the rules in your 5th post and they work fine, both for SSH and HTTP.

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/11 11:11:31

giulix63 wrote:Either sshd is not running on the server or it is filtering port 22. I tested on an up-to-date C7 virtual machine the rules in your 5th post and they work fine, both for SSH and HTTP.
Can you look at my iptables rules? I mean the current iptables rules. The provider wrote them, and if I flush them and write new iptables rules, can it cause any problem?

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: iptables rules for a Linux web server.

Post by giulix63 » 2016/03/11 13:26:09

Honestly, I wouldn't know what to make of those rules, but I am not a network expert. For instance, what good can come from having a set of rules that allows Google DNSs to connect to your box? Then you have a bunch of rules that are anonymized: Can't make out what they are. Then it jumps to the LOCALINPUT chain, which in turn jumps to the ALLOWIN and DENYIN chains. The first accepts everything from an anonymized domain (again don't know what that is); the second drops everything originating from IP address 46.36.108.66 (again, no idea what that is, except that it's an address somewhere in IRAN). Then it all jumps back and the next rule in sequence is


ACCEPT     all  --  anywhere             anywhere
which basically opens up your system to all sort of traffic from everywhere. So, you get the idea...
For example, I favour the rule that trusts connections initiated on your side


-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
like you have in the proposed new set, but that's because I am usually the only user of my systems. Nevertheless, the first thing I would do is ditch those rules (your provider's) and install some tool I trust. Personally, I trust shorewall, but for a game server, for instance, even firewalld is more than enough.
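
Before deciding whether the provider's rules are odd, it is worth reading them in a form that hides nothing, so here is an added example (my code, not from any post in the thread) that audits a ruleset in iptables-save format. Two caveats apply to the listing hack3rcon posted. First, it was produced by `iptables -L` without `-v -n`, which omits the in/out interface columns and resolves addresses and ports to names: a line printed as `ACCEPT all -- anywhere anywhere` may well be `-i lo -j ACCEPT` (loopback, which local services need to talk to each other) rather than an accept-everything rule, and `google-public-dns-a.google.com` is 8.8.8.8 shown by name. Second, chains named LOCALINPUT, ALLOWIN, DENYIN, LOGDROPIN and INVDROP are the layout that ConfigServer Security & Firewall (csf) builds, so if `/etc/csf` exists on the host the rules are managed by that tool and should be changed through its configuration rather than flushed by hand. The sample ruleset in the script is constructed to mirror the shape of the listing (documentation-range addresses stand in for the anonymised names) and deliberately includes one genuinely unconditional ACCEPT so the checks have something to find; `iptables -S` or `iptables-save` on the real host produces the same format to feed in.

```shell
#!/bin/sh
# Added example, not from the thread: read a ruleset the way the kernel
# applies it and flag the rules a plain "iptables -L" listing misrepresents.
# "iptables -L" without -v -n drops the in/out interface columns and resolves
# addresses and ports to names, so "-A INPUT -i lo -j ACCEPT" is printed as
# "ACCEPT all -- anywhere anywhere", identical to a genuine accept-everything
# rule. The save format ("iptables -S" / "iptables-save") shows the difference.

# Constructed sample in iptables-save format, shaped like the thread's listing:
# 8.8.8.8 is the address google-public-dns-a.google.com resolves to; the
# 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation-range
# stand-ins for the anonymised entries. A deliberate unconditional ACCEPT
# sits in the middle of INPUT so the checks below have something to report.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOCALINPUT - [0:0]
:ALLOWIN - [0:0]
:DENYIN - [0:0]
:LOGDROPIN - [0:0]
-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOGDROPIN
-A LOCALINPUT -j ALLOWIN
-A LOCALINPUT -j DENYIN
-A ALLOWIN -s 203.0.113.10/32 -j ACCEPT
-A DENYIN -s 198.51.100.7/32 -j DROP
-A LOGDROPIN -j DROP
COMMIT
EOF
}

# On the real host (root): the two listings that leave nothing ambiguous.
live_listing() {
    iptables -S                        # every rule in save syntax, one per line
    iptables -L -v -n --line-numbers   # counters, interfaces, numeric addresses
}

# Rules in CHAIN (ruleset on stdin, save format) that carry no match at all,
# i.e. exactly "-A CHAIN -j TARGET". Prints "position target". A rule that
# only matches an interface (-i/-o) is not listed: it has a match, even
# though "iptables -L" hides it.
unconditional_rules() {
    awk -v c="$1" '$1=="-A" && $2==c { n++; if (NF==4 && $3=="-j") print n, $4 }'
}

# Position of the first unconditional terminal rule (ACCEPT/DROP/REJECT) in
# CHAIN; every rule after it can never be reached. Prints nothing if none.
first_shadowing_rule() {
    awk -v c="$1" '$1=="-A" && $2==c {
        n++
        if (NF==4 && $3=="-j" && ($4=="ACCEPT" || $4=="DROP" || $4=="REJECT")) { print n; exit }
    }'
}

# How many rules in CHAIN sit behind such a rule (0 when the chain is clean).
shadowed_count() {
    awk -v c="$1" '$1=="-A" && $2==c {
        n++
        if (!s && NF==4 && $3=="-j" && ($4=="ACCEPT" || $4=="DROP" || $4=="REJECT")) s=n
        else if (s) dead++
    } END { print dead+0 }'
}

# Audit one chain; pass the ruleset on stdin, e.g.  iptables-save | audit_chain INPUT
audit_chain() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    echo "== $1: rules with no match (position target)"
    unconditional_rules "$1" < "$tmp"
    s=$(first_shadowing_rule "$1" < "$tmp")
    if [ -n "$s" ]; then
        echo "== $1: rule $s is an unconditional terminal rule; $(shadowed_count "$1" < "$tmp") rule(s) after it are dead"
    else
        echo "== $1: no unconditional terminal rule"
    fi
    rm -f "$tmp"
}

sample_rules | audit_chain INPUT
```

On the sample, INPUT rule 6 (`-A INPUT -j ACCEPT`) is reported as unconditional and terminal, with the HTTPS rule and the jump to LOGDROPIN behind it dead; rule 3 (`-i lo`) is not reported. Jumps to user chains such as LOCALINPUT are unconditional but not terminal, so they are listed without being treated as shadowing. Whether the real host has a rule like number 6 is exactly what `iptables -S INPUT` will tell you.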

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/11 13:35:19

giulix63 wrote:Honestly, I wouldn't know what to make of those rules, but I am not a network expert. For instance, what good can come from having a set of rules that allows Google DNSs to connect to your box? Then you have a bunch of rules that are anonymized: Can't make out what they are. Then it jumps to the LOCALINPUT chain, which in turn jumps to the ALLOWIN and DENYIN chains. The first accepts everything from an anonymized domain (again don't know what that is); the second drops everything originating from IP address 46.36.108.66 (again, no idea what that is, except that it's an address somewhere in IRAN). Then it all jumps back and the next rule in sequence is


ACCEPT     all  --  anywhere             anywhere
which basically opens up your system to all sort of traffic from everywhere. So, you get the idea...
For example, I favour the rule that trusts connections initiated on your side


-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
like you have in the proposed new set, but that's because I am usually the only user of my systems. Nevertheless, the first thing I would do is ditch those rules (your provider's) and install some tool I trust. Personally, I trust shorewall, but for a game server, for instance, even firewalld is more than enough.
Can you explain more clearly? In your opinion, are my current rules odd?


Return to “CentOS 7 - Security Support”