We talked about a primitive guide on all step to get started with a blank server and SSH.Iptables, ip6tables are used to maintain packet filter rules in the Linux kernel. IPTables Basics Chapter 1 is Intended For the New Blank Cloud Server or Dedicated Server Users. It is Must to Read Before Executing Commands. We will not go towards to much complicated theoretical matters. Ubuntu has guide on iptables (you should read it as as additional iptables basics), however, what we are saying is not written in commonly known websites. Situation like getting flooded on SSH by attack like we described in this article is not uncommon. pam_unix(sushi:auth): authentication failure error can make the root user unable to run commands. We need precautions for not allowing it to easily happen.
Again – these ways are not substitute for nightly backup of whole FTP, database on some server or storage.
iptables Basics : Do Not Run Commands to Drop Everything Without Knowing
Quite commonly, new users run commands following the guides from various web hosts and end up locking up themselves. Know it quite well – system administrator of web host of any virtual server, cloud server i.e. server instance running on virtualization can reset or flush iptables on request regardless of the plan is managed or unmanaged. Complicated route to hack own server to reset rules out of wrong iptables rules is remotely possible, rather it can be impossible. For dedicated servers and colocation servers, it can be very difficult to reset iptables. In case you are under attack, instead of reading this guide you should approach in the way we described.
iptables Basics : Create an Automatic Default iptables rules Restore System While Testing
L is listing.
D is delete.
A is addition.
F is flush.
P is policy.
X is delete chain xxxxx
If you create an automatic default iptables rules restore system while testing to reset it back every 15 minutes or so, you can really play with iptables. Guides from various web hosts never say this basic. In case of Ubuntu, iptables rules are saved in /etc/iptables/rules.v4 file. Please find documentation about the location your server operating system saves the rules. We can run a cat on the file so see :
1 | cat /etc/iptables/rules.v4 |
You will manually save the successful file at root’s home as backup with this command :
1 | cp /etc/iptables/rules.v4 /root/rules.v4 |
ONLY run the command when you are 100% sure about the settings. Else cat the current file :
1 | cat /etc/iptables/rules.v4 |
Highlight, copy and paste on Github as gist. Now, open cron with the command :
1 | crontab -e |
If you add this at the end :
1 | */10 * * * * cp /root/rules.v4 /etc/iptables/rules.v4 |
iptables will get flushed every 10 minutes with saved file from /root/rules.v4. That needs verification with change on iptables. Add a line on /etc/iptables/rules.v4 like this :
1 | ## testing should disappear |
Make fully sure that your server operating system really saves on /etc/iptables/rules.v4. Use easy rules first. Take that 167.114.0.192 is your current dynamic IP of internet connection. If you block it :
1 | iptables -D INPUT -s 167.114.0.192 -j DROP |
You can not SSH from that server to your server under question for 10 minutes. ISP usually allocate dynamic IP address or you can SSH from other internet connection, blocking own self is safe to check rules than throwing stones at the others at the very beginning. When you will not need the automatic deletion, simply comment out that line from cron :
1 2 3 | crontab -e ## iptables auto delete and restore # */10 * * * * cp /root/rules.v4 /etc/iptables/rules.v4 |
Advertisement
---
iptables Basics : Understand the Syntax and Order of Logics
These are quite dangerous commands to run at the beginning :
1 2 3 | iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP |
Unless you made our described Automatic Default iptables rules Restore System While Testing, you may start to cry if you already have not applied any allow rule to accept and continue using SSH. You will be kicked out of the session and just can not SSH.
If we run :
1 | iptables -L |
we will get the list of rules. To be very honest, everything written on :
1 | man iptables |
and our previous guide for iptables and security will do the basic.
You should understand input, output and forward. Ingress and Egress are terminology for router or virtual router. Web server is not normally router. We say 3 types of matters – input, output and forward. You are reading this webpage as port 443 output is widely allowed. If you try to SSH to our server, that input request will be dropped or rejected to forward. Make terminal full screen and run this :
1 | iptables -n -L -v --line-numbers |
You will see line numbers. We can filter the output more with :
1 | iptables -L OUTPUT -n -v --line-numbers |
We can combine both :
1 | iptables -L INPUT 1 |
The 1 in the above command is line number.
If I need to add a rule to block the IP 167.114.0.192 on line number 2, I will run :
1 | iptables -I INPUT 2 -s 167.114.0.192 -j DROP |
Drop and Reject has difference. Drop means as if the server’s that port or function does not exist. Reject is softer Drop – it do acknowledge that server’s that port or fiction exists. Suppose if we Drop the port to ping, it will appear as 100% loss – many services need to understand that amount of loss to mark as server is up or online. With Reject, the loss will be 0%.
This is an example of correct order of policy written on /etc/iptables/rules.v4 file :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | *filter :INPUT ACCEPT [184:15853] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [29:2844] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT -A INPUT -j DROP -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -A FORWARD -j DROP -A OUTPUT -j ACCEPT COMMIT |
Why correct? First we are saying to accept port 22, port 80 etc. Thereafter we are saying -A INPUT -j DROP. That means – allow on mentioned ports, then disallow ALL OTHER ports.
But this is wrong order of logic :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | *filter :INPUT ACCEPT [184:15853] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [29:2844] -A INPUT -j DROP -A FORWARD -j DROP -A OUTPUT -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT COMMIT |
We are saying to Drop all the ports on the first instance. Also we have not said to continue the current connection. Now to maintain the correct logical hierarchy, I need to run these first :
1 2 3 | iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP |
Before allowing the ports. Funnily, that will kick out me from SSH. But if we run cron to run the set of commands, that will not happen. Alternatively, we can copy-paste rules in correct order. Tutorials commonly begin with :
1 2 3 4 | iptables --flush iptables -t nat --flush iptables -t mangle --flush iptables --policy OUTPUT ACCEPT |
to make sure that the order is maintained. But, basically the kicking out is not really practical to prevent. To make ensure to allow all established connections and on-going sessions through the firewall, we need to run :
1 | iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
or, we can directly write to the file
1 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
More precisely, under Chain INPUT (policy DROP) we should have it :
1 2 3 4 5 | Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state NEW ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp set:http |
Ready to use stuffs definitely available, next good guides and sources are :
1 2 3 4 5 | http://www.pettingers.org/code/firewall.html http://www.okean.com/thegoods.html https://github.com/Happy-Dude/dotfiles/tree/master/iptables http://www.openbl.org/lists/ https://hackertarget.com/about/ |
It is really impractical idea today to use only few easy policies.
What We Learned From iptables Basics, Chapter 1
- We should create an automatic default iptables rules restore system while testing to reset it back every few minutes
- We can request web host to reset iptables in case of cloud server, virtual server
- iptables saves rules in a file
- iptables follow and order to read the rules from the file
- We can directly run iptables commands or run via script with cron or copy paste from ready to use file
If you are done with this chapter, read iptables Basics : Chapter 2.
