How to Harden IPTABLES in your Ubuntu/debian Server

iptablesHi

Today I’ll post a simple Iptables configuration , to harden a server connection , before apply any of this changes remember that if  your server brings X services , this configuration will close the server to 2 operating ports

22 SSH and 80 ( HTTP)

All remaining ports will be closed , so be carefull  and if you need to open more ports just repeat step 1

0. Open  Unix console / SSH console

1.Check your Iptables version 

$sudo Iptables -V

2015-08-05 10_38_06-desktop@ns315165_ ~

2.Allowing Ports ( 22 & 80 ) , If you need more ports to open , this is the way

# /sbin/iptables -A INPUT -i eth0 -p tcp /UDP--dport (portnumber) -j ACCEPT

Opening 22 & 80 !

# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

  • -A INPUT : our instruction to firewall
  • -i eth0 : our interface wanted to apply rule
  • -p tcp : protocol , in this case TCP
  • –dport 22 : instruction over the port 22
  • -j ACCEPT : we accept this traffic ;D

You can list your rules with the command : $Sudo iptables -L ,

as you can see I’ve configured yet , and you can watch the fail2ban rules ( this blocks ssh attackers ip adding iptables deny rules )

# /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

We see that the default policy is to accept everything = > Chain INPUT ( policy ACCEPT ) .

We want to block all traffic that does not have prior authorization, so we will add the instruction to block all other

ports

3.Before blocking we gonna put this instruction

Then comes a problem: when a connection is to be made from our server to the kernel.org eg server to download the new kernel (just an example) , it will connect to the website and will wait for their response . The connection request will be fine but … will fail the coming back connection

So..we select the state .. because iptables is powerful

# /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

4. Bloquing

this is the command for blocking all connections , is better REJECT than drop , because the “drop” returns to the senders the answer of a packet request… or wathever they are doing

# /sbin/iptables -A INPUT -i eth0 -j REJECT

Grats , now you have your ports well closed!!

Regards,

Tony.

Advertisements

One response to “How to Harden IPTABLES in your Ubuntu/debian Server

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s