How to Harden IPTABLES in your Ubuntu/debian Server

Hi

Today I'll post a simple iptables configuration to harden a server connection. Before applying any of these changes, remember that if your server runs X services, this configuration will close the server down to 2 operating ports:

22 (SSH) and 80 (HTTP)

All remaining ports will be closed, so be careful, and if you need to open more ports just repeat step 2.

0. Open a Unix console / SSH console

1. Check your iptables version (the command name is lowercase; iptables is case-sensitive)

$ sudo iptables -V


2. Allowing ports (22 & 80). If you need to open more ports, this is the way (use tcp or udp, and the port number you need):

# /sbin/iptables -A INPUT -i eth0 -p <tcp|udp> --dport <portnumber> -j ACCEPT

Opening 22 & 80 !

# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

  • -A INPUT : append the rule to the INPUT chain (our instruction to the firewall)
  • -i eth0 : the interface we want the rule applied to
  • -p tcp : the protocol, in this case TCP
  • --dport 22 : the destination port, here port 22
  • -j ACCEPT : we accept this traffic ;D

You can list your rules with the command: $ sudo iptables -L

As you can see, I have already configured mine, and you can see the fail2ban rules (fail2ban blocks the IPs of SSH attackers by adding iptables deny rules).


We see that the default policy is to accept everything => Chain INPUT (policy ACCEPT).

We want to block all traffic that does not have prior authorization, so we will add an instruction to block all other ports.

3. Before blocking, we put this instruction in place

Otherwise there is a problem: when a connection is made from our server to another server, e.g. kernel.org to download a new kernel (just an example), our server will connect to the website and wait for its response. The outgoing connection request will be fine, but the reply coming back would be blocked.

So we select by connection state, because iptables is powerful: packets belonging to a connection we already opened (ESTABLISHED) or related to it (RELATED) are accepted.

# /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

4. Blocking

This is the command for blocking all other connections. It is better to use REJECT than DROP, because "drop" returns to the senders the answer to a packet request, or whatever they are doing.

# /sbin/iptables -A INPUT -i eth0 -j REJECT
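Putting steps 2 to 4 together, here is a small POSIX sh script (an added example, not part of the original post) that validates a list of proto:port entries and prints the rule commands in the order the post uses: the ACCEPT rules for the allowed ports, then the ESTABLISHED,RELATED rule, then the final REJECT. It assumes the interface is eth0 and the binary is /sbin/iptables, as in the post; both can be overridden with the IFACE and IPT environment variables.

```shell
#!/bin/sh
# Added example: generate the post's hardening rule set from a port list.
# Assumptions (overridable): binary /sbin/iptables, interface eth0.
IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}
nl=$(printf '\n_'); nl=${nl%_}   # portable newline for string building

# gen_rules "tcp:22 tcp:80"  -> prints one iptables command per line.
# Validates every entry first; returns 1 without printing on bad input.
gen_rules() {
    entries=$1
    out=""
    for e in $entries; do
        proto=${e%%:*}
        port=${e#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$e' (use tcp or udp)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$e'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$e'" >&2; return 1
        fi
        # Step 2: one ACCEPT rule per allowed port.
        out="$out$IPT -A INPUT -i $IFACE -p $proto --dport $port -j ACCEPT$nl"
    done
    printf '%s' "$out"
    # Step 3: let replies to connections we opened come back in.
    printf '%s -A INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$IPT" "$IFACE"
    # Step 4: everything else on the interface is rejected. Because -A appends,
    # this line must be emitted last so the ACCEPT rules are matched first.
    printf '%s -A INPUT -i %s -j REJECT\n' "$IPT" "$IFACE"
}

# Dry run by default (just prints). Set APPLY=1 to execute the rules as root.
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "${PORTS:-tcp:22 tcp:80}" | sh -e
else
    gen_rules "${PORTS:-tcp:22 tcp:80}"
fi
```

Run it once without APPLY to review the commands, then again with APPLY=1 (for example `sudo env APPLY=1 PORTS="tcp:22 tcp:80" sh harden.sh`) to apply them.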

Congrats, now you have your ports well closed!!

Regards,

Tony.
