A Hacker's Journey: from Cook to Chef

13 Set up a firewall for the production site

Do you need a firewall for your production site? It depends. If you are running a blog powered by WordPress on a shared hosting service, a firewall is probably overkill, and the host may not let you configure one anyway, since the provider normally manages the firewall in front of its shared servers. All you need is a secure SSH (SFTP) connection to upload and download files, and a backup of your data once in a while.

However, if you are running an eCommerce website with a lot of financial data stored on the host, firewall protection becomes essential. Large corporations usually put only their HTTP server in the DMZ (demilitarized zone); it forwards requests to the application servers and database servers hidden behind the corporate firewall. Before we can afford that kind of infrastructure, we can still work out simple solutions to protect the servers on the hosting site.

The basic idea is to deny everything except the connections you actually need. The hard part is that if you get the initial setup wrong, you can lock yourself out of SSH. That is easy to do, because iptables rules are not independent: they are evaluated in order, so a rule that drops traffic placed before the rule that accepts SSH cuts off your own session. If you experiment directly on the hosting site, make sure the provider can stop the iptables service for you (or give you console access) in case you are locked out. If you experiment on your own virtual machine, take a snapshot with the firewall off before you start, and keep it until everything works.

The reason I put this topic right after the initial setup and before the application deployment is that you don't want to break a server that has everything ready except the firewall. So try it while the hosting site is still nearly empty: if the worst happens and you have to re-provision the whole site, the cost is low. Finally, document the rules you set, and test them by flushing all rules and reloading the saved rule set, so the same configuration works the next time you set up a new environment.
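The approach described in the two paragraphs above, as an added example that is not part of the original chapter: a script that generates a default-deny rule set for a single CentOS/RHEL web host in iptables-restore format, checks that the SSH rule comes before the catch-all, and loads it with an automatic rollback so a mistake does not lock you out. The port numbers, the ADMIN_CIDR variable, the file paths under /root and /run, and the assumption that the iptables-services package is installed (so /etc/sysconfig/iptables is loaded at boot) are mine, not the author's.

```bash
#!/bin/bash
# Added example (not from the original chapter): a default-deny iptables rule
# set for a single CentOS/RHEL web host, with a sanity check and a rollback timer.
# Assumptions: SSH on SSH_PORT, web on 80/443, admin addresses in ADMIN_CIDR,
# the iptables-services package installed so /etc/sysconfig/iptables is loaded
# at boot. The file paths under /root and /run are my own choices.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_CIDR="${ADMIN_CIDR:-0.0.0.0/0}"    # narrow this to your admin network
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Print the rule set in iptables-restore format. Order matters: loopback,
# established connections and SSH are accepted before anything logs or drops,
# and the INPUT/FORWARD policies are DROP so whatever is not listed is refused.
generate_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local services (e.g. a database bound to 127.0.0.1) talk over loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (yum, DNS) and existing sessions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH comes first and only from the admin network, so nothing below can lock us out
-A INPUT -p tcp -s ${ADMIN_CIDR} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# the public web service
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited ping for diagnostics
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
# log (rate-limited) what is about to fall through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Sanity check on the generated text before anything touches the kernel:
# the INPUT policy must be DROP and the SSH accept rule must come before the
# catch-all LOG rule. Returns 0 when the rule set passes.
check_rules() {
    rules="$(generate_rules)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    ssh_line="$(printf '%s\n' "$rules" | grep -n -- "--dport ${SSH_PORT} " | cut -d: -f1)"
    log_line="$(printf '%s\n' "$rules" | grep -n -- '-j LOG' | cut -d: -f1)"
    [ -n "$ssh_line" ] && [ -n "$log_line" ] && [ "$ssh_line" -lt "$log_line" ]
}

# Load the rules with a safety net: save the running rules, load the new ones,
# and schedule a restore of the old ones after ROLLBACK_SECS seconds. If you
# can still log in afterwards, cancel the rollback and persist the rules.
apply_with_rollback() {
    check_rules || { echo "refusing to apply: rule sanity check failed" >&2; return 1; }
    iptables-save > /root/iptables.before || return 1
    generate_rules > /root/iptables.new
    iptables-restore --test < /root/iptables.new || return 1   # parse only, no commit
    (
        sleep "$ROLLBACK_SECS"
        iptables-restore < /root/iptables.before
        logger -t firewall "rollback executed: previous rules restored"
    ) &
    echo "$!" > /run/fw-rollback.pid
    iptables-restore < /root/iptables.new
    echo "new rules loaded; they roll back in ${ROLLBACK_SECS}s unless you run: $0 confirm"
}

# Cancel the rollback timer and persist the rules so they survive a reboot
# (this is the file 'service iptables save' writes on CentOS/RHEL).
confirm_rules() {
    if [ -f /run/fw-rollback.pid ]; then
        kill "$(cat /run/fw-rollback.pid)" 2>/dev/null
        rm -f /run/fw-rollback.pid
    fi
    iptables-save > /etc/sysconfig/iptables
}

case "${1:-}" in
    show)    generate_rules ;;
    check)   check_rules && echo "rule set OK" ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
esac
```

Run `./fw.sh show` to review the rules, `./fw.sh apply` as root to load them with the rollback timer armed, and `./fw.sh confirm` from a fresh SSH session to cancel the rollback and write the rules to /etc/sysconfig/iptables. Re-provisioning a new host then comes down to running the same script, which is the reproducibility the chapter asks for.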

Below is the necessary background, with practical guidelines for the CentOS or RHEL platform, mainly for an individual hosting site. It does not cover a complete firewall setup for an intranet.