Technical Recipes

How to set up firewall on Linux hosting site (part II)

0. Use iptables command directly

    iptables commands can be entered live and take effect immediately:

    # iptables <rule>

    Initially, when you receive a brand new hosting service with a Linux OS, the firewall service is not started and no rules are defined in the file /etc/sysconfig/iptables. You can create and test the rules live before committing them to the /etc/sysconfig/iptables file.

    If you are setting up the firewall on the hosting site over remote SSH, be careful when you use DROP all as the default policy. It closes every port for input and output, so right after you execute the rules you are kicked out of the remote SSH session. If you really need to do it, run it on the physical Linux machine. Alternatively, you can always use ACCEPT all as the default policy and drop the rest after the specific rules are defined.

1. Reset firewall rules in iptables

    Whenever you test your firewall using the iptables file, you may need to flush all the existing rules you have created and reset the firewall to its original state, which allows everything to pass.

    1.1 Create a shell script file called iptables_reset.sh
	
    #!/bin/sh
    echo "Flushing iptables rules..."
    sleep 1
    iptables -F      # flush all chains
    iptables -X      # delete all user-defined chains
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    1.2 Make the file executable

    # chmod +x iptables_reset.sh

    1.3 Run the script

    # ./iptables_reset.sh

2. List iptables rules

    # iptables -nvL

    The -n option prevents slow reverse DNS lookups.

    You can list other tables using -t:

    # iptables -L -t nat

    How to view blocked IP addresses?

    # iptables -L INPUT -v -n

    How to search for a blocked IP address?

    # iptables -L INPUT -v -n | grep 1.2.3.4

3. Add typical iptables rules in the configuration file

    3.1 Block incoming request from IP Address 1.2.3.4

    	-A INPUT -s 1.2.3.4 -j REJECT/DROP

        or

    	-I INPUT -i eth1 -s 1.2.3.4 -j REJECT/DROP

        When the "!" argument is used before the interface name, the sense is inverted:

        -I INPUT ! -i eth1 -s 1.2.3.4 -j DROP

        If the interface name ends in a "+", then any interface which begins with this name will match.

        -I INPUT -i eth+ -s 1.2.3.4 -j DROP

    3.2 Block subnet

        Use the following syntax to block 10.0.0.0/8 on eth1 public interface:

        -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    3.3 Insert a separate line for logging before the particular rule of ACCEPT/REJECT/DROP

    	-A INPUT -p tcp --dport 3306 -j LOG
    	-A INPUT -p tcp --dport 3306 -j ACCEPT

    3.4 Block access to port from IP address

    	-A INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
    	-A INPUT -s 202.54.1.2/29 -p tcp --dport 80 -j DROP
    
    3.5 Allow SSH, HTTP and SSL
		
        # sshd
        -A INPUT -p tcp --dport 22 -j ACCEPT
        # apache httpd
        -A INPUT -p tcp --dport 80 -j ACCEPT
        # apache ssl
        -A INPUT -p tcp --dport 443 -j ACCEPT

    3.6 Insert a rule in a specific location in an existing chain

    	-I INPUT 1 -i lo -p all -j ACCEPT

        This rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.

        You may change the log level of a LOG rule (--log-level) to any level you want. The levels are: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice, 6 info, 7 debug. You can use either the number or the word in the rule.

    3.7 Enable remote Ping

        The Internet Control Message Protocol (ICMP) is widely used by networked computers to send messages across the network indicating the status of services. It is not used for sending and receiving data between the nodes, except by some diagnostic tools like Ping, traceroute, Arp etc.

        There are two types of ICMP message to enable Ping through iptables:

    	0 - Echo Reply
    	8 - Echo Request

        3.7.1 Allow ping requests to the server and send replies back to clients

        -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $server_ip -m state --state NEW,ESTABLISHED -j ACCEPT
        -A OUTPUT -p icmp --icmp-type 0 -s $server_ip -d 0/0 -m state --state ESTABLISHED -j ACCEPT

        3.7.2 Allow the Linux machine to ping other machines

        -A OUTPUT -p icmp --icmp-type 8 -s $server_ip -d 0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
        -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $server_ip -m state --state ESTABLISHED -j ACCEPT

        In both cases, replace $server_ip with the server's IP address; the rules file does not expand shell variables.

    3.8 Block all the rest from INPUT request connection and log dropped IP address information

        -A INPUT -i eth1 -j LOG --log-level 4 --log-prefix "IP DROP SPOOF A:"
        # Close up firewall. All else blocked.
        -A INPUT -j REJECT/DROP

    3.9 Block outgoing request from LAN IP 192.168.1.200

    	-A OUTPUT -s 192.168.1.200 -j DROP

    3.10 Log and drop any invalid packets
    
        Hackers try many methods to access computers; one is to send invalid packets. If such packets are not handled in the rules, your computer may be vulnerable.

        -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix "Invalid Drop: "
        -A INPUT -m state --state INVALID -j DROP

        Place these rules at the very beginning of the INPUT rules so that they are evaluated first.
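
    A pre-flight check for a rules file assembled from the section 3 fragments, as an added example that is not part of the original page. It assumes the iptables-save file format, tracks the order of "-A INPUT" lines only, and flags trailing // annotations because iptables-restore accepts comments only as full lines starting with #; lint_rules and write_bad_sample are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: lint a rules file before loading it.
# "-I" lines are skipped because their final position is not modeled here.

# lint_rules FILE: print one finding per line; return 1 if anything was found.
lint_rules() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines, full-line comments
        $0 ~ /[ \t]\/\//     { printf "line %d: trailing // comment\n", NR; bad = 1 }
        $1 == "COMMIT"       { commit = 1; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            target = ""; dport = ""; narrowed = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-s" || $i == "-d" || $i == "-p" || $i == "-i" || $i == "-m")
                    narrowed = 1
            }
            # Remember that SSH was allowed before any catch-all rule.
            if (target == "ACCEPT" && dport == "22") ssh_ok = 1
            if ((target == "DROP" || target == "REJECT") && !narrowed && !ssh_ok) {
                printf "line %d: catch-all %s before port 22 ACCEPT\n", NR, target
                bad = 1
            }
        }
        END { if (!commit) { print "missing COMMIT"; bad = 1 }; exit bad + 0 }
    ' "$1"
}

# Constructed sample with three defects: a trailing // comment, a catch-all
# DROP placed above the SSH rule, and no COMMIT line.
write_bad_sample() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT    // apache httpd
-A INPUT -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}
```

    Run lint_rules on the candidate file before loading it; a non-zero return means the file should not be applied over a remote session.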

4. Delete blocked IP address

    4.1 Display blocked IP address with the line number

    	# iptables -L INPUT -n --line-numbers

    	# iptables -L INPUT -n --line-numbers | grep 1.2.3.4

    4.2 Delete the rule with the line number, e.g., 3 or using the IP address

    	# iptables -D INPUT 3

        or

    	# iptables -D INPUT -s 1.2.3.4 -j DROP

5. Save iptables rules

    Changes to iptables are transitory; if the system is rebooted or if the iptables service is restarted, the rules are automatically flushed and reset. To save the rules so that they are loaded when the iptables service is started, use the following command as the root user:

    # service iptables save	

    This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.
 
    The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.

    While it is always a good idea to test a new iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system's version of this file. This provides a quick way to distribute sets of iptables rules to multiple machines.
 
    You can also save the iptables rules to a separate file for distribution, backup, or other purposes. To do so, run the following command as root:
 
    # iptables-save > <filename>

    You can restore the firewall settings from file:

    # iptables-restore < <filename>
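
    The lockout warning in section 0 and the save/restore commands above combine into an apply-with-rollback routine, shown here as an added example that is not part of the original page. safe_apply, IPT_SAVE and IPT_RESTORE are names chosen here, and the routine relies on iptables-restore --test to parse a file without committing it.

```shell
#!/bin/sh
# Added example, not from the original page. IPT_SAVE and IPT_RESTORE are
# assumed override hooks so the routine can be exercised without touching netfilter.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# safe_apply RULES_FILE [GRACE_SECONDS]
# Returns 0 = new rules kept, 1 = backup failed, 2 = file rejected, 3 = rolled back.
safe_apply() {
    rules=$1
    grace=${2:-60}
    backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || { rm -f "$backup"; return 1; }

    # --test parses the file without committing, so a typo changes nothing.
    if ! "$IPT_RESTORE" --test < "$rules"; then
        echo "rules file rejected; running firewall untouched" >&2
        rm -f "$backup"
        return 2
    fi

    # Arm the rollback before applying. Ignoring HUP lets it outlive a dropped
    # SSH session; deleting the backup marks the rollback as done.
    ( trap '' HUP; sleep "$grace"; "$IPT_RESTORE" < "$backup"; rm -f "$backup" ) &
    timer=$!

    "$IPT_RESTORE" < "$rules" || echo "apply failed; rollback stays armed" >&2
    echo "Applied. Open a NEW ssh session to confirm you can still log in."
    printf 'Type "keep" within %s seconds to keep the new rules: ' "$grace"
    read answer || answer=""

    if [ "$answer" = "keep" ] && [ -f "$backup" ]; then
        kill "$timer" 2>/dev/null || true
        rm -f "$backup"
        return 0
    fi
    wait "$timer" || true     # let the timer put the saved rules back
    return 3
}

# Usage (as root): safe_apply /etc/sysconfig/iptables 60
```

    If the new rules cut off the SSH session, nothing needs to be typed: the saved rules return after the grace period and access is restored.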

6. Use iptables control scripts

    # service iptables start/stop/restart/status/reload/panic/save

    reload - If a firewall is running, the firewall rules are reloaded from the configuration file. The advantage of not flushing the current firewall rules is that if the new rules cannot be applied because of an error in the rules, the old rules are still in place.

    restart - If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in /etc/sysconfig/iptables. This option only works if the ipchains kernel module is not loaded.

    panic - Flushes all firewall rules. The policy of all configured tables is set to DROP. This option could be useful if a server is known to be compromised. Rather than physically disconnecting from the network or shutting down the system, you can use this option to stop all further network traffic but leave the machine in a state ready for analysis or other forensics.

    save - Saves firewall rules to /etc/sysconfig/iptables using iptables-save.

7. iptables Control Scripts Configuration File

    The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file.

8. Enable firewall at boot time

    The firewall is activated immediately after saving to the iptables file, but the iptables service is not configured to start automatically at boot time. To ensure that iptables starts when the system is booted, use the following command:

    # chkconfig --level 345 iptables on