Iptables for web server

Hello everyone,

For the past two days I’ve been looking into how to set up iptables for a Linux machine that acts as a web server, processes email, and also needs FTP and SSH access. I’m wondering if what I have put together for iptables is enough and/or going to impede the server’s functions at all. It’s a basic LAMP setup. I’m also wondering if the order of the rules is basically correct.

I think it’s close, but my main concerns are PHP, MySQL, email and FTP running. Do PHP and MySQL communicate on the localhost level, or do other ports (3306) need to be added? Is there anything I’ve overlooked that should also be added?
Is sendmail in the INPUT chain necessary? (I couldn’t figure that one out.)

Putting together and editing from several resources online, this is what I’ve come up with:

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from the filter table (-F does not reset the chain policies)
#
iptables -F
#
# Allow SSH connections on tcp port 22 from the two trusted sources only.
# These go in before the DROP policy is set so that re-running the script cannot lock you out.
# Any other source address falls through to the DROP policy / final REJECT below.
#
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 98.76.54.0/24 -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost. This also covers PHP talking to MySQL on 127.0.0.1:3306
# (or the unix socket), so no 3306 rule is needed as long as mysqld is bound to localhost.
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
# (replies to the server's own outbound traffic, and FTP data connections
# once the conntrack helper below is loaded)
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# FTP: only the control port 21 is a listening port. Port 20 is the server's
# *source* port in active mode and never needs an inbound rule; passive-mode
# data connections arrive on random high ports and are only accepted because
# the FTP helper marks them RELATED. (Module is ip_conntrack_ftp on old 2.6.18 kernels.)
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#
# HTTP/Apache
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#
# SSL/Apache
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#
# POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#
# Sendmail: only needed if sendmail listens on a public address to receive mail
# from other hosts. Outbound mail is already covered by the OUTPUT ACCEPT policy
# and the ESTABLISHED rule above.
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#
# DirectAdmin, same two trusted sources as SSH
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -s 98.76.54.0/24 -p tcp --dport 2222 -j ACCEPT
#
# ICMP/Ping:
iptables -A INPUT -p icmp -j ACCEPT
#
# Everything else: REJECT answers with an error instead of silently dropping;
# the DROP policies stay as the backstop if these rules are ever flushed.
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
#
# Save settings (Red Hat/CentOS-style init script)
#
/sbin/service iptables save
#
# List rules (-n avoids slow reverse DNS lookups on the addresses)
#
iptables -L -v -n

Any assistance is greatly appreciated.

Thank you for your time.
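Since the thread turns on whether the two `-s` rules really restrict SSH, and on whether the rule order matters, here is an added example (not from the original post) that models the posted INPUT chain as a first-match table and asks which target a NEW TCP packet from a given source to a given port would hit. It covers only the posted rules in the posted order; the loopback rule, the ESTABLISHED,RELATED rule and ICMP are left out, the addresses are the placeholders from the post, and 203.0.113.5 is a made-up outside address.

```shell
#!/bin/sh
# Added example, not from the thread: a first-match model of the posted
# INPUT chain for NEW tcp packets arriving on a non-loopback interface.
# Rules are listed in the order the script appends them; the last line
# stands in for the final "iptables -A INPUT -j REJECT" (and the DROP
# policy behind it). Format: source|proto|dport|target, "any" = wildcard,
# dport may be a single port or a lo:hi range as in "--dport 20:21".
RULES='12.34.56.78/32|tcp|22|ACCEPT
98.76.54.0/24|tcp|22|ACCEPT
any|tcp|20:21|ACCEPT
any|tcp|80|ACCEPT
any|tcp|443|ACCEPT
any|tcp|110|ACCEPT
any|tcp|25|ACCEPT
12.34.56.78/32|tcp|2222|ACCEPT
98.76.54.0/24|tcp|2222|ACCEPT
any|any|any|REJECT'

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is address $1 inside $2?  $2 is "any", a bare address, or a.b.c.d/len.
cidr_match() {
    [ "$2" = any ] && return 0
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net=${2%/*}; len=${2#*/}
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Does port $1 match $2?  $2 is "any", a single port, or lo:hi.
port_match() {
    case $2 in
        any) return 0 ;;
        *:*) [ "$1" -ge "${2%%:*}" ] && [ "$1" -le "${2#*:}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# evaluate SRC PROTO DPORT -> prints the target of the first matching rule,
# exactly as netfilter walks the chain top to bottom.
evaluate() {
    printf '%s\n' "$RULES" | while IFS='|' read -r src proto dport target; do
        if cidr_match "$1" "$src" \
           && { [ "$proto" = any ] || [ "$proto" = "$2" ]; } \
           && port_match "$3" "$dport"; then
            echo "$target"
            break
        fi
    done
}

# Walk through the cases the thread argues about.
for pkt in "12.34.56.78 tcp 22" "98.76.54.9 tcp 22" "203.0.113.5 tcp 22" \
           "203.0.113.5 tcp 80" "203.0.113.5 tcp 3306" "98.76.55.9 tcp 2222"; do
    printf '%-22s -> %s\n' "$pkt" "$(evaluate $pkt)"
done
```

Port 22 from the outside address ends in REJECT because nothing between the two source-restricted rules and the catch-all matches it, while port 80 from the same address is accepted: the `-s` match on a rule only narrows that rule, and what happens to non-matching packets is decided by whatever comes later in the chain, which here is the REJECT and the DROP policy.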

When a service is running in Linux, for example SSH on port 22, you do not need to create an iptables rule to accept connections; these will be automatically accepted.

Have you thought about using fail2ban? It works with iptables.
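Whether a service needs a rule in the posted script depends on which address it listens on, which also answers the localhost question from the first post (MySQL and sendmail included). This added example (not from the thread) cross-checks a constructed `ss -H -lnt` listing against the ports the script opens: listeners bound to 127.0.0.1 are reachable through the `-i lo` rule alone, listeners bound to 0.0.0.0 are the ones the port rules matter for. The sample listing, the allowed-port list and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check listening sockets against
# the ports the posted script opens. Input is a constructed listing in the
# column layout of "ss -H -lnt" (State Recv-Q Send-Q Local:Port Peer:Port);
# on a real box feed it the output of: ss -H -lnt  (netstat -lnt on older systems)
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:110 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*'

# Ports the posted script ACCEPTs from the network ("20:21" expanded).
ALLOWED='20 21 22 25 80 110 443 2222'

# "addr port" per LISTEN line; handles IPv4 and bracketed IPv6 addresses.
listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        port = $4; sub(/.*:/, "", port)
        print addr, port }'
}

# Join newline-separated ports into one sorted, space-separated line.
join_ports() { sort -n | tr '\n' ' ' | sed 's/ $//'; }

# Sockets reachable from the network: bound to 0.0.0.0, * or [::].
exposed() {
    listeners "$1" | awk '$1 == "0.0.0.0" || $1 == "*" || $1 == "[::]" { print $2 }' | join_ports
}

# Sockets bound to loopback only: reachable via the "-i lo" rule alone, no
# port rule needed. This is the PHP -> MySQL case when mysqld is bound to
# 127.0.0.1, and sendmail when it only listens on 127.0.0.1 (the stock
# Red Hat DAEMON_OPTIONS setting).
loopback_only() {
    listeners "$1" | awk '$1 == "127.0.0.1" || $1 == "[::1]" { print $2 }' | join_ports
}

# Exposed ports with no ACCEPT rule. The DROP policy stops them, but each is a
# service that should be rebound to loopback or stopped rather than relying on
# the firewall alone (for 3306: bind-address=127.0.0.1 in my.cnf).
exposed_but_unlisted() {   # $1 = listing, $2 = space-separated allowed ports
    for p in $(exposed "$1"); do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done | join_ports
}

# ACCEPT rules for ports nothing listens on: dead rules that widen the allow
# list for no reason (port 20, and 25 while sendmail is loopback-only).
allowed_but_unused() {     # $1 = listing, $2 = space-separated allowed ports
    exp=" $(exposed "$1") "
    for p in $2; do
        case "$exp" in *" $p "*) ;; *) echo "$p" ;; esac
    done | join_ports
}

echo "exposed:            $(exposed "$SAMPLE")"
echo "loopback only:      $(loopback_only "$SAMPLE")"
echo "exposed, no rule:   $(exposed_but_unlisted "$SAMPLE" "$ALLOWED")"
echo "rule, no listener:  $(allowed_but_unused "$SAMPLE" "$ALLOWED")"
```

On the constructed listing, 3306 shows up as exposed with no rule (blocked by the DROP policy, but better bound to loopback), and 20 and 25 show up as rules with nothing behind them, which is the kind of pruning the first post was asking about.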

I only wanted the two IPs specified to be able to use SSH. Does that rule not accomplish that?

I want to be sure the machine is locked down as much as possible. The website was recently hacked, and I’m trying to take all measures I can to prevent unauthorized access.

I’m unfamiliar with fail2ban as to what it does, but I’ll check it out.

Thanks.

This rule allows the two IP addresses but also allows all other IP addresses.

The best way to only allow two IP addresses SSH access is to edit /etc/ssh/sshd_config and look for the option AllowUsers.

Do you know how you got hacked?

I’m not 100% sure. It looked like they just logged in, but only two people have the password and the machines were clean (spyware, etc.). Going through the logs was quite a PITA, and I didn’t see evidence of anything else, but I have no idea how they might have gotten the password.

Anyway, I’m hoping to still get the firewall squared away, even if it isn’t the only thing I do. SSH is only one part of what I’m hoping to gain more control over.

For the best security use SSH keys; this will really secure SSH.

Did you check ftp logs?

I did. There was a single foreign (not our IP) login, but not on the day the home page changed. It was a successful login though, not from us, using the main account. But on the day the home page changed, I couldn’t see any transfer of the file that was replaced in the FTP log, so that didn’t make sense to me. My worry was that they used the file manager in DirectAdmin. That’s why I’m trying to only allow access to certain IPs via a firewall.

I already have SSH limited to our IP using the hosts.allow and hosts.deny files, but it didn’t work with FTP and the DA control panel is another issue.

I’m just trying to secure this machine now, not just worried about SSH.

The AllowUsers directive for ssh lets you specify allowed usernames that can log in. Also disable root login in your /etc/ssh/sshd_config file.

Install and regularly run rkhunter as well. It can be a big help in identifying intrusions.

fail2ban is a toy; check out CSF from www.configserver.com which is what you really want. It provides much more complete firewall and auto-ban management. Test it carefully to ensure it works on your system - it works well without cPanel, but there’s a little to learn.