For the past two days I’ve been looking into how to set up iptables for a Linux machine that acts as a web server, processes email, and also needs FTP and SSH access. I’m wondering if what I have put together to set up iptables is enough and/or going to impede the server’s functions at all. It’s a basic LAMP setup. I’m also wondering if the order of the rules is basically correct.
I think it’s close, but my main concerns are PHP, MySQL, email and FTP running. Do PHP and MySQL communicate on the localhost level, or do other ports (3306) need to be added? Is there anything I’ve overlooked that should also be added?
Is sendmail in the INPUT necessary? (I couldn’t figure that one out)
Putting together and editing from several resources online, this is what I’ve come up with:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 98.76.54.0/24 -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# FTP
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
#
# HTTP/Apache
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#
# SSL/Apache
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#
# POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#
# Sendmail
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#
# DirectAdmin
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -s 98.76.54.0/24 -p tcp --dport 2222 -j ACCEPT
#
# ICMP/Ping:
iptables -A INPUT -p icmp -j ACCEPT
#
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
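To check the ordering question, here is a small first-match simulator for the INPUT chain above (an added illustration, not part of the posted script): it walks a constructed copy of the posted rules in order and prints the target of the first one a given packet would hit, which is exactly what iptables does. The probe addresses (203.0.113.9, 127.0.0.1) and the passive-FTP port 51000 are constructed values.

```shell
# Added illustration (not the poster's script): a first-match simulator for the
# INPUT chain above. RULES is a constructed copy of the posted rules, in order.
RULES='-s 12.34.56.78 -p tcp --dport 22 -j ACCEPT
-s 98.76.54.0/24 -p tcp --dport 22 -j ACCEPT
-i lo -j ACCEPT
-m state --state ESTABLISHED,RELATED -j ACCEPT
-p tcp --dport 20:21 -j ACCEPT
-p tcp --dport 80 -j ACCEPT
-p tcp --dport 443 -j ACCEPT
-p tcp --dport 110 -j ACCEPT
-p tcp --dport 25 -j ACCEPT
-s 12.34.56.78 -p tcp --dport 2222 -j ACCEPT
-s 98.76.54.0/24 -p tcp --dport 2222 -j ACCEPT
-p icmp -j ACCEPT
-j REJECT'
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
# Is address $1 inside $2 (a plain address or a.b.c.d/prefixlen)?
in_net() {
  local net=${2%%/*} len=${2#*/} mask
  [ "$len" = "$2" ] && len=32
  mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict SRC IFACE PROTO DPORT STATE: first matching rule's target, else the chain policy.
verdict() {
  local src=$1 iface=$2 proto=$3 dport=$4 state=$5 rule ok lo hi
  while read -r rule; do
    ok=1; set -- $rule
    while [ $# -gt 0 ]; do
      case $1 in
        -s) in_net "$src" "$2" || ok=0; shift ;;
        -i) [ "$iface" = "$2" ] || ok=0; shift ;;
        -p) [ "$proto" = "$2" ] || ok=0; shift ;;
        --dport) lo=${2%%:*}; hi=${2#*:}; { [ "$dport" -ge "$lo" ] && [ "$dport" -le "$hi" ]; } || ok=0; shift ;;
        --state) case ",$2," in *",$state,"*) ;; *) ok=0 ;; esac; shift ;;
        -j) [ "$ok" -eq 1 ] && { echo "$2"; return 0; } ;;
      esac
      shift
    done
  done <<EOF
$RULES
EOF
  echo "DROP (policy)"
}
verdict 12.34.56.78 eth0 tcp 22 NEW       # ACCEPT: listed admin IP may SSH
verdict 203.0.113.9 eth0 tcp 22 NEW       # REJECT: everyone else is refused
verdict 127.0.0.1 lo tcp 3306 NEW         # ACCEPT: PHP to MySQL over loopback needs no 3306 rule
verdict 203.0.113.9 eth0 tcp 51000 NEW    # REJECT: passive FTP data port; load nf_conntrack_ftp so it is RELATED
```

The last probe is the one to watch: passive-mode FTP data connections arrive on high ports as NEW unless the ftp conntrack helper is loaded, in which case they match the ESTABLISHED,RELATED rule and pass.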
When a service is running in Linux, for example SSH on port 22, you do not need to create an iptables rule to accept connections; these will be automatically accepted.
Have you thought about using fail2ban? It works with iptables.
I only wanted the two IPs specified to be able to use SSH. Does that rule not accomplish that?
I want to be sure the machine is locked down as much as possible. The website was recently hacked, and I’m trying to take all measures I can to prevent unauthorized access.
I’m unfamiliar with fail2ban as to what it does, but I’ll check it out.
I’m not 100% sure. It looked like they just logged in, but only two people have the password and the machines were clean (spyware, etc.). Going through the logs was quite a PITA, and I didn’t see evidence of anything else, but I have no idea how they might have gotten the password.
Anyway, I’m hoping to still get the firewall squared away, even if it isn’t the only thing I do. SSH is only one part of what I’m hoping to gain more control over.
I did. There was a single foreign (not our IP) login, but not on the day the home page changed. It was a successful login though, not from us, using the main account. But on the day the home page changed, I couldn’t see any transfer of the file that was replaced in the FTP log, so that didn’t make sense to me. My worry was that they used the file manager in DirectAdmin. That’s why I’m trying to only allow access to certain IPs via a firewall.
I already have SSH limited to our IP using the hosts.allow and hosts.deny files, but it didn’t work with FTP and the DA control panel is another issue.
I’m just trying to secure this machine now, not just worried about SSH.
fail2ban is a toy; check out CSF from www.configserver.com, which is what you really want. It provides much more complete firewall and auto-ban management. Test it carefully to ensure it works on your system - it works well without cPanel, but there’s a little to learn.