IPTABLES for my webserver

Hi everyone, I'm kind of new to iptables but I have read a lot on the matter. I would like to know if my iptables rules are right. I will show you and explain how my network is organised.

NETWORK

Modem (ADSL) ------ Dlink Router ------ Web apache server
                      |       \
                    comp1    comp2

Dlink router IP address: 192.168.0.1
Comp1 IP address: 192.168.0.15
Comp2 IP address: 192.168.0.16
Web server IP address (debian): 192.168.0.130

CASE:

- My router forwards all requests made on ports 80 and 443 to the web server (192.168.0.130). I would like the web server to accept only those 2 kinds of request coming from the router (even if the router only sends those).

- Only the 2 computers can connect to the web server via SSH (22).

- Another thing that would be nice is to use the mangle table to put a priority on all requests coming from ports 80 and 443. But I think this kind of rule should be made on the router ...

SCRIPT
######################################################################
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

echo 0 > /proc/sys/net/ipv4/ip_forward

####### LOCALHOST #######
iptables -t filter -A OUTPUT -o lo -p all -j ACCEPT
iptables -t filter -A INPUT -i lo -p all -j ACCEPT

####### LAN #######
# Network
iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.15 -p all --sport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.15 -d 192.168.0.130 -p all --sport 22 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.16 -p all --sport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.16 -d 192.168.0.130 -p all --sport 22 -j ACCEPT

# broadcast (maybe it's not a good idea)
#iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.255 -p all -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -s 192.168.0.255 -d 192.168.0.130 -p all -j ACCEPT

####### INTERNET #######
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.30 -d 192.168.0.1 -p all --sport 80, 443 -m state --state ! INVALID -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.30 -d 192.168.0.1 -p all --sport 80, 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
######################################################################

But when I use this script, my website is down. I'm new to this so maybe I made some huge mistake hehe

Any help would be appreciated, ty

joe10001

Most home users putting up a WEB server don't even consider it; have you?

I have Linux but I don't use a WEB server. I have MS and IIS on the network too, and if I were going to expose a machine with a WEB server to the public Internet, there is more to it than configuring some packet filter behind some NAT router.

Duane :)

Duane Arnold

Well that is a good start. Since you are running a web server that is accessed from the outside I hope you have secured it too. The following setup should get you up and running, but you are going to have to figure out what you need open and how to open it.

# Load needed modules
#####################
# Only uncomment if you need FTP from this server
#modprobe ip_conntrack_ftp

# Clear all Tables
##################
iptables -F
iptables -X
iptables -Z

#Set Default Policy
###################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback setup
################
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Inbound connections
#####################
# Replies to connections the server already knows about come in here
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.15/32 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.16/32 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP

#Outbound connection
####################
# The server never opens connections itself; it only answers
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP

Well, since you only allow port 22 from the 2 local PCs, do you really think you need this? I think not.

Well the above should get you started.

Robert

Ty very much for helping me and for the advice on securing my webserver. Robert, I corrected the few syntax mistakes in your script and I tried it. I spent a lot of time trying to make it work but it still doesn't. At first, when I run this script, I can't access my web server anymore via putty (SSH). Also, each time these rules are applied my web site goes down.

I will still be working on it today; any help would be greatly appreciated.

Ty again all

joe10001

You are welcome.

Sorry about that. Should learn to do one thing at a time.

OK, start the firewall and run this on the WEB server:

iptables -L -v -n > myfirwall

Then post the contents of this file for me to look at.

I don't understand why the web server is down when these rules are applied.

Are these rules being applied to the web server or another system?

Robert

Ty Robert, I really appreciated your help!! Ty again

I finally got it, yeah :) your script helped me to understand

Here is the part, hope it could help someone else

###############################################################################
# Connection rules
###############################################################################

# $IP and $UNIVERSE are set earlier in the full script (not shown here);
# assumed values so this part runs on its own:
IP=192.168.0.130
UNIVERSE=0.0.0.0/0

echo "+ Règles de connexions"

# SSH
iptables -t filter -A INPUT -p tcp --dport 22 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -s $IP -d $UNIVERSE -j ACCEPT

# HTTP
iptables -t filter -A INPUT -p tcp --dport 80 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 80 -s $IP -d $UNIVERSE -j ACCEPT

# HTTPS
iptables -t filter -A INPUT -p tcp --dport 443 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 443 -s $IP -d $UNIVERSE -j ACCEPT

# No-IP
iptables -t filter -A INPUT -p tcp --dport 8245 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 8245 -s $IP -d $UNIVERSE -j ACCEPT

# Allow connections with the internet only if they are initiated by
# the local processes
iptables -t filter -A OUTPUT -s $IP -d $UNIVERSE -p all -m state ! --state INVALID -j ACCEPT
iptables -t filter -A INPUT -s $UNIVERSE -d $IP -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

joe10001
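Added example, not code from any post in this thread: a script that emits a complete ruleset for the setup joe10001 describes (web server 192.168.0.130, SSH only from 192.168.0.15 and 192.168.0.16, everything else dropped) in iptables-save format, and lints it before it is ever loaded. The lint looks for the two things that leave a site unreachable under a DROP policy: a chain whose policy is DROP but which has no ESTABLISHED,RELATED accept rule, and an INPUT rule that matches the web ports as source ports instead of destination ports. The function names (build_ruleset, lint_ruleset), the BAD_RULESET sample and the use of the conntrack match are my choices; only the addresses come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate the web server's ruleset in
# iptables-save format and lint it.  Function names are mine; the addresses
# are the ones given in the thread.

WEB_IP=192.168.0.130                     # the Debian web server (from the thread)
SSH_ADMINS="192.168.0.15 192.168.0.16"   # comp1 and comp2 (from the thread)

# build_ruleset: print an iptables-restore ruleset to stdout.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Discard packets conntrack cannot place in any connection, then accept
    # replies and related traffic; every rule below only has to admit NEW.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Web: match the DESTINATION ports.  The server's replies carry 80/443 as
    # source port, but they are ESTABLISHED and already accepted above.
    printf '%s\n' "-A INPUT -d $WEB_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    # SSH only from the two LAN hosts.
    for admin in $SSH_ADMINS; do
        printf '%s\n' "-A INPUT -s $admin -d $WEB_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # With policy DROP on OUTPUT, the server's replies leave only because of
    # this rule; without it every connection is accepted and then goes silent.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# lint_ruleset: read a ruleset on stdin; return 0 if clean, 1 if it shows
# either mistake: (a) a chain with policy DROP and no ESTABLISHED accept rule,
# (b) an INPUT rule that matches the web ports as source ports.
lint_ruleset() {
    _rules=$(cat)
    _rc=0
    for _chain in INPUT OUTPUT; do
        if printf '%s\n' "$_rules" | grep -q "^:$_chain DROP"; then
            if ! printf '%s\n' "$_rules" | grep -E "^-A $_chain .*ESTABLISHED.* -j ACCEPT" >/dev/null; then
                echo "lint: $_chain has policy DROP but no ESTABLISHED,RELATED ACCEPT rule" >&2
                _rc=1
            fi
        fi
    done
    if printf '%s\n' "$_rules" | grep -E '^-A INPUT .*--sports? [0-9, ]*(80|443)( |$)' >/dev/null; then
        echo "lint: INPUT matches 80/443 as source ports; use --dport(s)" >&2
        _rc=1
    fi
    return $_rc
}

# Constructed bad ruleset (sample input, not from the thread) with the shape
# of the first script above: OUTPUT is DROP with no state rule, and the web
# rule keys on --sport.
BAD_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.1 -p tcp --sport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Stand-alone run: lint the generated ruleset and print it for review.
# On the server, load the reviewed output with:  build_ruleset | iptables-restore
if build_ruleset | lint_ruleset; then
    build_ruleset
fi
```

The script only prints, so it can be run and reviewed anywhere without root; apply the output on the server with iptables-restore once it passes the lint. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread and needs the same connection-tracking module (nf_conntrack today, ip_conntrack in the posts above).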

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.