Linux Firewall with iptables

From JonDonym Wiki
Revision as of 15:08, 23 March 2010


Firewall with iptables

It is recommended to use a restrictive firewall on your host system. Iptables is part of the Linux kernel. You may use a GUI tool for firewall setup or write a small script. We offer an example firewall script: copy and paste the code snippets into a script, copy the script to your server and make it executable.

Header of the script with default rules:

#!/bin/sh
IPT=/sbin/iptables
IFACE="eth0"
# clean up old settings
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -F
$IPT -X
# disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# enable loopback 
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# allow established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If your server is monitored by your ISP, you usually have to enable ping replies. But we recommend using the mix monitoring port instead and not setting the following rule; then your server will not be visible to simple network scans. It's your choice.

# enable ICMP (not recommended)
$IPT -A INPUT -m state --state NEW -p icmp -j ACCEPT

The following rules increase the security of your SSH port. After 3 wrong login attempts the IP address will be blocked for 120 seconds. You may get the same protection with fail2ban.

# enable and secure SSH (please, adapt the port!!!)
$IPT -A INPUT -i $IFACE -p tcp --dport 22022 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -i $IFACE -p tcp --dport 22022 -m state --state NEW -m recent --rcheck --seconds 120 --hitcount 4 --rttl --name SSH -j REJECT --reject-with tcp-reset
$IPT -A INPUT -i $IFACE -p tcp --dport 22022 -m state --state NEW -j ACCEPT

Enable Internet services for the host system and all vservers:

# enable mix server
$IPT -A INPUT -i $IFACE -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp --dport 6544 -j ACCEPT
# enable mix monitoring
$IPT -A INPUT -i $IFACE -p tcp --dport 8080 -j ACCEPT

And finally, drop everything else:

$IPT -A INPUT -j DROP
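As an added example (not from the JonDonym wiki), the same rule set wrapped in a function so that it can be reviewed in a dry run and sanity-checked before it is applied. With IPT left at its default of `echo iptables` the commands are printed instead of executed; set IPT=/sbin/iptables and run as root to apply them. The function names build_rules and check_rules, the ENABLE_ICMP switch and the port arguments are this example's own. One caveat the rule semantics carry: the `recent` counter is fed by every new TCP connection to the SSH port, successful or not, so the fourth new connection from one address within 120 seconds is rejected regardless of whether the earlier logins failed.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Builds the firewall rules as a
# list of commands so the ordering can be checked before anything is applied.
# IPT="echo iptables" (default) prints the commands; IPT=/sbin/iptables applies them.

IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"

# Emit the rules for one SSH port ($1) and a space-separated list of service ports ($2).
build_rules() {
    ssh_port="$1"
    service_ports="$2"

    # default policies: nothing comes in unless a rule allows it
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # optional ICMP replies, off by default (ENABLE_ICMP is this example's switch)
    if [ "${ENABLE_ICMP:-0}" = "1" ]; then
        $IPT -A INPUT -m state --state NEW -p icmp -j ACCEPT
    fi

    # SSH: record each new connection, reject the 4th within 120 s, otherwise accept.
    # Order matters: --set must come before --rcheck, or the counter never fills.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$ssh_port" -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$ssh_port" -m state --state NEW -m recent --rcheck --seconds 120 --hitcount 4 --rttl --name SSH -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$ssh_port" -m state --state NEW -j ACCEPT

    # mix server and monitoring ports
    for p in $service_ports; do
        $IPT -A INPUT -i "$IFACE" -p tcp --dport "$p" -j ACCEPT
    done

    # the catch-all must stay last: anything appended after it is never reached
    $IPT -A INPUT -j DROP
}

# Check a dry-run listing ($1): returns 0 when the ordering invariants hold.
check_rules() {
    listing="$1"
    # 1. the last INPUT rule is the catch-all DROP
    last=$(printf '%s\n' "$listing" | tail -n 1)
    case "$last" in *"-A INPUT -j DROP") ;; *) return 1 ;; esac
    # 2. the recent --set rule precedes the --rcheck rule
    set_line=$(printf '%s\n' "$listing" | grep -n -- '--set --name SSH' | cut -d: -f1)
    rcheck_line=$(printf '%s\n' "$listing" | grep -n -- '--rcheck' | cut -d: -f1)
    [ -n "$set_line" ] && [ -n "$rcheck_line" ] && [ "$set_line" -lt "$rcheck_line" ] || return 1
    # 3. the default INPUT policy is DROP
    printf '%s\n' "$listing" | grep -q -- '-P INPUT DROP' || return 1
    return 0
}

# Print the dry-run listing (or apply it, if IPT points at the real binary).
build_rules "${SSH_PORT:-22022}" "443 80 6544 8080"
```

After applying the rules for real, `iptables -L INPUT -n -v --line-numbers` shows the final order with packet counters, and the addresses currently tracked by the SSH counter can be read from /proc/net/xt_recent/SSH.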