n this how-to we will show you how to secure your VPS using IPTables.
When you host a server on the internet, dedicated or a VPS, you need to
constantly be aware of security. Blocking unwanted access to services is
a good start and that is where IPTables comes in. IPTables is a host
based firewall that is highly powerful. You can do a lot more than just
permit access based on ports or source and desitination IP addresses.
you can do natting or throttling as well. We will save those last few
for a more advanced how-to.
The first thing we need to do obviously is install the packages.
Now to define a rule base. You need to stop here for a minute and think what services do you need to be reachable on this host? Is it a web server? Then ports 443 and 80 should suffice. But if you are running a mail server you may need port 25 as well. You also need to determin if you will respond to ping because ICMP needs to be tightened up. Then you need to think about established connections and internal loopback connections. You want all that to work as well. Then again you need to still be able to access your server so you will need port 22 for SSH.
We will use all these ports and protocols as an example. You can add or remove ports as needed for your setup.
Now you have a basic rulebase built but you still need to start the firewall. You also want to start IPTables on boot so you need to enable it.
Install IPTables Package
yum install iptablesNow to define a rule base. You need to stop here for a minute and think what services do you need to be reachable on this host? Is it a web server? Then ports 443 and 80 should suffice. But if you are running a mail server you may need port 25 as well. You also need to determin if you will respond to ping because ICMP needs to be tightened up. Then you need to think about established connections and internal loopback connections. You want all that to work as well. Then again you need to still be able to access your server so you will need port 22 for SSH.
We will use all these ports and protocols as an example. You can add or remove ports as needed for your setup.
Configure IPTables Rules
# Accept traffic from internal interfacesiptables -A INPUT ! -i eth0 -j ACCEPT# Accept traffic with the ACK flag set-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT# Allow incoming data that is part of a connection we establishediptables -A INPUT -m state --state ESTABLISHED -j ACCEPT# Allow data that is related to existing connectionsiptables -A INPUT -m state --state RELATED -j ACCEPT# Accept responses to DNS queriesiptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT# Accept responses to our pingsiptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT# Accept notifications of unreachable hostsiptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT# Accept notifications to reduce sending speediptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT# Accept notifications of lost packetsiptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT# Accept notifications of protocol problemsiptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT# Allow connections to our SSH serveriptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT# Respond to pingsiptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT# Allow connections to webserveriptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT# Allow SSL connections to webserveriptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT#Allow connections to SMTP server for mail deliveryiptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPTiptables saveNow you have a basic rulebase built but you still need to start the firewall. You also want to start IPTables on boot so you need to enable it.
Configure Services
/etc/init.d/iptables startchkconfig iptables onIf everything went well you should still be able to access your server
on the ports you have opened, yet any other services running, like VNC,
will be blocked. You can test this using open-source tools like Nmap.
Tutorial to Secure your VPS using IPTables
4/
5
Oleh
Admin