My basic management concept for iptables (easy to maintain when you're the owner and administrator of a server). I don't like the native iptables management way, so with a little help from Google I've recently figured out an alternative way to handle rule loading and applying. Here's how it's done.
First, create (as su) the iptables file which will contain all our rules. The file must be executable:
# Rules from this file will be applied on system boot
touch /etc/iptables.rules
chmod +x /etc/iptables.rules
Stuff from the file above will be loaded on system boot. To tell the OS that it needs to load them, let's use the /etc/network/interfaces file. Edit it and paste the following (the pre-up line belongs inside the iface stanza of the interface you want protected, so the rules are in place before that interface comes up):
# vim /etc/network/interfaces
# Load our rules automatically
pre-up iptables-restore < /etc/iptables.rules
Now, still as su, create a file called iptables.rules in your home dir. Yup, with the same name (but in a different directory!) as the first one:
touch /home/mylogin/iptables.rules
chmod +x /home/mylogin/iptables.rules
Now let's put our rules into /home/mylogin/iptables.rules:
# vim ~/iptables.rules
# Reset all (block all) and start from zero
# Warning! If you apply only these 3 flushes and the DROP policies below
# without the ACCEPT rules that follow, you're screwed (locked out)! So watch out!
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
# Reject incoming traffic
iptables -P INPUT DROP
# Reject forwarded traffic
iptables -P FORWARD DROP
# Accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
# Accept all connections started by us
# (this can be dangerous if you install shitty stuff on your server)
iptables -P OUTPUT ACCEPT
# Accept data related to our requests
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
# The http port can be set up with limits or without - here's the example with:
# (not used right now so commented out; shown on 2 lines here, join them into 1 when enabling):
# iptables -A INPUT -p tcp --dport 80 -m state --state NEW
# -m limit --limit 50/minute --limit-burst 5 -j ACCEPT
# Open ports related to our services (http, https, ssh, etc)
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT # Example: webmin port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Example: ssh port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Example: http port
# After executing and checking, to save the rules, perform (as su) the command:
# iptables-save > /etc/iptables.rules
In order to check your settings, you can use nmap, a simple (yet powerful) port scanner:
sudo apt-get install nmap
nmap IP/domain

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-04 15:17 CET
Nmap scan report for domain (IP)
Host is up (0.032s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 8.89 seconds
If everything is ok, save your rules permanently (execute as su):
iptables-save > /etc/iptables.rules
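The whole procedure above (write the rules, apply them, check with nmap, save), as an added example that is not from the original post or its author: a small POSIX sh script that checks the saved /etc/iptables.rules (the iptables-save format that iptables-restore reads back) for the two classic lockout conditions before loading it over SSH, loads it with an automatic rollback to the previous ruleset if nobody confirms within a time window, and lists the ports nmap reports open that the ruleset does not explicitly accept. It assumes SSH listens on tcp/22, a 60-second rollback window, and that /etc/iptables.rules is the file iptables-save wrote; the function names and the sample files in the usage are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions (not from the
# post): SSH on port 22, a 60-second rollback window, function names mine.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# preflight_check FILE: returns 0 when FILE (iptables-save format) can be
# loaded over SSH without locking the operator out, 1 otherwise.
# iptables-save writes the policy as ":INPUT DROP [0:0]" and rules as
# "-A INPUT ... -j ACCEPT"; it reorders states to RELATED,ESTABLISHED and
# newer versions emit "-m conntrack --ctstate" instead of "-m state".
preflight_check() {
    file="$1"
    [ -r "$file" ] || { echo "preflight: cannot read $file" >&2; return 1; }
    policy=$(sed -n 's/^:INPUT \([A-Z]*\).*/\1/p' "$file" | head -n 1)
    # An ACCEPT policy cannot lock anyone out; nothing more to check.
    [ "$policy" = "DROP" ] || return 0
    if ! grep -Eq '^-A INPUT .*--(state|ctstate) [A-Z,]*ESTABLISHED.*-j ACCEPT' "$file"; then
        echo "preflight: INPUT policy is DROP but no ESTABLISHED,RELATED accept rule" >&2
        return 1
    fi
    if ! grep -Eq "^-A INPUT .*-p tcp .*--dport $SSH_PORT .*-j ACCEPT" "$file"; then
        echo "preflight: INPUT policy is DROP but tcp/$SSH_PORT (ssh) is not accepted" >&2
        return 1
    fi
    return 0
}

# apply_with_rollback FILE: loads FILE, then restores the previous ruleset
# unless the operator presses Enter within ROLLBACK_SECS. A dead SSH
# session never confirms, so a bad ruleset undoes itself.
apply_with_rollback() {
    file="$1"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    # nohup keeps the timer alive even if this SSH session hangs up.
    nohup sh -c "sleep $ROLLBACK_SECS && iptables-restore < '$backup'" >/dev/null 2>&1 &
    timer=$!
    if ! iptables-restore < "$file"; then
        kill "$timer" 2>/dev/null; rm -f "$backup"
        echo "apply: iptables-restore rejected $file, old rules untouched" >&2
        return 1
    fi
    printf 'Rules applied. Press Enter within %ss to keep them: ' "$ROLLBACK_SECS"
    if read -r answer; then
        kill "$timer" 2>/dev/null; rm -f "$backup"
        echo "kept"
    else
        echo "no confirmation; the old rules come back in ${ROLLBACK_SECS}s" >&2
        return 1
    fi
}

# expected_ports FILE: TCP ports explicitly accepted on INPUT, one per line.
expected_ports() {
    sed -n 's/^-A INPUT .*-p tcp .*--dport \([0-9]*\) .*-j ACCEPT.*/\1/p' "$1" | sort -u
}

# open_ports NMAP_OUT: ports listed as "open" in nmap's normal output
# (lines such as "80/tcp open  http").
open_ports() {
    sed -n 's/^\([0-9]*\)\/tcp  *open .*/\1/p' "$1" | sort -u
}

# unexpected_open FILE NMAP_OUT: ports nmap sees open that FILE does not
# accept, i.e. something other than this ruleset is letting them in.
unexpected_open() {
    want=$(mktemp) && got=$(mktemp) || return 1
    expected_ports "$1" > "$want"
    open_ports "$2" > "$got"
    comm -13 "$want" "$got"
    rm -f "$want" "$got"
}

case "${1:-}" in
    check)  preflight_check "$RULES_FILE" && echo "preflight OK: $RULES_FILE" ;;
    apply)  preflight_check "$RULES_FILE" && apply_with_rollback "$RULES_FILE" ;;
    verify) unexpected_open "$RULES_FILE" "${2:?usage: verify NMAP_OUTPUT_FILE}" ;;
esac
```

Saved as, say, ~/iptables-apply.sh (a name chosen here), `sh ~/iptables-apply.sh check` runs only the static check, `apply` (as root, over the SSH session you want to keep) loads the saved file with the rollback timer, and `verify scan.txt` takes the output of `nmap -oN scan.txt IP/domain` and prints ports that are open but not accepted by the ruleset; swapping `comm -13` for `comm -23` lists the reverse, ports accepted but not seen open. One caveat the post does not mention: everything here, like the rules themselves, covers IPv4 only; ip6tables keeps a separate table, so a server with an IPv6 address stays unfiltered on that side until the same is done with ip6tables-save/ip6tables-restore.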
March 21, 2012 — 16:25
You could make things easier by installing iptables-persistent package: http://www.microhowto.info/howto/make_the_configuration_of_iptables_persistent_on_debian.html
April 27, 2013 — 08:14
With having so much content and articles, do you ever run into any issues of plagiarism or copyright infringement?
My blog has a lot of completely unique content I’ve either authored myself or outsourced, but it seems a lot of it is popping up all over the web without my permission. Do you know any ways to help stop content from being ripped off? I’d really appreciate it.
April 28, 2013 — 10:07
Well, I had issues of plagiarism and indeed I know how to handle such issues – I don’t care :) Since I do a lot of open-source, I’ve got used to being reposted.
August 3, 2013 — 18:35
Hi Maciej,
I was just following your example above and was just curious about a rule you have in there… is there a reason you allow www (80) traffic and then in the next section drop the exact same traffic?
I’m thinking I could cut out lines 36 and 37 completely from the script and it should behave exactly the same…or I could be completely missing something.
Thanks for the article, it’s helped quite a bit already!
August 5, 2013 — 11:17
That’s a good one ;) Probably I’ve just copy-pasted something that I use and instead of removing rule I’ve just added a drop one. Thank you.
March 12, 2014 — 11:34
I use webmin to manage firewall.
June 11, 2016 — 22:56
You can also try a SaaS solution for managing iptables -> https://www.efw.io/Forum It can do AWS cloud integration if needed.