Iptables Rules For Securing Webservers


Published: 2015-06-12T13:23:24Z   Edited: 2017-06-22T13:23:24Z

iptables and ip6tables are used to build firewalls on Linux servers. In this article we'll go over a set of rules that help secure a webserver by restricting the internet traffic that reaches it. If you're looking for OpenBSD pf instead, see openbsd pf rules for webservers.


What's iptables?

iptables is the userspace front end to the kernel's netfilter framework: a collection of tables (filter, nat, mangle, ...) that contain chains (INPUT, OUTPUT, FORWARD, ...) in which we define rules for incoming and outgoing traffic. A packet is checked against the rules of a chain one by one, in order, until a rule matches and its target (ACCEPT, DROP, ...) is applied, so the first matching rule wins; if no rule matches, the chain's default policy decides. Keep in mind that LOG is a non-terminating target: a packet that hits a LOG rule is logged and then keeps travelling down the chain, which is why LOG rules are placed just before the rule or policy that finally drops the packet. iptables filters IPv4 and ip6tables filters IPv6; a dual-stack host needs both, since neither sees the other's traffic.

iptables vs pf?

For a brief comparison between OpenBSD pf and iptables, please refer to how pf differs from iptables?.


Careful not to be blocked

iptables syntax can be complex and hard to read, but there are front-end programs that make designing and applying your netfilter (iptables/ip6tables) rules easier. If your rules are few and simple you don't need a front end, and you need to learn the iptables syntax anyway :P

Whatever you use, remember that a default-DROP INPUT policy plus one mistyped rule locks you out of a remote server. Parse a new rule set with iptables-restore --test first, apply it from a session you can afford to lose, and have a way back: a second console, or a scheduled job that restores the previous rules unless you cancel it within a few minutes.


NetFilter Rules

In order to filter internet traffic we need two sets of rules, one per address family:

  • IPv4 addresses, managed by the commands iptables and iptables-restore.
  • IPv6 addresses, managed by the commands ip6tables and ip6tables-restore.

We'll assume that the loopback interface is named lo and the external interface is named eth0 for simplicity. Check the real name with ip link before copying the rules: on many current distributions the first NIC is called something like ens3 or enp0s3, and a rule bound to an interface name that does not exist never matches, so with a DROP policy every service would be unreachable.


Iptables Rules

We will save our IPv4 rules in /etc/ip4tables.rules

  1. Open the filter table and set the default policies: drop everything coming in or being forwarded without telling the client (DROP, not REJECT), and let outgoing traffic through. The [0:0] after each policy is the packet:byte counter pair that iptables-save writes; iptables-restore accepts the lines with or without it.
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
  2. Allow internal traffic within our server on the loopback interface. Don't restrict it to 127.0.0.0/8: a local process that connects to the server's own public address also goes over lo, and a source/destination match would drop that.
    -A INPUT -i lo -j ACCEPT
  3. Allow packets that belong to established connections, and anything related to an already allowed connection (such as ICMP errors for it), to pass. conntrack is the current name of the match; the older state match is a deprecated alias for it. Packets that conntrack cannot classify (INVALID) are dropped right away.
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
  4. Drop malformed packets: non-initial fragments (-f), and TCP segments with every flag set (an "xmas" scan) or no flags at all (a "null" scan).
    -A INPUT -f -j DROP
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  5. Allow incoming mail on port 25. Every allow rule needs an explicit -j ACCEPT: a rule with a match but no target only counts packets, and the connection is then dropped by the default policy.
    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
  6. Allow incoming web traffic on ports 80 and 443
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
  7. Allow SSH connections on port 22
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  8. Log ICMP, for information only, then drop it. You may like to allow it instead (dropping all ICMP also discards the "fragmentation needed" errors that path-MTU discovery relies on), but I don't :) Because LOG is non-terminating, this rule has to come before the catch-all log rule in step 9 and be followed by its own DROP, otherwise every ICMP packet is logged twice.
    -A INPUT -p icmp -m limit --limit 7/min -j LOG --log-prefix "iptables dropped-icmp: " --log-level 7
    -A INPUT -p icmp -j DROP
  9. Finally, log all other traffic that is about to be dropped, but limit logging to 7 entries a minute so a flood cannot fill the disk. Level 7 is debug: the lines always show up in dmesg, but check that your syslog daemon stores kern.debug messages, or raise the level to 4 (warning).
    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "iptables dropped: " --log-level 7
  10. Close the table with COMMIT. Without it iptables-restore rejects the file and nothing is loaded.
    COMMIT
  11. The whole file may look like the following:
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]

    -A INPUT -i lo -j ACCEPT

    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP

    -A INPUT -f -j DROP
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

    -A INPUT -p icmp -m limit --limit 7/min -j LOG --log-prefix "iptables dropped-icmp: " --log-level 7
    -A INPUT -p icmp -j DROP
    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "iptables dropped: " --log-level 7
    COMMIT
Ok, done with /etc/ip4tables.rules, so save and exit.


Ip6tables Rules

We will save our IPv6 rules in /etc/ip6tables.rules

  1. Open the filter table and set the default policies, exactly as for IPv4: drop incoming and forwarded traffic without any notice to the client, allow outgoing.
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
  2. Allow internal traffic within our server on the loopback interface. Match on the interface, not on a host name: "localhost" may resolve to 127.0.0.1 on the IPv6 side, and ::1 is not the only address that local connections use.
    -A INPUT -i lo -j ACCEPT
  3. Allow established connections and anything related to an already allowed connection to pass, and drop what conntrack cannot classify.
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
  4. Drop malformed TCP segments (xmas and null scans). ip6tables has no -f option; IPv6 fragment headers are matched with -m frag, which we do not need here.
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  5. Allow ICMPv6. Unlike IPv4, IPv6 does not work without it: neighbour discovery (the IPv6 counterpart of ARP), router advertisements and path-MTU discovery are all ICMPv6, and a host that drops ICMPv6 wholesale loses its IPv6 connectivity. ip6tables knows the protocol as ipv6-icmp (alias icmpv6), which is also what ip6tables-save prints.
    -A INPUT -p ipv6-icmp -j ACCEPT
  6. Allow incoming mail on port 25. As on the IPv4 side, every allow rule needs an explicit -j ACCEPT; a rule without a target only counts packets.
    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
  7. Allow incoming web traffic on ports 80 and 443
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
  8. Allow SSH connections on port 22
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  9. Finally, log all other traffic that is about to be dropped, limited to 7 entries a minute. Since ICMPv6 was accepted in step 5 there is nothing left to log separately for it.
    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "ip6tables dropped: " --log-level 7
  10. Close the table with COMMIT, or ip6tables-restore rejects the file.
    COMMIT
  11. The whole file may look like the following:
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]

    -A INPUT -i lo -j ACCEPT

    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP

    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    -A INPUT -p ipv6-icmp -j ACCEPT

    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "ip6tables dropped: " --log-level 7
    COMMIT
Ok, done with /etc/ip6tables.rules, so save and exit.

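The two rule files above are hand-written, and the two slips that are easiest to make in them (an allow rule with no -j ACCEPT, which only counts packets and leaves the port closed, and a table that is never closed with COMMIT) are exactly the ones that lock you out of a default-DROP server. The following script is an added example, not code from the original article: it lints an iptables-restore file for those slips, dry-runs it with iptables-restore --test, and then loads it with a rollback timer that puts the previous rules back unless you confirm from a fresh login. The pid-file path, the 60 second default grace period and the sample rule sets are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# netfilter-apply: check an iptables-restore file before loading it, then load
# it with a rollback timer so one bad rule cannot lock you out for good.
# Added example, not from the article. The pid-file path, the 60 s default grace
# period and the sample rule sets in write_sample are assumptions/constructed.

ROLLBACK_PID=${ROLLBACK_PID:-/run/netfilter-rollback.pid}

# lint_rules FILE: catch what iptables-restore accepts silently or only reports
# at load time: a rule with no -j/-g target (it only counts packets, so the
# port stays closed), a table never closed with COMMIT, a bad chain policy.
lint_rules() {
    awk '
        /^\*/       { tables++; in_table = 1 }
        /^COMMIT$/  { if (!in_table) { print "line " NR ": COMMIT outside a table"; bad++ }
                      in_table = 0 }
        /^:/        { if ($2 != "ACCEPT" && $2 != "DROP" && $2 != "-") {
                          print "line " NR ": bad chain policy: " $0; bad++ } }
        /^-A /      { if (!in_table) { print "line " NR ": rule outside a table"; bad++ }
                      if ($0 !~ /(^| )-(j|g) /) {
                          print "line " NR ": no target (-j/-g), rule only counts packets: " $0; bad++ } }
        END {
            if (tables == 0) { print "no *table line (e.g. *filter)"; bad++ }
            if (in_table)    { print "missing COMMIT at end of file"; bad++ }
            exit (bad > 0)
        }' "$1"
}

# apply_rules 4|6 FILE [GRACE]: lint, dry-run, back up the live rules, load the
# new ones and schedule a restore of the backup in GRACE seconds. Log in again
# over a new connection and run "keep" to cancel the timer; if you cannot log
# in, the old rules come back by themselves.
apply_rules() {
    case $1 in
        4) save=iptables-save;  restore=iptables-restore ;;
        6) save=ip6tables-save; restore=ip6tables-restore ;;
        *) echo "usage: $0 apply 4|6 RULES_FILE [GRACE_SECONDS]" >&2; return 2 ;;
    esac
    file=$2; grace=${3:-60}
    lint_rules "$file" || return 1
    "$restore" --test < "$file" || return 1        # parse only, commit nothing
    backup=$(mktemp) || return 1
    "$save" > "$backup" || return 1
    "$restore" < "$file" || return 1
    # nohup in its own sh: the timer must survive the SSH session dying
    nohup sh -c 'sleep "$1" && "$2" < "$3"' rollback "$grace" "$restore" "$backup" \
        >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_PID"
    echo "rules loaded; rollback to $backup in ${grace}s unless you run: $0 keep"
}

# keep_rules: cancel the pending rollback once you have confirmed access.
keep_rules() {
    [ -r "$ROLLBACK_PID" ] || { echo "no rollback timer pending" >&2; return 1; }
    kill "$(cat "$ROLLBACK_PID")" 2>/dev/null
    rm -f "$ROLLBACK_PID"
    echo "rollback cancelled, new rules kept"
}

# write_sample bad|good FILE: constructed rule sets for trying the linter.
# "bad" reproduces the two classic slips: a port rule with no -j ACCEPT, and
# no COMMIT line at the end.
write_sample() {
    {
        printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
                      ':FORWARD DROP [0:0]' '-A INPUT -i lo -j ACCEPT'
        if [ "$1" = bad ]; then
            printf '%s\n' '-A INPUT -i eth0 -p tcp -m tcp --dport 22'
        else
            printf '%s\n' '-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' COMMIT
        fi
    } > "$2"
}

case ${1:-} in
    lint)  lint_rules "$2" ;;
    apply) shift; apply_rules "$@" ;;
    keep)  keep_rules ;;
    demo)  f=$(mktemp); write_sample bad "$f"; lint_rules "$f"; rm -f "$f" ;;
esac
```

Typical use is `netfilter-apply apply 4 /etc/ip4tables.rules 120`, then an SSH login from another terminal, then `netfilter-apply keep`; the same with `6` for the ip6tables file. `netfilter-apply demo` runs the linter over the constructed bad sample and reports both slips. The linter is deliberately strict about targets: the only legitimate rules without -j or -g are counting rules, and a webserver rule set rarely needs any.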

Automatic Apply Rules

- To make our rules apply automatically whenever the network is brought up, we create /etc/network/if-up.d/netfilter with the following content. ifupdown runs every script in that directory each time an interface comes up, so on a host with several interfaces it runs more than once; that is harmless, because iptables-restore replaces the whole table on every run instead of appending to it:

#! /bin/sh -e
# Load the saved rule sets. A restore that fails must be reported rather than
# silently skipped, so each one is wrapped in an if.

RULES4=/etc/ip4tables.rules
RULES6=/etc/ip6tables.rules

if [ -r "$RULES4" ]; then
    if iptables-restore < "$RULES4"; then
        echo "[SUCCESS] iptables reloaded"
    else
        echo "[FAILED] iptables-restore rejected $RULES4" >&2
    fi
fi

if [ -r "$RULES6" ]; then
    if ip6tables-restore < "$RULES6"; then
        echo "[SUCCESS] ip6tables reloaded"
    else
        echo "[FAILED] ip6tables-restore rejected $RULES6" >&2
    fi
fi

exit 0
- Make sure it's executable
chmod a+rx /etc/network/if-up.d/netfilter


That's it

You can now call /etc/network/if-up.d/netfilter to apply new rules, and whenever your network is brought up the rules will be applied automatically. After the first run, compare what the kernel actually holds with your files using iptables -S INPUT and ip6tables -S INPUT.
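Once the rules are live, the LOG rules from the two files write one kernel log line per dropped packet (subject to the 7/min limit), each carrying the --log-prefix text followed by IN=, SRC=, PROTO=, DPT= and so on. The script below is an added example, not part of the original article: it aggregates those lines into "count source protocol port" so you can see who is knocking on which closed port, and handles ICMP lines, which carry TYPE= instead of DPT=. The log lines it generates for the demonstration are constructed in the kernel LOG target's format with documentation addresses; the host name web1 and the MAC string are invented.

```shell
#!/bin/sh
# drop-summary: aggregate the kernel LOG lines written by the firewall's LOG
# rules into "count source protocol port".
# Added example, not from the article. The log lines in write_sample_log are
# constructed in the kernel LOG target's format using documentation addresses.

# summarize_drops LOGFILE [PREFIX]: PREFIX is the --log-prefix text. The default
# "iptables dropped" also matches "iptables dropped-icmp" (substring match);
# pass "ip6tables dropped" for the IPv6 log.
summarize_drops() {
    awk -v pfx="${2:-iptables dropped}" '
        index($0, pfx) == 0 { next }                 # not one of our lines
        {
            src = proto = port = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue                  # timestamp, host, "kernel:"
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   port  = kv[2]
                if (kv[1] == "TYPE" && port == "") port = "type" kv[2]   # ICMP has no port
            }
            if (src != "") count[src " " proto " " port]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# write_sample_log FILE: constructed syslog lines as rsyslog stores them for the
# LOG rules, plus one unrelated sshd line that must be ignored.
write_sample_log() {
    mac=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00
    {
        for i in 1 2 3; do   # three SYNs to a closed MySQL port from one host
            echo "Jun 12 13:23:2$i web1 kernel: [ 10$i.000001] iptables dropped: IN=eth0 OUT= MAC=$mac SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=5432$i PROTO=TCP SPT=4412$i DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0"
        done
        echo "Jun 12 13:23:27 web1 kernel: [ 107.000001] iptables dropped: IN=eth0 OUT= MAC=$mac SRC=203.0.113.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40"
        echo "Jun 12 13:23:28 web1 kernel: [ 108.000001] iptables dropped-icmp: IN=eth0 OUT= MAC=$mac SRC=203.0.113.9 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1"
        echo "Jun 12 13:23:29 web1 sshd[1234]: Accepted publickey for admin from 198.51.100.2 port 50000 ssh2"
    } > "$1"
}

case ${1:-} in
    demo) f=$(mktemp); write_sample_log "$f"; summarize_drops "$f"; rm -f "$f" ;;
    "")   ;;
    *)    summarize_drops "$@" ;;     # drop-summary /var/log/kern.log ["prefix"]
esac
```

On the constructed sample, `drop-summary demo` prints the 3306 scanner first (3 hits), followed by the mDNS probe and the ping. Pointed at the real kern.log, the first few lines are usually the ports worth a second look: a burst against 3306 or 22 from one source is a scan, while many sources hitting a port you thought was closed means some client still expects a service there.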
