IPtables rules

Support for security such as firewalls and securing Linux
sferreira
Posts: 75
Joined: 2016/04/26 16:06:06

IPtables rules

Post by sferreira » 2019/02/01 10:53:39

Hey,

I've been doing some tests with iptables but I'm having some trouble.
My test server is a remote server, so if I mess up an iptables rule (since I don't have the physical server next to me) and it breaks the SSH connection, I lose everything: a complete lock-out, and I have to reset the server, redo everything and run new tests, not knowing very well what caused the problem (I lose all the logs).

My goal with iptables is to allow:
- ssh port 22
- ftp port 21
- MySQL port 3307 (only to 2 specific IPs, a public one and a private one; for example my public IP is 10.10.10.10 and the private one 192.168.0.5)
- http and https port 80 and port 443
- smtp port 25 and 465

Will these rules work and not lock me out?
--
#IPTABLES Rules

#Allow localhost traffic
sudo iptables -A INPUT -i lo -j ACCEPT

#Allow established outgoing connections to receive incoming replies
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow http and https
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#Allow SMTP connections
sudo iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

#Allow SSH
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

#Allow FTP
sudo iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

#MySQL rules
sudo iptables -A INPUT -i eth0 -p tcp -d 10.10.10.10 --dport 3307 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp -d 192.168.0.5 --dport 3307 -m state --state NEW,ESTABLISHED -j ACCEPT

#Default policies: accept all outgoing, drop everything else incoming
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P INPUT DROP

--

Thank you very much for the help

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: IPtables rules

Post by tunk » 2019/02/01 12:51:29

I assume you have installed iptables and disabled firewalld?
Usually I put the rules in /etc/sysconfig/iptables, e.g.:
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
You don't say anything about ipv6, have you disabled or blocked it?
Also, FTP isn't a secure protocol, you may want to use something SSH-based instead, e.g. scp.
For MySQL you may want to add source IPs as well.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPtables rules

Post by TrevorH » 2019/02/01 14:06:50

The usual trick of manipulating firewall rules remotely is to add a crontab entry that reboots the machine in say 10 minutes time. Do your rule changes and if they lock you out then the cron entry kicks in and reboots the box and reverts to the saved rules. If they work then you save them and remove the crontab entry.

However... on CentOS 7, iptables is not the default firewall unless you make it so. By default you get firewalld not iptables. You can read the rules that firewalld is using by running iptables-save but you should not alter them using the iptables command as firewalld monitors the rules and will remove anything you add and add back anything you remove. If using firewalld then you need to use the firewall-cmd command to manipulate the rules, not iptables.

You can remove firewalld and install iptables-services instead and then you can use the iptables command to alter the rules.

If you are using iptables and not firewalld then your rules seem ok. A couple of comments on them: the ones for specific ports should all have -m state --state NEW on them. For your mysql rules you have that already but you should remove the ,ESTABLISHED bit from those two as you already have a rule to allow all ESTABLISHED connections up the top.

If you are allowing port 21 for ftp then you should also load the nf_conntrack_ftp kernel module. Ftp is a strange protocol and uses random ports that are decided at run time so it is not possible to code iptables rules to allow all of them (except by pretty much turning the firewall off). The way around that is to load nf_conntrack_ftp which then inspects the ftp packets as they pass through and extracts the right ports out of those and allows access on the fly. Firewalld automatically loads nf_conntrack_ftp if you tell it to --add-service=ftp.

If you are using iptables-services then once your rules are correct, use service iptables save to save the running rules to /etc/sysconfig/iptables and they will be loaded automatically at boot time.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
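
One way to put TrevorH's and tunk's suggestions together, as an added example that is not from the thread, from CentOS or from the iptables-services package: a script that generates the ruleset from the original post in iptables-save format (every per-port rule limited to NEW, the MySQL rules restricted to the two addresses from the post as source addresses with ",ESTABLISHED" dropped, an explicit final REJECT), parse-checks it with iptables-restore --test, and applies it behind a rollback timer that restores the previous rules unless cancelled, which is the cron-reboot trick without the reboot. The MYSQL_CLIENTS list, the backup path, the pidfile and the 10-minute window are assumptions; only the apply and cancel steps need root.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the INPUT ruleset from the
# original post in iptables-save format with the replies' changes applied:
#   - every per-port rule matches only NEW connections,
#   - the MySQL rules lose ",ESTABLISHED" (the ESTABLISHED,RELATED rule
#     already covers that) and are limited to the allowed source addresses,
#   - the chain ends with an explicit REJECT, as the CentOS default chain does.
# It can then test-parse the ruleset and apply it behind a rollback timer.
# Assumed values: MYSQL_CLIENTS (the two addresses from the post), BACKUP,
# PIDFILE and ROLLBACK_SECS.

MYSQL_CLIENTS="10.10.10.10 192.168.0.5"
BACKUP=/root/iptables.before-change
PIDFILE=/run/iptables-rollback.pid
ROLLBACK_SECS=600

# Print the ruleset in the format /etc/sysconfig/iptables uses.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in 22 21 80 443 25 465; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    for src in $MYSQL_CLIENTS; do
        printf '%s\n' "-A INPUT -p tcp -s $src -m state --state NEW --dport 3307 -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Parse the ruleset without loading it (needs root; --test is a real
# iptables-restore option). Skips cleanly where iptables is not installed.
check_rules() {
    if command -v iptables-restore >/dev/null 2>&1; then
        gen_rules | iptables-restore --test
    else
        echo "iptables-restore not installed, skipping parse check" >&2
    fi
}

# Save the running rules, start a detached timer that restores them, then
# load the new ruleset. If the new rules lock you out, the timer undoes them
# without a reboot; if they work, run 'cancel' before it fires.
apply_with_rollback() {
    iptables-save > "$BACKUP"
    nohup sh -c "sleep $ROLLBACK_SECS; iptables-restore < '$BACKUP'" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    modprobe nf_conntrack_ftp            # FTP data connections then count as RELATED
    gen_rules | iptables-restore
    echo "applied; run '$0 cancel' within $ROLLBACK_SECS s to keep these rules" >&2
}

# Stop the timer and persist the rules (iptables-services). Put
# IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config so the
# helper module is loaded at boot as well.
cancel_rollback() {
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
    service iptables save
}

case "${1:-generate}" in
    generate) gen_rules ;;
    check)    check_rules ;;
    apply)    apply_with_rollback ;;
    cancel)   cancel_rollback ;;
esac
```

Run it without arguments to print the ruleset and inspect it; "check" parses it, "apply" loads it with the safety net, and "cancel" keeps it and writes it to /etc/sysconfig/iptables. Killing the timer's parent shell is enough to stop the restore, since the restore command only runs after that shell's sleep returns.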

sferreira
Posts: 75
Joined: 2016/04/26 16:06:06

Re: IPtables rules

Post by sferreira » 2019/02/12 10:32:37

TrevorH wrote (2019/02/01 14:06:50):
Thank you so much for the help, so far they are working fine :) and jeez, why didn't I remember that earlier? Set a cron task to reboot iptables from x to x time until the rules are working fine? Duh, dumb me.

Yes, I removed firewalld as the default firewall: I unmasked it and removed it, and I only have iptables working.

I have one question though. On my rules I've added the "-m state --state NEW" like you said, and the rules are working fine, but on http/https none of my test sites were working until I added the -I option.

Rule that I was putting with no success on http:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Rule that made the sites work:

sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Why is that? Do I need to put the -I on all rules also, like ssh and such?

Thank you very much for the help yet again.

PS: I know, I hate having port 21 open, but for the final server I'm running these tests for, I unfortunately don't have the power to tell more than 1000 clients that have always used port 21 to import files that the file transfer port will change (I know, it's stupid, it was only one little config change that they had to make, but I just can't do it).

sferreira
Posts: 75
Joined: 2016/04/26 16:06:06

Re: IPtables rules

Post by sferreira » 2019/02/12 10:42:41

tunk wrote (2019/02/01 12:51:29):
Thank you Tunk for the help :)
Yes, I removed Firewalld and installed IPtables.

Hmm, regarding IPv6 I haven't made any changes yet; I would say they are on the default rules? (Correct me if I am wrong.) For example, if I execute the command

sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

then save iptables and reload the rules, are they also being set for IPv6?

As for MySQL, I only have a public IP address, but I'm having problems with this one: if I only allow my public address, will I have problems with the server websites that need to access the MySQL DBs?
Should I restrict to my public IP address (for access) and my private one (for dumps)?

Thank you, and sorry for the maybe dumb questions

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPtables rules

Post by TrevorH » 2019/02/12 11:23:26

Rules for IPv6 are manipulated using ip6tables{-save} etc.
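
To make TrevorH's point concrete, an added example that is not from the thread or from the iptables-services package: IPv6 has its own table, so the IPv4 file does nothing for it, and the script below prints the matching ruleset for /etc/sysconfig/ip6tables (the file the ip6tables service loads). It also covers an IPv6-specific caveat: neighbour discovery and path-MTU discovery run over ICMPv6, so a default-DROP chain that does not accept ipv6-icmp breaks the host's IPv6 connectivity altogether, not just ping. The port list is assumed to be the same public services as the IPv4 rules; MySQL is left out because its allowed clients in the post are IPv4 addresses.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the IPv6 counterpart of the
# ruleset in ip6tables-save format for /etc/sysconfig/ip6tables. ICMPv6 is
# accepted because neighbour discovery (the IPv6 equivalent of ARP) and
# path-MTU messages travel over it; dropping it silently breaks IPv6.
# Assumed: PUBLIC_TCP_PORTS matches the IPv4 rules; MySQL is IPv4-only here.

PUBLIC_TCP_PORTS="22 21 80 443 25 465"

gen_ip6_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT'
    for port in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp6-adm-prohibited' 'COMMIT'
}

# True when the kernel has IPv6 enabled. If it is disabled system-wide the
# ip6tables file is irrelevant, because nothing can listen on IPv6 either.
ipv6_enabled() {
    [ -r /proc/sys/net/ipv6/conf/all/disable_ipv6 ] &&
        [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" = 0 ]
}

if ipv6_enabled; then
    gen_ip6_rules        # as root: gen_ip6_rules | ip6tables-restore --test
else
    echo "IPv6 is disabled on this host" >&2
fi
```

Save the output to /etc/sysconfig/ip6tables and restart the ip6tables service; the IPv4 file and this one are loaded independently, so a port opened in one is not opened in the other.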

sferreira
Posts: 75
Joined: 2016/04/26 16:06:06

Re: IPtables rules

Post by sferreira » 2019/02/12 13:20:25

I see, thank you.
Regarding the -I or -A option, I'm having trouble telling one from the other when building the rules: if one is append and the other is insert, why did the port 80 rule not work with -A? It only started to work when I executed the same rule with -I instead :/

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPtables rules

Post by TrevorH » 2019/02/12 13:26:19

The last rule in the default set is one that rejects all traffic. No more rules are looked at after that so if you append a new one after it, it's never looked at.
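
An added example (not from the thread) that makes the ordering problem visible: a check over a chain listing in the format of iptables -S INPUT that reports rules sitting after the chain's catch-all REJECT or DROP, which is exactly where an appended port-80 rule lands, and the rule number of that catch-all, so a new rule can be placed just before it with iptables -I INPUT <n> ... rather than at the very top of the chain. The sample chain is constructed to mirror the CentOS 7 default INPUT chain with one rule appended by -A.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads a chain listing in the
# format of 'iptables -S INPUT' and reports (a) rules placed after the first
# catch-all terminating rule, which can never match, and (b) that catch-all's
# rule number, which is the position to give 'iptables -I INPUT <n> ...' so a
# new rule lands just before it. SAMPLE_RULES is constructed to mirror the
# CentOS 7 default INPUT chain with a port-80 rule appended by -A.

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 80 -j ACCEPT'

# awk condition shared by both functions: true for "-A <chain> -j REJECT|DROP"
# with no match criteria (optionally followed by --reject-with <type>).
IS_CATCHALL='$3 == "-j" && ($4 == "REJECT" || $4 == "DROP") && (NF == 4 || (NF == 6 && $5 == "--reject-with"))'

# Print every -A rule that follows the first catch-all: these are dead rules.
dead_rules() {
    awk "/^-A / { if (dead) { print; next }; if ($IS_CATCHALL) dead = 1 }"
}

# Print the 1-based rule number of the first catch-all, or nothing if absent.
catchall_index() {
    awk "/^-A / { n++; if ($IS_CATCHALL) { print n; exit } }"
}

printf '%s\n' "$SAMPLE_RULES" | dead_rules      # the appended port-80 rule
printf '%s\n' "$SAMPLE_RULES" | catchall_index  # 5 in the sample
# On a live host (as root): iptables -S INPUT | dead_rules
```

With the sample, the port-80 rule is reported as dead and the catch-all is rule 5, so iptables -I INPUT 5 -p tcp -m state --state NEW --dport 80 -j ACCEPT would place it after the SSH rule and before the REJECT, keeping the chain readable instead of piling every fix at position 1.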

tyler2016
Posts: 13
Joined: 2019/02/07 16:06:54

Re: IPtables rules

Post by tyler2016 » 2019/02/22 19:06:04

TrevorH wrote (2019/02/01 14:06:50):
In my opinion, FTP and FTPS should be avoided. Depending on the situation, HTTPS or SFTP will do the job, be easier to manage, and probably be more secure. Sometimes when working with other organizations you have no choice, but if you have any control over it, do yourself a favor and avoid FTP.
