[colug-432] IPTABLES

Rick Hornsby richardjhornsby at gmail.com
Mon May 11 12:46:45 EDT 2015


> On May 10, 2015, at 20:34, Steve VanSlyck <s.vanslyck at postpro.net> wrote:
> 
> I recently set up IPTABLES on my Digital Ocean Centos VPS. The rules I set up are below.
> 
> Problem is, after setting and saving these rules, if I then issued a flush command I would lose connectivity. Is this behaviour expected? Here is what I did (note these are my notes, not the content of a script file):
> 

Your default policy for the INPUT chain is DROP.

> Chain INPUT (policy DROP)

When you have no other matching rules, the default policy applies.  When you have no rules at all (flushed), the only rule is the default policy.  That’s your most likely culprit.  IIRC, flush does not change the policy mode.

If you want a “deny all then allow by rule” approach, you may want your INPUT chain default policy set this way.  This is referred to as “paranoid” because a broken firewall (no rules) reverts to blocking everything.

Honestly though, you would probably be better off using an ACCEPT policy, and then using a final catch-all DROP rule.  This achieves the same effect, without the paranoia.


> 
> Flush all current rules:
>     iptables -F
> Drop TCP reconnaissance packets (tcp null packets)
>     iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> Reject syn flood attacks
>     iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> Reject XMAS flood attacks
>     iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
> Accept traffic destined to localhost
>     iptables -A INPUT -i lo -j ACCEPT
> Open expected port for web (http) and secure web (https) traffic
>     iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>     iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> Open a port for SSH traffic on port 22 [THIS PORT SHOULD BE CHANGED!!!!!!!!!!!!!!!!!!!!!!!]
>     iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> Open port 8000 for Ajenti
>     iptables -A INPUT -p tcp -m state --state NEW --dport 8000 -j ACCEPT 
>     iptables -A INPUT -p udp -m state --state NEW --dport 8000 -j ACCEPT
> Open ports 4505 and 4506 if the server is going to be a salt-master
>     iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
>     iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT
> Accept incoming replies from established outgoing connections
>     iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> Allow outgoing traffic
>     iptables -P OUTPUT ACCEPT
> Drop all incoming traffic which doesn't match a designated rule
>     iptables -P INPUT DROP
> 
> Save the rules (This executes the iptables init script, which runs /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables .)
>     /sbin/service iptables save
> 
> ===================result=========================
> iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8000
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:8000
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4505
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4506
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8000
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:8000
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4505
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4506
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
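As an added example (not code from either poster), here are the quoted INPUT rules rewritten in iptables-restore format along the lines of the reply's advice: INPUT policy ACCEPT with a final catch-all DROP, so a flush leaves the host reachable instead of falling back to a DROP policy. The SSH_PORT variable, the /tmp path and the helper function names are my own assumptions; iptables-restore replaces the whole table in one step, which also avoids the doubled rules visible in the quoted listing.

```shell
#!/bin/sh
# Added example, not from the thread: the quoted INPUT rules in
# iptables-restore format with an ACCEPT policy and a final catch-all
# DROP, so "iptables -F" no longer locks out the session.
# SSH_PORT is an assumed variable; the thread keeps SSH on 22.
SSH_PORT="${SSH_PORT:-22}"

# Print the complete filter table to stdout.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 8000 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 8000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 4505 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 4506 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Policy of the INPUT chain in a ruleset read from stdin (ACCEPT or DROP).
input_policy() {
  awk '$1 == ":INPUT" { print $2 }'
}

# Last INPUT rule in a ruleset read from stdin; must be the catch-all DROP.
last_input_rule() {
  awk '$1 == "-A" && $2 == "INPUT" { last = $0 } END { print last }'
}

# Syntax-check, then load atomically (needs root). iptables-restore swaps
# the whole table in one step, so there is never an empty chain with a
# DROP policy, and re-running it does not append the rules a second time.
apply_ruleset() {
  gen_ruleset > /tmp/input.rules &&
  iptables-restore --test /tmp/input.rules &&
  iptables-restore /tmp/input.rules
}
```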
