Configuring iptables on Ubuntu Server


Whenever you set up any internet-facing server, firewalling is very important so you can have a more secure installation. To start with, we’re going to have three ports open: ssh, http and https.

We’re going to create two files, /etc/iptables.test.rules and /etc/iptables.up.rules. The first is a temporary (test) set of rules and the second is the ‘permanent’ set of rules (this is the one iptables will use when starting up, after a reboot for example).

Note that we are logged in as the root user. This is the only time we will log in as the root user. As such, if you are completing this step at a later date using the admin user, you will need to run “sudo su” to log in as root.

Now let’s see what’s running at the moment:

iptables -L

You will see something similar to this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As you can see, we are accepting anything from anyone on any port and allowing anything to happen.

One theory is that if there are no services running then it doesn’t matter. I disagree. If connections to unused (and popular) ports are blocked or dropped, then the vast majority of script kiddies will move on to another machine where ports are accepting connections. It takes two minutes to set up a firewall – is it really worth not doing?

Let’s assume you’ve decided that you want a firewall. Create the file /etc/iptables.test.rules and add some rules to it; if you or another admin user for this slice has worked through these or similar steps previously, this file may not be empty:

nano /etc/iptables.test.rules

Look at this example iptables configuration file.

The rules are very simple, and the file is not designed to give you the ultimate firewall. It is a simple beginning.

Hopefully you will begin to see the pattern of the configuration file. It isn’t complicated and is very flexible. You can change and add ports as you see fit. Don’t forget to change the port number ‘30000’ to whatever you specified in your sshd_config.
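As an added example (this is not the configuration file the post links to, and not code from the original post), here is a small shell script that writes a rules file of the shape the post describes, opening only ssh, http and https, and then sanity-checks it before you apply it. The SSH_PORT variable, the script and function names, and the check itself are my assumptions; the default of 30000 matches the post’s placeholder and should be changed to the port in your sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): generate a minimal
# /etc/iptables.test.rules in iptables-restore format for the three ports the
# post opens (ssh, http, https) and sanity-check it before it is applied.
# SSH_PORT is an assumption; the post's placeholder value is 30000.
SSH_PORT="${SSH_PORT:-30000}"

# Emit the rule set to stdout in the format iptables-restore reads.
gen_rules() {
    cat <<EOF
*filter

# Allow all loopback traffic, and reject packets for 127/8 that do not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept packets belonging to connections we already allowed (this also keeps
# the SSH session you are applying the rules from alive)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow new SSH connections on the port set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport ${SSH_PORT} -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log what is about to be rejected (rate limited) so it shows up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject everything else inbound, and all forwarding
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
EOF
}

# Write the rule set to FILE (default /etc/iptables.test.rules).
write_rules() {
    gen_rules > "${1:-/etc/iptables.test.rules}"
}

# Textual sanity check of a rules file: it must have a *filter table, a COMMIT,
# and an ACCEPT for the SSH port that comes before the catch-all INPUT REJECT.
# Getting that order wrong is the classic way to lock yourself out.
check_rules() {
    f="$1"
    grep -q '^\*filter' "$f" || { echo "$f: missing *filter header" >&2; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "$f: missing COMMIT" >&2; return 1; }
    ssh_line=$(grep -n -- "--dport ${SSH_PORT} -j ACCEPT" "$f" | head -n 1 | cut -d: -f1)
    reject_line=$(grep -n '^-A INPUT -j REJECT' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$ssh_line" ]; then
        echo "$f: no ACCEPT rule for SSH port ${SSH_PORT}" >&2
        return 1
    fi
    if [ -n "$reject_line" ] && [ "$ssh_line" -gt "$reject_line" ]; then
        echo "$f: SSH ACCEPT comes after the catch-all REJECT" >&2
        return 1
    fi
    return 0
}

# Usage: sh make-rules.sh run [FILE]
# Writes FILE (default /etc/iptables.test.rules) and then checks it.
if [ "${1:-}" = "run" ]; then
    write_rules "${2:-}"
    check_rules "${2:-/etc/iptables.test.rules}"
fi
```

Run it as root with `sh make-rules.sh run`, then apply the file with `iptables-restore < /etc/iptables.test.rules` exactly as the post does. Keep the SSH session you applied the rules from open and log in from a second session before saving: the ESTABLISHED,RELATED rule keeps the existing session alive even when the rules are wrong, so a mistake in the SSH ACCEPT rule only shows up on a fresh connection.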

Good. Defined your rules? Then let’s apply those rules to our server:

iptables-restore < /etc/iptables.test.rules

Let’s see if there is any difference:

iptables -L

Notice the change? (If there is no change in the output, you did something wrong. Try again from the start).

Have a look at the rules and see exactly what is being accepted, rejected and dropped. Once you are happy with the rules, it’s time to save our rules permanently:

iptables-save > /etc/iptables.up.rules

Now we need to ensure that the iptables rules are applied when we reboot the server. At the moment, the changes will be lost and it will go back to allowing everything from everywhere.

Open the file /etc/network/interfaces:

nano /etc/network/interfaces

Add a single line (shown below) just after ‘iface lo inet loopback’:

...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules
 
# The primary network interface
...

As you can see, this line will restore the iptables rules from the /etc/iptables.up.rules file. A simple but effective firewall.
