LINUX - MINIMAL IPTABLES EXAMPLE - MAKING SURE WE DONT LOSE ACCESS TO VPS VIA SSH

MINIMAL IPTABLES EXAMPLE - MAKING SURE WE DONT LOSE ACCESS TO VPS VIA SSH
##########################################################################

Sources:
http://major.io/2009/11/16/automatically-loading-iptables-on-debianubuntu/
http://wiki.centos.org/HowTos/Network/IPTables
https://help.ubuntu.com/community/IptablesHowTo
http://www.techrepublic.com/blog/10-things/10-iptables-rules-to-help-secure-your-linux-box/

A VPS (virtual private server) usually comes with a Linux install whose firewall allows everything, so it is important to lock it down without losing your own access along the way. These are the minimal settings you should have.

INTRO
=====

Step 0: make sure you are root, because these notes do not use the sudo command. If you prefer sudo, prefix every command with it, or just "sudo -i" to get a root shell; "su -" or plain "su" also work.

First: run ifconfig to see your IP and all of your interfaces, and note their names. To list the current rules use "iptables -L"; to see them with packet counters use "iptables -vL".

For example, my internet interface is usually eth0, but on this VPS it is venet0. Luckily this simple config does not use any interface names: the rules apply to every interface, with the loopback interface as the one exception (we allow everything on it).

A fresh system usually starts off with all access in, out and through (through is what iptables calls FORWARD). We want to keep that access while we are SSHed into the system: if I block SSH or anything it depends on, bam, we lose the session and have to get the VPS back with "magic". So the trick is to allow SSH inbound while you are connected, and only then start turning off the defaults. We do not actually turn the default off; we circumvent it with a "catch-all" rule right before it, so the default rule never gets acted upon. What am I talking about? The default rule on a system is usually "all in", but if I put a rule above it that says nobody is allowed in, then "all in" never happens.

THE CONFIG - no loss to ssh
############################

iptables -A INPUT -p tcp --dport ssh -j ACCEPT                          # allow new SSH first, while we are still connected
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                           # allow HTTP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  # replies to connections this host opened
iptables -A INPUT -j DROP                                               # catch-all: everything else inbound is dropped
iptables -I INPUT 1 -i lo -j ACCEPT                                     # insert at position 1: loopback is always allowed

Note that the ACCEPT defaults are still on; they are just at the very bottom of the list (since they are the default policy), below our catch-all DROP, so they are never reached.
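Added example, not from the original notes: the same rule set written as one iptables-restore file and applied with a timed rollback, so that a wrong order (DROP above the SSH ACCEPT) or a typo cannot lock you out of the session that applies it. ssh_before_drop() refuses a file whose catch-all DROP comes before the port 22 ACCEPT; apply_with_rollback() saves the live rules, loads the new file and schedules a restore of the old set that is cancelled only by a keypress on the still-working SSH session. RULES_FILE, ROLLBACK_SECS, IPTABLES_APPLY and the function names are assumptions; the rules file path is the one used later on this page.

```shell
#!/bin/sh
# Added example (not part of the original notes): build the minimal INPUT rules as an
# iptables-restore file and apply them with a timed rollback. RULES_FILE, ROLLBACK_SECS
# and IPTABLES_APPLY are assumed names, not values taken from the page.
set -eu

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # same path the notes save to
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"               # assumed grace period before automatic rollback

# Write the filter table in iptables-restore format. Order matters: loopback and
# conntrack first, then the services we want reachable, then the catch-all DROP.
write_rules() {
    out="$1"
    cat > "$out" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Return 0 when the SSH ACCEPT sits above the catch-all DROP in the given file.
# A file that fails this check would cut the very session that loads it.
ssh_before_drop() {
    ssh_line=$(grep -n -- '--dport 22 -j ACCEPT' "$1" | cut -d: -f1 | head -n1)
    drop_line=$(grep -n -- '^-A INPUT -j DROP' "$1" | cut -d: -f1 | head -n1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Apply with a safety net: save the live rules, load the new set, and let a background
# timer restore the old set unless the operator confirms in time from the SSH session.
apply_with_rollback() {
    new="$1"
    ssh_before_drop "$new" || { echo "refusing: DROP precedes the SSH ACCEPT" >&2; return 1; }
    backup=$(mktemp)
    iptables-save > "$backup"
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" && echo "rolled back" >&2 ) &
    timer=$!
    iptables-restore < "$new"
    printf 'Rules applied. Still connected? Press Enter within %ss to keep them: ' "$ROLLBACK_SECS"
    if read -r _; then
        kill "$timer" 2>/dev/null || true   # killing the subshell stops the pending restore
        iptables-save -c > "$RULES_FILE"
        echo "kept and saved to $RULES_FILE"
    fi
}

# Only touch the live firewall when explicitly asked, so the functions above can be
# exercised on a machine without iptables.
if [ "${IPTABLES_APPLY:-no}" = "yes" ]; then
    tmp=$(mktemp)
    write_rules "$tmp"
    apply_with_rollback "$tmp"
fi
```

Run it as root with IPTABLES_APPLY=yes; if the SSH session freezes, do nothing and the old rules come back after ROLLBACK_SECS.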

SIMPLER
#######

The simplest form of the rules (without the -I edit line shown above; lo is simply appended first):

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP

SAVE RULES TO FILE
##################

JUST TO DUMP TO SCREEN:
iptables-save

EXAMPLE:

iptables-save
OUTPUT:

# Generated by iptables-save v1.4.14 on Wed Aug 28 11:53:54 2013
*nat
:PREROUTING ACCEPT [86:5510]
:POSTROUTING ACCEPT [255:16686]
:OUTPUT ACCEPT [255:16686]
COMMIT
# Completed on Wed Aug 28 11:53:54 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 11:53:54 2013
*mangle
:PREROUTING ACCEPT [328444:467708319]
:INPUT ACCEPT [328444:467708319]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [184620:29070873]
:POSTROUTING ACCEPT [184620:29070873]
COMMIT
# Completed on Wed Aug 28 11:53:54 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 11:53:54 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1129:168931]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Aug 28 11:53:54 2013


iptables-save > /etc/iptables.rules

TO RESTORE RULES:
=================
iptables-restore < /etc/iptables.rules

Essentially we just want to run that at boot.

COUNTERS OPTION:
===============
With the -c option the packet and byte counters are saved and restored too. Remember you can see the counters with "iptables -vL".
iptables-save -c > /etc/iptables.rules
iptables-restore -c < /etc/iptables.rules

TO SEE WHAT IT LOOKS LIKE (note this does not affect any file, it is all just output to the screen; as stated before, iptables-save only dumps to stdout when used without a redirect like the > character):

iptables-save -c

OUTPUT:

# Generated by iptables-save v1.4.14 on Wed Aug 28 12:29:03 2013
*nat
:PREROUTING ACCEPT [107:6554]
:POSTROUTING ACCEPT [255:16686]
:OUTPUT ACCEPT [255:16686]
COMMIT
# Completed on Wed Aug 28 12:29:03 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:29:03 2013
*mangle
:PREROUTING ACCEPT [331366:467920887]
:INPUT ACCEPT [331366:467920887]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [186183:29298635]
:POSTROUTING ACCEPT [186183:29298635]
COMMIT
# Completed on Wed Aug 28 12:29:03 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:29:03 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [828:98044]
[0:0] -A INPUT -i lo -j ACCEPT
[1597:115560] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[5:272] -A INPUT -j DROP
COMMIT
# Completed on Wed Aug 28 12:29:03 2013


BOOTING AND SHUTTING DOWN AND DEALING WITH CONFIG
##################################################

Since networking in Debian is started from /etc/network/interfaces, we can edit that file and add directives like these:

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules

OR to save with counters:

pre-up iptables-restore -c < /etc/iptables.rules
post-down iptables-save -c > /etc/iptables.rules

BEST WAY - BOOTING AND SHUTTING DOWN AND DEALING WITH CONFIG
###################################################################

OR EVEN BETTER (this applies to all interfaces):

Just put scripts in "/etc/network/if-pre-up.d" and "/etc/network/if-post-down.d", and make sure to make them executable.

AUTO START - need to restore with counters:
============================================

# no .sh suffix and a #! line: run-parts skips names containing dots and execs the file directly
printf '#!/bin/sh\niptables-restore -c < /etc/iptables.rules\n' > /etc/network/if-pre-up.d/my-iptables-restore
chmod +x /etc/network/if-pre-up.d/my-iptables-restore


AUTO TURN OFF - need to save with counters:
=============================================

# same naming rule as above: no dots in the file name, shebang on the first line
printf '#!/bin/sh\niptables-save -c > /etc/iptables.rules\n' > /etc/network/if-post-down.d/my-iptables-save
chmod +x /etc/network/if-post-down.d/my-iptables-save

CONFIRM THEY ARE CORRECT:
=========================

cd /etc/network
# find -iname "*ip*" -exec echo {} \; -exec cat {} \;

OUTPUT SHOULD BE:

./if-post-down.d/my-iptables-save
#!/bin/sh
iptables-save -c > /etc/iptables.rules
./if-pre-up.d/my-iptables-restore
#!/bin/sh
iptables-restore -c < /etc/iptables.rules
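The confirm step above only shows the files' contents. ifupdown runs these hook directories through run-parts, which skips any file whose name contains characters outside [A-Za-z0-9_-] (a ".sh" suffix is enough to be skipped) and execs each file directly, so each needs a #! line. The script below is an added example, not part of the original notes: it installs the two hooks in that form and checks a hook directory for all three conditions (name, executable bit, shebang). The directory paths and commands come from the notes; the function names and the INSTALL_HOOKS variable are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original notes): install ifupdown hook scripts in a form
# run-parts will execute, and verify an existing hook directory. Function names and the
# INSTALL_HOOKS gate are assumed names.
set -eu

# Return 0 when NAME is acceptable to run-parts: non-empty, only letters, digits,
# underscore and hyphen. Any dot (e.g. a ".sh" suffix) makes run-parts ignore the file.
valid_runparts_name() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_hook DIR NAME COMMAND: write DIR/NAME as an executable POSIX sh script
# whose single command is COMMAND. Refuses names run-parts would skip.
install_hook() {
    dir="$1"; name="$2"; cmd="$3"
    valid_runparts_name "$name" || { echo "run-parts would skip '$name'" >&2; return 1; }
    mkdir -p "$dir"
    printf '#!/bin/sh\n%s\n' "$cmd" > "$dir/$name"
    chmod 0755 "$dir/$name"
}

# check_hook_dir DIR: return 0 when every file in DIR has a run-parts-safe name,
# is executable and starts with a #! line; report each problem on stderr.
check_hook_dir() {
    dir="$1"; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        n=${f##*/}
        if ! valid_runparts_name "$n"; then echo "bad name (run-parts skips it): $f" >&2; rc=1; fi
        if [ ! -x "$f" ]; then echo "not executable: $f" >&2; rc=1; fi
        if [ "$(head -c 2 "$f")" != "#!" ]; then echo "missing #! line: $f" >&2; rc=1; fi
    done
    return $rc
}

# Only write into /etc/network when explicitly asked, so the functions can be tested
# against a scratch directory.
if [ "${INSTALL_HOOKS:-no}" = "yes" ]; then
    install_hook /etc/network/if-pre-up.d    my-iptables-restore 'iptables-restore -c < /etc/iptables.rules'
    install_hook /etc/network/if-post-down.d my-iptables-save    'iptables-save -c > /etc/iptables.rules'
    check_hook_dir /etc/network/if-pre-up.d && check_hook_dir /etc/network/if-post-down.d
fi
```

Running check_hook_dir against the two directories is a quick way to tell whether a hook that "does nothing" is simply being skipped by run-parts rather than failing.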

TESTING
========

HOW TO TEST IF IT WORKS: just reboot and see if the rules are active; also check whether the dates in the config file were updated:

grep -i "generated by" /etc/iptables.rules

BEFORE REBOOT OUTPUT IS

# grep -i "generated by" /etc/iptables.rules
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:07:08 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:07:08 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:07:08 2013

REBOOT

# shutdown -r now

AFTER REBOOT OUTPUT IS

If you want to log the runs, add the echo lines below to the bottom of each script.

./if-post-down.d/my-iptables-save
---------------------------------
#!/bin/sh
iptables-save -c > /etc/iptables.rules
echo "Last save ::: $(date)" >> /root/my-iptables.log

./if-pre-up.d/my-iptables-restore
---------------------------------
#!/bin/sh
iptables-restore -c < /etc/iptables.rules
echo "Last Restore ::: $(date)" >> /root/my-iptables.log

TROUBLESHOOTING NOT SAVING AND RESTORING
###########################################

-- In my case the above didn't work because the /etc/network/if*.d scripts were not running. I'm sure I can make it so they run appropriately, but I did it another way (a less recommended way :/ because I'm about to change a default system file; oh well, this is Linux, this is what it's all about).

If the above didn't work and those scripts are not running on reboots (you would know based on whether the my-iptables.log file exists or has new entries):

If the above didn't work, you can put those commands in the start case and stop case of one of the scripts that you see start and stop at different runlevels (make sure you see a stop script in the rc0 and rc6 locations, for halt and reboot respectively, so it runs on reboots and shutdowns). For me the networking script /etc/init.d/networking was run from rcS.d with a start case because of its S## prefix, and that script was stopped on halt/reboots because it had a K## prefix in rc0.d and rc6.d. rcS means those are all the start-up scripts, and rc0 and rc6 mean the halt and reboot scripts respectively. For more info on that, research runlevels for Debian or whatever system you have (hopefully Debian or a similar system that has /etc/init.d/).

Just find the start) case and add the 4 lines below that start and end with ###; do the same in the stop) case.

...a lot of code above...
start)
        ### MY CHANGE - iptables:
        iptables-restore -c < /etc/iptables.rules
        echo "Last Restore ::: $(date)" >> /root/my-iptables.log
        ### END OF CHANGE
...rest of the code...
stop)
        ### MY CHANGE - iptables:
        iptables-save -c > /etc/iptables.rules
        echo "Last save ::: $(date)" >> /root/my-iptables.log
        ### END OF CHANGE
...rest of the code...

Anyhow, after that I initiated a reboot and it all worked.

TO WATCH IPTABLES COUNTERS
#########################

watch --interval 0 'iptables -nvL | grep -v "0 0"'

OR

touch /tmp/prev123; while true; do iptables -nvL > /tmp/now123; diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff; clear; cat /tmp/diff; mv -f /tmp/now123 /tmp/prev123; sleep 1; done


TO ALLOW EVERYONE
##################

-X deletes user-defined chains, -F deletes all rules in the built-in INPUT, FORWARD and OUTPUT chains, and the last three lines set the default policies back to ACCEPT (just in case).

echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT