I ran into a problem: iptables is not included in the Ubuntu kernel on the VPS I used. Enabling it would take some time, so I decided to reinstall my VPS with the Debian 4 image instead. The steps for day 1 are the same as on Ubuntu, except that the sudo package is not installed by default. Install it by running:
debian:~# apt-get install sudo
Now, check the iptables configuration:
cath@debian:~$ sudo iptables -L
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
cath@debian:~$
Save the old configuration (if any; usually the rule set is still empty). Note that the redirection is done by your own shell, not by sudo, so the whole command has to run as root or the write to /etc fails with "Permission denied":
cath@debian:~$ sudo sh -c 'iptables-save > /etc/iptables.up.rules'
Create new rules:
cath@debian:~$ sudo vim /etc/iptables.test.rules
*filter
# Allow all loopback (lo) traffic and reject any traffic to 127/8 that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp --dport 2987 -j ACCEPT
# Reject ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
# Log denied packets (rate limited to 5 per minute; LOG does not stop the rule walk)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound traffic: default deny unless explicitly allowed
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Load the above rules into iptables:
cath@debian:~$ sudo iptables-restore < /etc/iptables.test.rules
Check it to see the differences:
cath@debian:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
REJECT 0 -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:2987
REJECT icmp -- anywhere anywhere icmp echo-request reject-with icmp-port-unreachable
LOG 0 -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
cath@debian:~$
Finally, test it from another machine: a ping is now answered with the port-unreachable rejection instead of an echo reply:
Pinging ppa16.vpsfarm.com [209.9.227.210] with 32 bytes of data:
Reply from 209.9.227.210: Destination port unreachable.
Reply from 209.9.227.210: Destination port unreachable.
Reply from 209.9.227.210: Destination port unreachable.
Reply from 209.9.227.210: Destination port unreachable.
Ping statistics for 209.9.227.210:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
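To see what the rule set above does to a given packet, here is a small first-match simulator (an added example, not code from the original post). It parses the post's INPUT chain in iptables-save syntax (written with the current `! -i lo` spelling of `-i ! lo`) and walks it top-down the way the kernel does; the packets are constructed, and the 5/min limit on the LOG rule is ignored. It shows, for instance, that a ping is rejected by the ICMP rule before it ever reaches the LOG rule, while a SYN to port 22 is logged and then rejected.

```python
import ipaddress
import shlex
RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 2987 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
""".strip().splitlines()
# Packet-selecting options used above; each maps to a test on a packet dict.
TESTS = {
    "-i": lambda p, v: p["iface"] == v,
    "-d": lambda p, v: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(v),
    "-p": lambda p, v: p["proto"] == v,
    "--dport": lambda p, v: p.get("dport") == int(v),
    "--state": lambda p, v: p["state"] in v.split(","),
    "--icmp-type": lambda p, v: p.get("icmp_type") == int(v),
}

def parse(rule):
    """Return ({option: (value, negated)}, target) for one -A INPUT line."""
    toks, crit, target, i = shlex.split(rule)[2:], {}, None, 0   # drop "-A INPUT"
    while i < len(toks):
        neg = toks[i] == "!"
        opt = toks[i + 1] if neg else toks[i]
        i += 2 if neg else 1                          # i -> the option's argument
        if opt == "-j":
            target = toks[i]
        elif opt in TESTS:
            crit[opt] = (toks[i], neg)
        i += 1   # -m, --limit and --log-* take one argument too; the LOG rate limit is ignored
    return crit, target

def verdict(pkt, policy="ACCEPT"):
    """Top-down walk: first terminating match wins; LOG records and falls through."""
    logged = False
    for crit, target in map(parse, RULES):
        # a "!"-negated option matches only when its test fails
        if all(TESTS[o](pkt, v) != neg for o, (v, neg) in crit.items()):
            if target != "LOG":
                return target, logged
            logged = True
    return policy, logged                 # chain policy, as in "Chain INPUT (policy ACCEPT)"

BASE = {"iface": "eth0", "dst": "209.9.227.210", "state": "NEW"}   # constructed; VPS from the ping test
if __name__ == "__main__":
    print(verdict({**BASE, "proto": "tcp", "dport": 2987}))    # ('ACCEPT', False)
    print(verdict({**BASE, "proto": "icmp", "icmp_type": 8}))  # ('REJECT', False): rejected before LOG
    print(verdict({**BASE, "proto": "tcp", "dport": 22}))      # ('REJECT', True): logged, then rejected
```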
There it is for day 2. I am searching again for other tips and tricks to secure our vps. Till then, good bye for now!
Thursday, May 28, 2009
1 comment:
I'm trying to get my iptables set up and am getting stuck on one of the commands:
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
If I do:
$ iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
I get:
iptables: No chain/target/match by that name
Here is the output of my iptables -L -v
# iptables -L -v
Chain INPUT (policy ACCEPT 424 packets, 33794 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- !lo any anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
559 42754 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:2579
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
3 128 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 283 packets, 52338 bytes)
pkts bytes target prot opt in out source destination
332 52296 ACCEPT all -- any any anywhere anywhere
Would you happen to know how to fix this? I have searched all over Google and the forums, but haven't found anything yet.
Thanks,
~Luke