Firewall for Debian 5/Drupal - recommendations?
Is the Linode "Basic Firewall for Debian Lenny" a good one to use? Are linodes all wide open on the public IP? If so I've got to get something up asap.
Any recommendations would be awesome! I promise to post what I end up doing and any issues. THANKS.
18 Replies
So are linodes really wide open on the public IP? Is there any NAT going on or anything?
@theatereleven:
So are linodes really wide open on the public IP? Is there any NAT going on or anything?
There's some port filtering at the Atlanta data center (done by the provider, not by Linode), and Linode does some filtering in the network layer (OSI 3) to stop wayward or malicious Linodes from seeing/sending traffic to/from IPs that they don't own.
Removed shorewall by typing:
apt-get remove --purge shorewall-common
Then I rebooted and typed:
apt-get install shorewall-common shorewall-shell
And now /sbin/shorewall version -a says 4.0.15
BUT I then look for configuration files in /etc/shorewall, and there isn't even a shorewall directory. ARGH. so frustrating. Anyone else run into this on Debian?
/etc/shorewall/Makefile
/etc/shorewall/shorewall.conf
So, if it isn't the case for you, something's seriously screwed >.>
A directory listing in Putty shows it, so I just tried going to the directory again and it is working. I must have been using the CD command like in DOS as opposed to Linux.
THANKS!
The docs say in Lenny to copy all of the files from user/share/doc/shorewall-common/default-config to my /etc/shorewall folder - am I reading this right?
Thanks again man.
What does Shorewall provide that IPTABLES doesn't?
IPTABLES and FAIL2BAN should be MORE than enough protection, and way less overhead to install/config/maintain/run.
Block everything.
Then allow PUBLIC access to your website (80, 443 if needed).
Then allow PUBLIC or LIMITED access to 25 (for your MTA)
Then allow PUBLIC or LIMITED access to whatever port you setup SSH on.
Simple and secure.
Too simple? Then add FAIL2BAN so that anyone that pounds on one of your services gets auto-dropped via an automagically added IPTABLES rule.
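To show what the "auto-dropped via an IPTABLES rule" step actually does, here is an added example (not code from the thread or from fail2ban itself): a small fail2ban-style check in POSIX sh and awk that counts sshd "Failed password" lines per source IP and prints the ban rule for any IP over a threshold. The log lines are constructed sample data, the threshold is an assumption, and the iptables command is printed rather than executed.

```shell
#!/bin/sh
# Added example: fail2ban-style counting of failed SSH logins per source IP.
# Assumption: more than MAXRETRY failures from one IP is treated as an attack.
MAXRETRY=3

# Constructed sample of /var/log/auth.log lines (not real traffic).
sample_log() {
    cat <<'EOF'
Jan 10 15:01:02 lenny sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 15:01:05 lenny sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jan 10 15:01:09 lenny sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 15:01:11 lenny sshd[2215]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jan 10 15:02:30 lenny sshd[2220]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Jan 10 15:03:00 lenny sshd[2222]: Accepted password for bob from 198.51.100.9 port 40101 ssh2
EOF
}

# Read log lines on stdin; print "IP count" for every IP with more than
# MAXRETRY failed logins. The IP is the field after the word "from".
offenders() {
    awk -v max="$MAXRETRY" '
        /sshd.*Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] > max) print ip, fails[ip] }
    '
}

# Emit the iptables rule fail2ban would add for each offender.
# -I puts the DROP at the top of INPUT, ahead of any ACCEPT for port 22.
# Printed, not executed, so the script is safe to run anywhere.
ban_commands() {
    sample_log | offenders | while read -r ip count; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count failures"
    done
}

ban_commands
```

Note the `-I` (insert at top) rather than `-A`: a ban rule appended after the `--dport 22 ... -j ACCEPT` rule would never be reached, which is why fail2ban inserts its own chain at the head of INPUT.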
@theatereleven:
The docs say in Lenny to copy all of the files from user/share/doc/shorewall-common/default-config to my /etc/shorewall folder - am I reading this right?
Thanks again man.
I don't know if you're reading it right; I'm perfectly happy with Arno's firewall.
And no problem… no problem
(Good luck!)
PS. vonskippy… I know you like to state your opinions aggressively… but please… cut it down a bit… I agree, partially - a big package like shorewall doesn't seem necessary. On the other hand, "raw" iptables is quite a bit of manual work, and if you're a newb like me and the OP, it's quite dangerous to mess with.
That's why I'd actually recommend going with arno's, which has been linked above. It's not much more than a nice SIMPLE debconf-configurable frontend to iptables, with really nice throttled logging.
@rsk:
That's why I'd actually recommend going with arno's, which has been linked above. It's not much more than a nice SIMPLE debconf-configurable frontend to iptables, with really nice throttled logging.
I use firehol for that same reason. It's a script that sets up iptables nicely for you.
@glg:
I use firehol for that same reason. It's a script that sets up iptables nicely for you.
I'll throw a second vote in for Firehol. I ended up choosing it when working with some distributions other than Ubuntu (where I had initially just started with ufw), and then started using it on Ubuntu too. I found it among the simplest to configure of the various iptables overlays.
I like that its configuration is a single bash script, so easily commented, you can add logic if you need to, yet for the basics it's a really simple syntax.
– David
based on these comments I'm definitely ditching shorewall and probably will do a lighter setup. I do just need to block the morons on the NET and Fail2Ban sounds cool too.
I'll post details on what I do for any other newbies out there.
% ps axfv | grep fa\il2ban-server
2774 ? Sl 47:07 629 1002 40317 3288 0.6 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
% uptime
15:12:10 up 73 days, 8:58, 4 users, load average: 0.03, 0.03, 0.00
So… 3.2MB of RAM, and 47 minutes CPU time / 73 days… which sums down to about 40s of CPU time per day… ?
For you that are new to Linux or firewalls, here are the steps to get iptables functioning and blocking everything except HTTP, HTTPS and SSH:
1) Make sure iptables is installed - type at a command line (such as putty):
iptables -L
That will show you the current configuration. If this works it is installed.
2) Create a script to setup rules. At a command line again type in:
nano /etc/firewall.sh
(for newbies, nano is one of the text editors you can use in debian)
3) The above will open up a BLANK file as you are creating it brand new. Now type or paste in all of the below:
#!/bin/sh
IPT="/sbin/iptables"
echo -n "Loading iptables rules..."

# Flush old rules
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ICMP rules (these lines were cut off at 80 columns in the post; the
# endings are completed to match the pattern of the other rules)
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
# (rules match top to bottom, so these only see packets the ACCEPT rules
# above did not already take; move them above the ACCEPTs if you want
# them applied to the open ports too)
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules (same ordering note applies)
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

echo "rules loaded."
4) Now give root access to your new file. At the command line type:
chown root /etc/firewall.sh
chmod 700 /etc/firewall.sh
5) Add the new script to your startup. At a command line type in:
nano /etc/network/interfaces
Above the line for your network card (auto eth0) add this line:
pre-up /etc/firewall.sh
6) Reboot your Linode. At a command line stop mysql and then reboot:
/etc/init.d/mysql stop
reboot
7) Type in iptables -L and you should see your new rules! It's that simple... although hunting around online sure doesn't make it seem that way. I got much of this info from
nano /etc/ssh/sshd_config
And you'll see a line to change the port number it listens on. Then you can change the firewall rule and then your client's port number and it will work fine.
iptables-save and iptables-restore
pre-up iptables-restore /etc/firewall.rules
Then, seed it by running iptables-save once.
Once you have this set up, any rules you manipulate in memory will be saved and restored when the interface changes state or you reboot.
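The three pieces discussed in this thread (vonskippy's "block everything, then open 80/443/SSH" policy, theatereleven's step-by-step script, and the iptables-save/iptables-restore approach just above) fit together in one file. Here is an added example, not code from the thread or from any of the firewall packages mentioned: a POSIX sh script that generates the ruleset in iptables-save format, so it can be loaded atomically with iptables-restore from a pre-up line instead of running a script of individual iptables calls. The port list, the output path and the rate limits are assumptions; it differs from the script in the thread in that the sanity-check DROP rules come before the ACCEPT rules, so they actually see the packets.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Debian web host.
# Assumptions: public TCP services default to 22 80 443; the output file
# defaults to /etc/firewall.rules. Nothing here touches the live firewall.

# Print the *filter table. $1 = space-separated TCP ports to open to everyone.
build_ruleset() {
    ports=${1:-"22 80 443"}
    echo '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Sanity checks go BEFORE any ACCEPT so they apply to every packet:
    # loopback spoofing, Xmas/null flag combinations, SYN+FIN, SYN+RST,
    # and "new" TCP segments that are not a SYN.
    echo '-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP'
    echo '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    echo '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    echo '-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP'
    echo '-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    # Replies to connections this host opened, and ongoing accepted ones.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Rate-limited ping keeps the host diagnosable without making it a reflector.
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # One ACCEPT per public service port.
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log a throttled sample of what the policy drops, so the log cannot be flooded.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
    echo 'COMMIT'
}

# Write the ruleset to $1 (default /etc/firewall.rules) with ports $2,
# make it root-only, and print the number of ACCEPT rules as a sanity check.
write_ruleset() {
    out=${1:-/etc/firewall.rules}
    build_ruleset "$2" > "$out"
    chmod 600 "$out"
    grep -c -- '-j ACCEPT' "$out"
}

# Run stand-alone: print the ruleset so it can be redirected to a file.
build_ruleset "$@"
```

Load it with `iptables-restore < /etc/firewall.rules` (the redirect form works on every iptables version; newer ones also accept the path as an argument as in the pre-up line above), and check the result with `iptables -L -n -v`. Do that once interactively before putting it in /etc/network/interfaces: a ruleset that omits your SSH port locks you out of a remote Linode until you reach it through the out-of-band console, and because iptables-restore replaces the whole table in one step there is no half-loaded state to fall back on.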