Firewall for Debian 5/Drupal - recommendations?

I've just set up a new Linode running Debian 5/Drupal 6.x.

Is the Linode "Basic Firewall for Debian Lenny" a good one to use? Are Linodes all wide open on the public IP? If so, I've got to get something up ASAP.

Any recommendations would be awesome! I promise to post what I end up doing and any issues. THANKS.

http://library.linode.com/networking/security-guides/arno-iptables-firewall-debian-lenny

18 Replies

@theatereleven:

Any recommendations would be awesome!
Shorewall

Cool thanks!

So are linodes really wide open on the public IP? Is there any NAT going on or anything?

There isn't even a screen door on the hatch of the ol' networking submarine, much less something as debilitating as NAT. That's what an Internet connection is… a connection to the Internet. :-)

@theatereleven:

So are linodes really wide open on the public IP? Is there any NAT going on or anything?
There's some port filtering at the Atlanta data center (done by the provider, not by Linode) and Linode does some filtering in the network layer (OSI 3) to stop wayward or malicious Linodes from seeing/sending traffic to/from IPs that they don't own.

Tried to set up Shorewall, but the documentation doesn't match up. There is supposed to be an /etc/shorewall directory and I have none.

Removed shorewall by typing:

apt-get remove --purge shorewall-common

Then I rebooted and typed:

apt-get install shorewall-common shorewall-shell

And now /sbin/shorewall version -a says 4.0.15

BUT I then look for configuration files in /etc/shorewall, and there isn't even a shorewall directory. ARGH. so frustrating. Anyone else run into this on Debian?

shorewall should pull in shorewall-shell, which should pull in shorewall-common. That last one comes with, among other files,

/etc/shorewall/Makefile

/etc/shorewall/shorewall.conf

http://packages.debian.org/lenny/all/shorewall-common/filelist

So, if it isn't the case for you, something's seriously screwed >.>

Just noticed that if I look in WinSCP I see a Shorewall folder under /etc but with Putty, it says that the directory does not exist.

A directory listing in Putty shows it, so I just tried going to the directory again and it is working. I must have been using the CD command like in DOS as opposed to Linux.

THANKS!

The docs say in Lenny to copy all of the files from /usr/share/doc/shorewall-common/default-config to my /etc/shorewall folder - am I reading this right?

Thanks again man.

Seems like an overkill for just one LAMP box.

What does Shorewall provide that IPTABLES doesn't?

IPTABLES and FAIL2BAN should be more than enough protection, and way less overhead to install/config/maintain/run.

Block everything.

Then allow PUBLIC access to your website (80, 443 if needed).

Then allow PUBLIC or LIMITED access to 25 (for your MTA)

Then allow PUBLIC or LIMITED access to whatever port you setup SSH on.

Simple and secure.

Too simple? Then add FAIL2BAN so that anyone that pounds on one of your services gets auto-dropped via an automagically added IPTABLES rule.

@theatereleven:

The docs say in Lenny to copy all of the files from /usr/share/doc/shorewall-common/default-config to my /etc/shorewall folder - am I reading this right?

Thanks again man.

I don't know if you're reading it right, I'm perfectly happy with Arno's firewall. ;) But I wouldn't be surprised if they were saying something in style of "The debian default is to (block|allow) everything. To get a config like when you install shorewall from source, copy the default-config files to /etc.". Just read them until they make sense…

And no problem… no problem

(Good luck!)

PS. vonskippy… I know you like to state your opinions aggressively… but please… cut it down a bit… I agree, partially - a big package like shorewall doesn't seem necessary. On the other hand, "raw" iptables is quite a bit of manual work, and if you're a newb like me and the OP, it's quite dangerous to mess with.

That's why I'd actually recommend going with arno's, which has been linked above. It's not much more than a nice SIMPLE debconf-configurable frontend to iptables, with really nice throttled logging.

@rsk:

That's why I'd actually recommend going with arno's, which has been linked above. It's not much more than a nice SIMPLE debconf-configurable frontend to iptables, with really nice throttled logging.

I use firehol for that same reason. It's a script that sets up iptables nicely for you.

What about csf firewall? Any comments on this?

@glg:

I use firehol for that same reason. It's a script that sets up iptables nicely for you.
I'll throw a second vote in for Firehol. I ended up choosing it when working with some distributions other than Ubuntu (where I had initially just started with ufw), and then started using it on Ubuntu too. I found it among the simplest to configure of the various iptables overlays.

I like that its configuration is a single bash script, so it's easily commented, you can add logic if you need to, yet for the basics it's a really simple syntax.

– David

rsk and others - thanks for the feedback.

based on these comments I'm definitely ditching shorewall and probably will do a lighter setup. I do just need to block the morons on the NET and Fail2Ban sounds cool too.

I'll post details on what I do for any other newbies out there.

fail2ban and lighter setup don't mix. I dropped it due to its resource consumption.

what do you mean lighter? is Fail2Ban the resource hog? What are we talking with that?

````
% ps axfv | grep fa\il2ban-server
2774 ? Sl 47:07 629 1002 40317 3288 0.6 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
% uptime
15:12:10 up 73 days, 8:58, 4 users, load average: 0.03, 0.03, 0.00

````

So… 3.2MB of RAM, and 47 minutes CPU time / 73 days… which sums down to about 40s of CPU time per day… ?

After everyone's helpful comments I decided there was no reason for me to add complexity to Debian with shorewall or any of the rest of them.

For you that are new to Linux or firewalls, here are the steps to get iptables functioning and blocking everything except HTTP, HTTPS and SSH:

1) Make sure iptables is installed - type at a command line (such as putty):

iptables -L

That will show you the current configuration. If this works it is installed.

2) Create a script to setup rules. At a command line again type in:

nano /etc/firewall.sh

(for newbies, nano is one of the text editors you can use in debian)

3) The above will open up a BLANK file as you are creating it brand new. Now type or paste in all of the below:

````
#!/bin/sh
# /etc/firewall.sh - block everything inbound except HTTP, HTTPS and SSH.
# Lines that were cut off at the terminal edge in the original post ("...$")
# have been completed to the obvious rule, and the DROP rules for bogus
# packets are placed before the ACCEPT rules; after them they never match.

IPT="/sbin/iptables"

printf 'Loading iptables rules...'

# Flush old rules
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules: nothing arriving from the wire may claim our own
# address (replace 200.200.200.200 with the Linode's public IP), a private
# range, or loopback
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP rules: rate-limited ping, plus the error types needed for path MTU
# discovery and traceroute to keep working
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH (if you move the port, change it here and in /etc/ssh/sshd_config)
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP and HTTPS
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo "rules loaded."
````

4) Now give root access to your new file. At the command line type:

chown root /etc/firewall.sh

chmod 700 /etc/firewall.sh

5) Add the new script to your startup. At a command line type in:

nano /etc/network/interfaces

Above the line for your network card (auto eth0) add this line:

pre-up /etc/firewall.sh

6) Reboot your Linode. At a command line stop mysql and then reboot:

/etc/init.d/mysql stop

reboot

7) Type in iptables -L and you should see your new rules! It's that simple... although hunting around online sure doesn't make it seem that way. I got much of this info from http://www.debiantutorials.com/loading-iptables-rules-on-startup/.

8) Additional note: for those of you that want to change the port for SSH, you can't just change the line above that references it, you have to tell the SSH server in Debian to listen on a different port as well. This almost burned me. Just type in:

nano /etc/ssh/sshd_config

And you'll see a line to change the port number it listens on. Then you can change the firewall rule and then your client's port number and it will work fine.

Another (preferred) way is to use iptables-save and iptables-restore.

pre-up iptables-restore /etc/firewall.rules

Then, seed it by running iptables-save once.

Once you have this set up, any rules you manipulate in memory will be saved and restored when the interface changes state or you reboot.
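The ruleset from the how-to above and the iptables-save/iptables-restore approach from the last reply, as one added example (this is not code from the thread): a POSIX shell script that writes the "block everything except HTTP, HTTPS and SSH" policy directly in iptables-restore format, with the scan and spoof DROP rules ahead of the ACCEPTs so they actually get a chance to match, and an audit function that reads an iptables-save dump and checks that the INPUT policy is DROP and that no TCP port beyond the expected ones is accepted. The SSH port parameter, the documentation address 203.0.113.10 standing in for the Linode's own IP, the file name /etc/firewall.rules and the sample bad dump are assumptions constructed for the example. Everything here only produces and inspects text, so it runs without root; loading the rules is the one root step.

```shell
#!/bin/sh
# Added example, not from the thread: emit the "block everything except
# HTTP, HTTPS and SSH" policy in iptables-restore format and audit a dump.
# Assumptions: SSH port and own IP are parameters (defaults 22 and the
# documentation address 203.0.113.10); output goes wherever you redirect
# it, e.g. the /etc/firewall.rules used in the reply above.

# gen_rules SSH_PORT OWN_IP -> iptables-restore ruleset on stdout.
# The DROP rules for bogus packets come before every ACCEPT; in the how-to
# script they followed the ACCEPTs, where a SYN to port 80 never reaches them.
gen_rules() {
    ssh_port=${1:-22}
    own_ip=${2:-203.0.113.10}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s ${own_ip} -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# audit_dump PORT... : read an iptables-save dump on stdin; return 0 only if
# the INPUT policy is DROP and every TCP --dport accepted on INPUT is one of
# the PORTs given. Run it against "iptables-save" after loading to see what
# the kernel actually holds, not what you think you wrote.
audit_dump() {
    allowed=" $* "
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "audit: INPUT policy is not DROP"
        return 1
    fi
    for p in $(printf '%s\n' "$dump" |
               sed -n 's/^-A INPUT .*--dport \([0-9][0-9]*\) .*-j ACCEPT$/\1/p'); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "audit: unexpected open TCP port $p"; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample of a mis-applied ruleset: policy left at ACCEPT and
# MySQL reachable from the Internet.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 3306 -j ACCEPT
COMMIT'

gen_rules 22 203.0.113.10 | audit_dump 22 80 443 && echo "generated ruleset passes audit"
printf '%s\n' "$BAD_DUMP" | audit_dump 22 80 443 || echo "sample bad dump rejected"
```

To use it for real: `gen_rules 22 <your public IP> > /etc/firewall.rules`, load with `iptables-restore < /etc/firewall.rules`, then `iptables-save | audit_dump 22 80 443` to confirm the loaded state. If you move SSH, pass the new port to gen_rules and change `Port` in /etc/ssh/sshd_config before reconnecting. Note that `pre-up` is an option of the `iface` stanza in /etc/network/interfaces (see interfaces(5)), so the `pre-up iptables-restore ...` line belongs indented under `iface eth0 inet ...`.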
