iptables question

My Linode was recently hacked into. I'd like to lock down all my unused ports and then only open access to those I need.

In the firewall guides there is a description of how to do this. If I understand the iptables commands they first drop everything, then open those that are needed. I want to type these command manually to check them out first. My question is if I'm on an ssh session and I drop everything, how can I continue to implement the rest of my table?

Thanks in advance for your help.

bob

6 Replies

Use Lish to connect to your Linode's console instead of using SSH to connect to your Linode.

IPTABLES rules are processed top down.

If your first rule is DROP EVERYTHING - that's the ONLY rule that will ever be applied.

I was planning to use a variation of the commands listed in the iptables Linode document as below:

====== begin snip from iptables Linode document ====

Block All Traffic and Allow Traffic on Specific Ports Link

One common approach to firewall architecture involves blocking all traffic to the system by default and then allowing traffic on specific ports. Consider the following sequence of commands:

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -A INPUT -p tcp -m multiport –destination-ports 22,25,53,80,433,465,5222,5269,5280,8999:9003 -j ACCEPT

iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

====== end quote =======

If I'm manually entering these on a terminal session do I need to enter them in reverse order?

Thanks again for your help.

bob

@icanbob:

If I'm manually entering these on a terminal session do I need to enter them in reverse order?
No, that would probably not give you the results you're looking for.

Best to just type in the script, and run it all at once.

Better yet - google around for a few iptables tutorials and use those to parse what the scripts you're looking at actually does - that way instead of blinding following something that is suppose to secure your box, you'll actually know what it's doing.

Like most sysadmin stuff - the basics of iptables is not all that hard to grasp - it just takes a bit of reading (and of course it won't hurt to setup a local VM and play around with it in a sandbox safe environment).

What distro are you using? If Ubuntu, I'd suggest looking into ufw.

Then you would just create a rule to allow ssh before enabling ufw.

@icanbob:

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -A INPUT -p tcp -m multiport –destination-ports 22,25,53,80,433,465,5222,5269,5280,8999:9003 -j ACCEPT

iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Bob, based on the above, the rule for OUTPUT is not necessary, unless you omitted setting the policy for OUTPUT to DROP. I would suggest adding a rule to allow traffic on the local interface.

Travis

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct