Someone to check my iptables File (Ubuntu 10.4)
In short: I want to be sure I got it right this time. If someone would be kind enough to take a look at them and correct any errors, I'd really appreciate it.
I use Ubuntu 10.4
> *filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 6969 -j ACCEPT
# Whitelist CloudFlare Service IP Ranges
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
5 Replies
> *filter
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Whitelist CloudFlare Service IP Ranges
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT
I don't see anything wrong per se, but if you check the counters for the rules, you'll find out the first rule will match before the CloudFlare rules.
–
Travis
Can you please explain to me what the counters are that you mean?
Did you mean that I should move the CloudFlare acceptances before the port 80 and port 443? Or did you mean that they should be moved before this line:
> # cloudflare here
the other rules
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
Sorry for being such a newbie
I'm no IPTABLES whiz, but I believe it's a first-match-wins type system. The first rule that matches for a given packet is used and halts evaluation of any further rules.
@Genjin:
Can you please explain to me what the counters are that you mean?
If you execute 'iptables -vnL' you will see the counters for each iptables rule. You'll be able to see how many packets/bytes are being matched by your rules.
@Genjin:
Sorry for being such a newbie :)
Don't be, that is how we all learn, by asking questions.
Each packet is evaluated from top to bottom by your iptables rules. Thus the order of the rules is important. As Guspaz noted, first rule match wins.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
It is unnecessary to have the firewall evaluate all traffic hitting your linode for your cloudflare rules when the above rule will allow all http port 80 traffic to be accepted (first rule matched wins). Thus you should remove the cloudflare rules as they will not have any matches. If you want to reject/drop all http port 80 traffic except for traffic from cloudflare, then what you have won't accomplish that.
–
Travis
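Added illustration for the two points Travis makes above (counters show which rule fires, and the broad port-80 rule shadows the CloudFlare rules): a small Python first-match-wins simulator. It is not code from anyone in this thread or from iptables itself. It understands only the matches the thread's rules use (-i, -p, --dport, -m iprange --src-range) and the ACCEPT/REJECT/LOG targets, ignoring everything else on a line. The RESTRICTED_RULES ordering, the server address 203.0.113.10 and the client addresses 199.27.130.5 (inside one of the thread's CloudFlare ranges) and 198.51.100.7 (outside them) are constructed for the example.

```python
"""First-match-wins simulator for an iptables INPUT chain. Added illustration,
not code from this thread or from iptables: it understands only the matches
the thread uses (-i, -p, --dport, -m iprange --src-range) and ACCEPT/REJECT/LOG;
anything else on a line is ignored."""
import ipaddress
import shlex

# Ordering from the original post: the broad port-80 ACCEPT precedes the
# CloudFlare range rules (two of the ranges kept for brevity).
ORIGINAL_RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed alternative: no broad port-80 ACCEPT, so only the CloudFlare
# ranges reach port 80 and every other port-80 source falls through to REJECT.
RESTRICTED_RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""


def parse_rule(line):
    """Reduce one '-A INPUT ...' line to its match conditions and target."""
    toks = shlex.split(line)
    rule = {"text": line.strip()}
    for t, arg in zip(toks, toks[1:]):  # each option paired with its argument
        if t == "-i":
            rule["in_iface"] = arg
        elif t == "-p":
            rule["proto"] = arg
        elif t == "--dport":
            rule["dport"] = int(arg)
        elif t == "--src-range":
            lo, hi = arg.split("-")
            rule["src_range"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t == "-j":
            rule["target"] = arg
    return rule


def matches(rule, pkt):
    """True if every condition the rule carries holds for the packet."""
    if rule.get("in_iface", pkt["iface"]) != pkt["iface"]:
        return False
    if rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if rule.get("dport", pkt["dport"]) != pkt["dport"]:
        return False
    if "src_range" in rule:
        lo, hi = rule["src_range"]
        if not lo <= ipaddress.ip_address(pkt["src"]) <= hi:
            return False
    return True


def evaluate(rule_text, packets):
    """Walk the chain top to bottom per packet; the first terminating match decides.
    Returns (verdicts, [(rule text, packets matched)]) like the pkts column of 'iptables -vnL'."""
    rules = [parse_rule(l) for l in rule_text.strip().splitlines()]
    hits = [0] * len(rules)
    verdicts = []
    for pkt in packets:
        verdict = "ACCEPT"  # the thread's chain policy is ACCEPT
        for idx, rule in enumerate(rules):
            if matches(rule, pkt):
                hits[idx] += 1
                if rule["target"] != "LOG":  # LOG is non-terminating
                    verdict = rule["target"]
                    break
        verdicts.append(verdict)
    return verdicts, [(r["text"], n) for r, n in zip(rules, hits)]


def new_tcp(src, dport):
    """Constructed inbound TCP SYN on eth0 to a made-up server address."""
    return {"src": src, "dst": "203.0.113.10", "proto": "tcp", "dport": dport, "iface": "eth0"}


# Constructed traffic: one client inside a CloudFlare range, one outside.
SAMPLE_PACKETS = [new_tcp("199.27.130.5", 80), new_tcp("198.51.100.7", 80),
                  new_tcp("198.51.100.7", 443), new_tcp("198.51.100.7", 22)]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("restricted", RESTRICTED_RULES)):
        verdicts, counters = evaluate(text, SAMPLE_PACKETS)
        print(f"{name}: {verdicts}")
        for rule, n in counters:
            print(f"  {n:>4}  {rule}")
```

With the original ordering both port-80 packets are accepted by the broad rule and the two CloudFlare rules keep a count of zero, which is exactly what a real `iptables -vnL` would show. With the restricted ordering the CloudFlare client is still accepted, the other client's port-80 packet is logged and rejected, and port 443 is unaffected.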
I hope it really is more or less secure. When I googled around on that topic I saw iptables that were at least 2-3 pages long - it's scary. That makes me respect trained security experts even more.
So thank you two again for taking a look and helping me out. I am glad that the Linode Community is so friendly and helpful.