firewall setup
I am trying to install CentOS and understand that the tutorials were written primarily for Debian/Ubuntu. I've tried my best to find the equivalent instructions on the interwebs for this step but have not been successful. Anyway, the problem I'm having is in Step 12 of "Securing Your Server". When I try to create a script so that firewall rules start up automatically each time using this command:
sudo nano /etc/network/if-pre-up.d/firewall
nano does fire up, but then I can't save the file. There also doesn't appear to be that path under /etc. I read elsewhere that doing this isn't necessary under CentOS, but when I restart the node, alas, my firewall rules disappear, so evidently I do need this or something like it.
Should I just create the path and save the file? If anyone has any suggestions I'd very much appreciate it.
7 Replies
You don't need a script - it's all handled by CentOS and IPTABLES.
I do appreciate the link which looks like exactly what I need - thanks very much! That being said, I'm beginning to wonder if it's worthwhile to go down this road (as compared to easy peasy shared hosting…).
If you're a sysadmin or developer (or a wannabe sysadmin or developer) then a VPS offers many options.
If you just need a place to plop your website, and don't need the low level control of doing it "all" yourself, then shared hosting is a good option.
Time is always short, so focus on what's important.
On another note (and this isn't necessarily directed only to you vonskippy) I tried to implement the link that was referenced above. I didn't have a default iptables - looked like it was blank, so I just created one based on the info on that page, with the changes it suggested (excluding a few toward the end - specifically: (1) only allow SSH traffic from 192.168.1.0/24; (2) Enable Printing Access For 192.168.1.0/24; and (3) Allow Legitimate NTP Clients to Access the Server). So the file ends up looking like this:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 168.254.0.0/16 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 248.0.0.0/5 -j LOG --log-prefix "IP DROP "
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
COMMIT
But when I try restarting the firewall with this:
sudo service iptables restart
I get this:
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore: line 35 failed
[FAILED]
The OKs are in green and the FAILEDs are in red.
And perhaps stating the obvious, but then when I run
sudo iptables -vnL --line-numbers
I get a blank set of rules - namely this:
Chain INPUT (policy ACCEPT 164 packets, 12424 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 178 packets, 41344 bytes)
num pkts bytes target prot opt in out source destination
Ugh. Any suggestions or advice would be most appreciated.
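Below is a corrected version of that file, added here as an example (it is not the poster's file or the linked tutorial's); it assumes the same eth0 public interface and the same services as the posted rules. The comments mark what changed: the `-m udp -p tcp` mismatch on the second port-53 rule, the anti-spoofing rules that sat after the jump into RH-Firewall-1-INPUT and only logged, and the service ACCEPT rules that were appended after the chain's final DROP and so could never match.

```conf
# /etc/sysconfig/iptables (added example; assumes eth0 is the public interface)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]

# Bogon/anti-spoofing checks: evaluated BEFORE the jump into the custom chain,
# and each LOG is followed by a DROP (LOG alone never stops a packet).
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP LINKLOCAL "
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP RESERVED "
-A INPUT -i eth0 -s 240.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

# Everything else goes through the custom chain (mDNS rule omitted: not needed on a public VPS).
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Service rules must come BEFORE the final LOG/DROP pair, or they are never reached.
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# Keep 25 and 21 only if this host really runs a mail server / FTP server.
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# UDP DNS: protocol and match module now agree (the posted file had -m udp -p tcp).
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT

# Rate-limit the catch-all log so a flood cannot fill /var/log/messages.
-A RH-Firewall-1-INPUT -m limit --limit 5/min -j LOG --log-prefix "IP DROP "
-A RH-Firewall-1-INPUT -j DROP
COMMIT
```

Test it with `iptables-restore --test < /etc/sysconfig/iptables` (or `iptables-restore -t` on older releases) before `service iptables restart`, and keep an SSH session open while you do so in case a rule locks you out.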
@dma0:
Hey thanks vonskippy. It's primarily for my crappy little blog. I currently use shared hosting but haven't been happy with performance, so I'm looking into some alternatives. That being said, I am to some extent a wannabe - oddly enough despite the headaches I like looking under the hood a bit. Just not sure if it might just be too much. Will give it some further thought.

I can sympathize with the decision to go from shared to VPS, dma0. I mostly had some static content/PHP form sites, and was starting to dabble more with MediaWiki. Ultimately, the ability to have a finer control over lower level configuration options for the performance of the wiki appealed to me, as well as the greater performance. But I have to say that it's definitely been more work to learn & administrate my own server, and there's always the fear in the back of my head that things may some day break, and it'll be up to me to fix the whole thing. Speaking to some other people who aren't professional developers, it's generally nice to just get things going in a stable way, do security updates, but otherwise don't mess around too much once things are working well so you can focus on content, rather than backend.
I found this great link for CentOS