firewall setup

Apologies in advance as I'm a bit of a noob. Anyway, just working my way through the tutorial and got stuck on the "Securing Your Server".

I am trying to install CentOS and understand that the tutorials were written primarily for Debian/Ubuntu. I've tried my best to find the equivalent instructions on the interwebs for this step but have not been successful. Anyway, the problem I'm having is in Step 12 of "Securing Your Server". When I try to create a script so that firewall rules start up automatically each time using this command:

sudo nano /etc/network/if-pre-up.d/firewall

nano does fire up, but then I can't save the file. There also doesn't appear to be that path under /etc. I read elsewhere that doing this isn't necessary under CentOS, but when I restart the node, alas, my firewall rules disappear, so evidently I do need this or something like it.

Should I just create the path and save the file? If anyone has any suggestions I'd very much appreciate it.

7 Replies

You are way way way off base.

You don't need a script - it's all handled by CentOS and IPTABLES.

http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/

Yes, unfortunately it seems I am quite a way off base. I frankly didn't know better and I'm following a tutorial that doesn't seem to work for CentOS. It's quite unfortunate because the first part of the tutorial did deal with differences between Ubuntu and CentOS and that sort of quietly fell away.

I do appreciate the link which looks like exactly what I need - thanks very much! That being said, I'm beginning to wonder if it's worth while to go down this road (as compared to easy peasy shared hosting…).

What are you trying to accomplish with your VPS?

If you're a sysadmin or developer (or a wannabe sysadmin or developer) then a VPS offers many options.

If you just need a place to plop your website, and don't need the low level control of doing it "all" yourself, then shared hosting is a good option.

Time is always short, so focus on what's important.

Hey thanks vonskippy. It's primarily for my crappy little blog. I currently use shared hosting but haven't been happy with performance, so I'm looking into some alternatives. That being said, I am to some extent a wannabe - oddly enough despite the headaches I like looking under the hood a bit. Just not sure if it might just be too much. Will give it some further thought.

On another note (and this isn't necessarily directed only to you vonskippy) I tried to implement the link that was referenced above. I didn't have a default iptables - looked like it was blank, so I just created one based on the info on that page, with the changes it suggested (excluding a few toward the end - specifically: (1) only allow SSH traffic from 192.168.1.0/24; (2) Enable Printing Access For 192.168.1.0/24; and (3) Allow Legitimate NTP Clients to Access the Server). So the file ends up looking like this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -s 169.254.0.0/16  -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 0.0.0.0/8  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s  240.0.0.0/4  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s  255.255.255.255/32  -j LOG --log-prefix "IP DROP  "
-A INPUT -i eth0 -s 168.254.0.0/16  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 248.0.0.0/5  -j LOG --log-prefix "IP DROP "
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
COMMIT

But when I try restarting the firewall with this:

sudo service iptables restart

I get this:

iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore: line 35 failed
                                                           [FAILED]

The OKs are in green and the FAILEDs are in red.

And perhaps stating the obvious, but then when I run

sudo iptables -vnL --line-numbers

I get a blank set of rules - namely this:

Chain INPUT (policy ACCEPT 164 packets, 12424 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 178 packets, 41344 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Ugh. Any suggestions or advice would be most appreciated.
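The post above never gets a diagnosis in the thread, so here is one, with an added example that is not from the thread or from either linked tutorial. Two things are wrong with the posted file. First, `-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53` loads the udp match on a tcp rule; the kernel rejects that, and because iptables-restore hands the whole table to the kernel only at COMMIT, the error is reported against the COMMIT line (line 35 of the file), not the offending line. Second, even with that fixed, every rule appended after `-A RH-Firewall-1-INPUT -j DROP` can never match, and the `-A INPUT ... -j LOG` spoof rules can never run either, because INPUT jumps unconditionally into a chain that ends in DROP: ports 80, 443, 25 and 21 would stay closed and nothing would be logged. The script below lints an iptables-restore file for exactly those two defects with nothing but sh and awk, so it can be run before touching the kernel, and writes a corrected ruleset for an SSH/web host. The chain name SPOOF, the file names and the sample files are my own constructions; the bad sample is an excerpt carrying the posted file's defects.

```shell
#!/bin/sh
# Added example, not the thread's own code: lint an iptables-restore file for
# (1) a rule that can never match because its chain, or the chain it
# unconditionally jumps to, already ended in DROP/ACCEPT/REJECT and
# (2) "-m tcp|udp" contradicting "-p". Needs only sh and awk. Chain name
# SPOOF and the file names are assumptions; both sample files are constructed.

# lint_rules FILE: print each finding with its line number; return 1 if any.
lint_rules() {
    awk '
    BEGIN { bad = 0 }
    /^[*]/ || /^COMMIT/ { split("", closed); split("", jumps); next }
    /^-A / {
        chain = $2
        if ((chain in closed) || ((chain in jumps) && (jumps[chain] in closed))) {
            printf "line %d: unreachable, %s already terminates: %s\n", NR, chain, $0
            bad = 1
        }
        proto = ""; mod = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-m" && ($(i + 1) == "tcp" || $(i + 1) == "udp")) mod = $(i + 1)
        }
        if (mod != "" && proto != "" && mod != proto) {
            printf "line %d: -m %s contradicts -p %s (kernel rejects it at COMMIT): %s\n", NR, mod, proto, $0
            bad = 1
        }
        # "-A CHAIN -j TARGET" with no match is unconditional: terminal, or a jump
        if (NF == 4 && $3 == "-j") {
            if ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT") closed[chain] = $4
            else jumps[chain] = $4
        }
    }
    END { exit bad }' "$1"
}

# write_samples DIR: bad.rules is a constructed excerpt with the posted file's
# defects; good.rules is the corrected ruleset (SSH, HTTP, HTTPS only).
write_samples() {
    cat > "$1/bad.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
    cat > "$1/good.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:SPOOF - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# SPOOF logs and then drops; the original's spoof rules only logged, and never ran
-A SPOOF -j LOG --log-prefix "IP DROP SPOOF "
-A SPOOF -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -s 10.0.0.0/8 -j SPOOF
-A RH-Firewall-1-INPUT -i eth0 -s 172.16.0.0/12 -j SPOOF
-A RH-Firewall-1-INPUT -i eth0 -s 192.168.0.0/16 -j SPOOF
-A RH-Firewall-1-INPUT -i eth0 -s 169.254.0.0/16 -j SPOOF
-A RH-Firewall-1-INPUT -i eth0 -s 224.0.0.0/4 -j SPOOF
-A RH-Firewall-1-INPUT -i eth0 -s 240.0.0.0/4 -j SPOOF
-A RH-Firewall-1-INPUT -i eth0 -d 127.0.0.0/8 -j SPOOF
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
# service ACCEPTs go BEFORE the final LOG/DROP; add 25/53/21 in this form only if that daemon runs
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG --log-prefix "IP DROP INPUT "
-A RH-Firewall-1-INPUT -j DROP
COMMIT
EOF
}

# Demo: lint both constructed files.
d=$(mktemp -d)
write_samples "$d"
echo "== bad.rules";  lint_rules "$d/bad.rules"  || echo "(defects found, as expected)"
echo "== good.rules"; lint_rules "$d/good.rules" && echo "(clean)"
rm -rf "$d"
```

This also answers the first post's persistence question for CentOS 6, where there is no /etc/network/if-pre-up.d: once good.rules passes the lint, load it with `iptables-restore < good.rules` (from a session you can still reach, with a second SSH session open as a safety net), confirm with `iptables -vnL`, then `service iptables save` writes the live rules to /etc/sysconfig/iptables and `chkconfig iptables on` makes the iptables service reload them at boot. One caveat on the SPOOF lines: they come from the linked tutorial's assumption that RFC 1918 space never arrives on eth0; if your VPS provider puts private networking on the same interface, remove the matching line or move it onto the public interface only.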

@dma0:

> Hey thanks vonskippy. It's primarily for my crappy little blog. I currently use shared hosting but haven't been happy with performance, so I'm looking into some alternatives. That being said, I am to some extent a wannabe - oddly enough despite the headaches I like looking under the hood a bit. Just not sure if it might just be too much. Will give it some further thought.

I can sympathize with the decision to go from shared to VPS, dma0. I mostly had some static content/PHP form sites, and was starting to dabble more with MediaWiki. Ultimately, the ability to have a finer control over lower level configuration options for the performance of the wiki appealed to me, as well as the greater performance. But I have to say that it's definitely been more work to learn & administrate my own server, and there's always the fear in the back of my head that things may some day break, and it'll be up to me to fix the whole thing. Speaking to some other people who aren't professional developers, it's generally nice to just get things going in a stable way, do security updates, but otherwise don't mess around too much once things are working well so you can focus on content, rather than backend.

Thanks for the guidance yaz. I have yet to achieve a stable install but will take your advice to heart when (and if) I do.

I know this is an old posting.

I found this great link for CentOS: https://www.digitalocean.com/community/articles/how-to-setup-a-basic-iptables-configuration-on-centos-6
