[Tut] Linux Iptables
Ok so I am writing this because I am tired of having to look at 40 different posts to get the info I want. Also to clear up what the commands are and what they do.

Notes: I am using Debian 5 x64 for my examples; these commands should work on any Linux install that is using netfilter, aka iptables.

FAQ:
Q: What is iptables?
A: Iptables is the interface used by administrators to interact with Netfilter modules. In other words, it is the program you use to configure the built-in firewall.
Q: I keep getting "iptables: command not found" or "access denied"
A: You are not root.
Q: It does not work
A: Not really a question. Yes, this does work; if you are having problems check your IP/ports and type iptables -L to see all your rules.
Q: XYZ plugin is not working after I configure iptables
A: The only plugins that can be affected by this are ones that use sockets or require external information, like GameME or HLXstats. Make sure to add your log_serveraddress port to the allowed connections, and any other ports required. (I will post more info as I get the needed info, i.e. what ports gameME uses.)
Q: When I copied the commands they did not work
A: I am making this tut so you can set up your own rules; I am not doing it for you. If you do not understand, please ask; do not say they do not work.
Q: How do I set this up on a shared host, i.e. rented servers?
A: You can not. You have to have root access; if you have a VPS or dedicated server you should be good to go.
Note: If you are running an Ubuntu server you can use UFW.

Let's get started: First off, let's get a list of ports that we need to allow traffic on and what protocol they use.

FTP - 21 (Really, FTP guys....)
SSH - 22
MySql - 3306
Steam Friends Service - UDP 1200
Steam Main UDP - UDP 27000
Steam Main TCP - TCP 27020-27039
Steam CyberCafe - TCP 27040-27041
Steam Dedicated Server HLDS, SRCDS - UDP 27015
Steam Dedicated Server HLTV - UDP 27020
Steam SRCDS Rcon - TCP 27015

Now that we have our list of ports we can make the rules/chains the firewall will use to allow or drop traffic. To start out we are going to clear all our old rules and recreate the default chains.
Code:
iptables -F

-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

Now we are going to allow all our needed traffic.
Code:
# Accept anything from localhost

-A = Append one or more rules to the end of the selected chain. AKA adds the rule to the chain
-p = Protocol: tcp, udp, icmp, or all
--dport = destination port :)
--jump = Tells the firewall what to do if the packet matches the rule

Now that is all great for a basic firewall, but that does not help much with the DoS attack that still affects srcds... To stop that we can use iptables in combination with another program called fail2ban. Fail2ban (pronounced "Fail 2 Ban") reads logs and takes actions based on what it finds.

First we have to install it:
Code:
apt-get install fail2ban

Create a file called srcdsdos.conf
Code:
nano /etc/fail2ban/filter.d/srcdsdos.conf

Code:
[Definition]

Code:
[srcdsdos]

Code:
/etc/init.d/fail2ban restart

Code:
# Creation channel rejection flood udp 28

These are just some of the things you can do with iptables. For more info read the man pages here: http://linux.die.net/man/8/iptables

Credits:
http://linux.die.net/man/8/iptables - For a detailed explanation of the commands
https://forums.alliedmods.net/member.php?u=51244 - For his fail2ban rules
http://en.wikipedia.org/wiki/Iptables - For the explanation of iptables |
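The post's firewall procedure (flush, set chain policies, accept localhost, then one ACCEPT per entry in the port list) carried through as a complete script. This is an added example, not the tutorial author's ruleset: the port table is taken from the post, while the conntrack ESTABLISHED/RELATED rule and the `-m recent` limit of 4 new SSH connections per source per 60 seconds are my additions (assumed values, pick your own). By default the script only prints the commands it would run; pass --apply as root to execute them.

```shell
#!/bin/sh
# Added example: build the allow-list from the port table in the post.
# Prints the iptables commands unless --apply is given (then runs them, needs root).
# Port list comes from the post; the SSH rate-limit values are assumptions.

# run_rule: execute iptables when APPLY=1, otherwise echo the command line.
run_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Port table from the post: "proto port" or "proto first:last", one per line.
PORT_TABLE="
tcp 21
tcp 22
tcp 3306
udp 1200
udp 27000
tcp 27020:27039
tcp 27040:27041
udp 27015
udp 27020
tcp 27015
"

# build_rules: flush everything, default-deny inbound, allow loopback and
# replies to our own connections, rate-limit new SSH sessions, then accept
# each port from the table.
build_rules() {
    run_rule -F
    run_rule -X
    run_rule -P INPUT DROP
    run_rule -P FORWARD DROP
    run_rule -P OUTPUT ACCEPT
    # Accept anything from localhost
    run_rule -A INPUT -i lo -j ACCEPT
    # Replies to connections the server itself opened (apt, DNS, game master servers)
    run_rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Assumed limit: drop a source that opens more than 4 new SSH connections in 60 s
    run_rule -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
    run_rule -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    echo "$PORT_TABLE" | while read -r proto port; do
        [ -n "$proto" ] || continue
        run_rule -A INPUT -p "$proto" --dport "$port" -j ACCEPT
    done
}

# rule_count: how many iptables commands the ruleset issues (sanity check
# before applying; should match the number of rules you expect).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    APPLY=1
    build_rules
else
    build_rules
fi
```

Because INPUT defaults to DROP before any ACCEPT is appended, run this from the console or a session you can afford to lose, and check the printed list (and `iptables -L -n` afterwards) before trusting it over SSH.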
Re: [Tut] Linux Iptables
Please rate, and if you want to see a tut on anything else Linux or Windows please ask :)
|
Re: [Tut] Linux Iptables
Move to Snippets and Tutorials please
|
Re: [Tut] Linux Iptables
It is also worth pointing out that you can secure your box easier by changing from the default ports. I used to get loads of attempts to login on SSH over port 22; I changed the port to a more obscure one and now don't get any at all.
|
Re: [Tut] Linux Iptables
Yes you can do that; I was just showing how the firewall works. Even if you change the SSH port I would still be running a firewall to help prevent attacks. Also, just changing the port SSH is running on does not make your box "secure", it just means that most automated scripts will not see it. The firewall can allow you to block port scans as well as limit the number of times someone can connect to your SSH or other services like FTP. But anyway, you are correct in that changing the port of SSH is easier than setting up the firewall.
|
Re: [Tut] Linux Iptables
Denyhosts is worth a mention as well.
Also, ufw may be simpler for a newcomer to the server admin world to understand; it's a syntax sweetener for iptables, and much more straightforward to work with. I know there's quite a few tuts on Ubuntu's forums about it, so no need to go over it, just link to them. |
Re: [Tut] Linux Iptables
What I meant by changing the ports: obv you should still use a firewall, but it makes it more easy to secure.
|
Re: [Tut] Linux Iptables
Quote:
https://wiki.ubuntu.com/UncomplicatedFirewall Also on that page are links to the manuals if you are using those versions of Ubuntu. As for Denyhosts, that is great for stopping people who keep attacking you, but I'd rather just use iptables to only allow my IP to access SSH. I also have port knocking set up just in case my IP changes. :bacon!: I will add links to UFW to the tut for Ubuntu users though, thanks for the info. Quote:
I would not allow external connections till that is at least done; there is more you can do with chroot and PAM. But that will keep most script kiddies out. + :bacon!: ? |
Re: [Tut] Linux Iptables
+ denyhosts has to allow the connection into the box first to see if it's on the list of hosts to deny.
apf can drop it before that, iirc |
Re: [Tut] Linux Iptables
Quote:
BTW at the risk of sounding like a noob what does iirc mean :oops: |