This is a rewrite of my other iptables tut. This one is meant to be easier for new admins to understand.
Notes: I am using CentOS 5.6 in a VM for my examples; these commands should work on any Linux install that uses netfilter (aka iptables).
FAQ:
Q: What is iptables?
A: Iptables is the command-line tool administrators use to configure the Netfilter modules in the Linux kernel. In other words, it is the program you use to configure the built-in firewall.
Q: I keep getting "iptables: command not found" or "access denied"
A: You are not root. Log in as root (or use sudo); /sbin is usually not in a normal user's PATH, which is where the "command not found" comes from.
Q: It does not work
A: Not really a question. Yes, this does work. If you are having problems, double-check your IPs and ports and run iptables -L -n -v to see all your rules; the packet counters tell you whether a rule is matching anything at all.
Q: XYZ plugin is not working after I configure iptables
A: The only plugins that can be affected by this are ones that use sockets or require external information, like GameME or HLstatsX. Make sure to add your log_serveraddress port to the allowed connections, plus any other ports the plugin requires. (I will post more info as I get the needed info, i.e. what ports GameME uses.)
Q: When I copied the commands they did not work
A: I am making this tut so you can set up your own rules; I am not doing it for you. If you do not understand, please ask, do not say they do not work.
Q: How do I set this up on a shared host, i.e. rented servers?
A: You cannot; you need root access. If you have a VPS or dedicated server you should be good to go.
Note: If you are running an Ubuntu server you can use UFW, which is a front end to the same iptables rules.
Let's get started:
Before we go around changing things, let's take a look at the default rules. You can see them by typing iptables -L (add -n -v, i.e. iptables -L -n -v, to skip DNS lookups and to show the interface and packet counters for each rule).
Now if you are new to networking this probably makes no sense, so let's break it down.
Code:
Chain INPUT (policy ACCEPT)
In the INPUT chain we have 1 rule.
Code:
RH-Firewall-1-INPUT all -- anywhere anywhere
This says that all INPUT traffic jumps to the RH-Firewall-1-INPUT chain (the policy ACCEPT only applies to packets that fall off the end of the chain without matching anything).
The FORWARD chain has the same jump; OUTPUT has no rules and just its ACCEPT policy.
RH-Firewall-1-INPUT is the chain with all the rules in it at the moment, so let's break them down.
The first one accepts all traffic arriving on the loopback interface (lo). Plain iptables -L does not show the interface, which is why it looks as if it allowed everything; -v shows lo in the "in" column.
The second one accepts ICMP traffic (ping, traceroute).
The third accepts ESP and the fourth AH, the two IPsec protocols.
The fifth accepts UDP traffic from anywhere as long as it is going to 224.0.0.251; the last part of the rule (udp dpt:mdns) is the destination port, 5353, i.e. multicast DNS, not packet flags.
See a pattern here yet? Each rule names a protocol, optionally an address and port, and what to do with a match.
OK, now that we know how the firewall is out of the box, let's set up a real firewall.
First off we are going to need a list of ports we are going to use.
What you have to remember here is that HLDS/SRCDS uses UDP for players and TCP for RCON, on the same port number (27015 by default), so each server needs one UDP rule and one TCP rule.
Now that we have our list of ports we can make the rules/chains the firewall will use to allow or drop traffic.
To start out we are going to clear all our old rules and recreate the default chains.
Code:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-X = Delete the selected user-defined chain (all user-defined chains in the table if none is given). A chain has to be empty and not referenced by any rule before it can be deleted, which is why -F runs first. Built-in chains (INPUT, OUTPUT, FORWARD) cannot be deleted.
-P = Set the policy for the chain to the given target, i.e. what happens to a packet that matches no rule in the chain. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
Note that without -t these three commands only touch the filter table; nat and mangle rules, if you have any, need -t nat and -t mangle.
Now your iptables should look like this
Now we are going to allow all the traffic we need.
Code:
# Accept anything from localhost
iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT
# SSH
iptables -A INPUT -p tcp --dport ssh --jump ACCEPT
# your server info goes here: one rule per game server, UDP for players
iptables -A INPUT -p udp -d server-IP --dport server-port --jump ACCEPT
# allow rcon to those servers (TCP on the same port)
iptables -A INPUT -p tcp -d server-IP --dport server-port --jump ACCEPT
Now to break it down:
-A = Append one or more rules to the end of the selected chain, i.e. add the rule to the chain. Order matters: the first matching rule wins, so put the rules you want checked first at the top.
-s / -d = source / destination address (a single host or a CIDR range). The localhost rule is more robust written as -i lo (match the loopback interface) than as -s 127.0.0.1/32, since it then does not depend on the source address at all.
-p = Protocol: tcp, udp, icmp, or all
--dport = destination port (a number or a name from /etc/services, such as ssh)
--jump (or -j) = Tells the firewall what to do if the packet matches the rule: ACCEPT, DROP, REJECT, or the name of another chain. A rule with no --jump matches but does nothing except count packets.
Now your table should look close to this
OK, now the problem is that it is still allowing all other traffic, so we are going to drop everything else.
Note: You can lock yourself out at this point. Make sure you have a way to get back into your system (console/KVM access, or the reset script below).
Attached is a script to reset your tables. I would set it as a cron job to run every 15 minutes; just remember to remove it once you have your firewall in place.
Also make sure the replies to connections the server itself opens (DNS answers, Steam and yum updates) can get back in: with INPUT set to DROP they are blocked unless a rule accepts packets in state ESTABLISHED,RELATED, the same state match the advanced rules further down use.
To drop the traffic we are going to change the chain's policy.
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
For this example we are allowing all output traffic, though it is a good idea to have rules in place to only allow the traffic you want.
Now your rules should look like this.
Remember that rules set with the iptables command are only in memory and are gone after a reboot; on CentOS run service iptables save to write them to /etc/sysconfig/iptables so they are loaded at boot.
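Below is the basic firewall from the steps above put together as one script. This is an added example, not the attached script or any code from the original post. It uses iptables-restore, which loads the whole filter table in a single step, so the DROP policy and the allow rules take effect together instead of one command at a time, and it includes the two rules the step-by-step version leaves out: accepting the loopback interface by name and accepting ESTABLISHED,RELATED replies. The SSH port, the 203.0.113.10 address and the 27015/27016 ports are made-up placeholders; edit them for your own servers.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the basic firewall as one
# iptables-restore ruleset. Run with no arguments to print the ruleset for
# review; run "sh basic-firewall.sh apply" as root to load it.
set -eu

SSH_PORT=22
# Constructed example: one game server at 203.0.113.10 running on 27015 and
# 27016. Each entry is IP:port; players use UDP, RCON uses TCP on that port.
GAME_SERVERS="203.0.113.10:27015 203.0.113.10:27016"

# Print the filter table in iptables-restore format.
build_rules() {
    printf '%s\n' '*filter'
    # Policies: drop anything INPUT/FORWARD does not explicitly accept,
    # allow all OUTPUT (as in the tutorial).
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback: match the interface, not the 127.0.0.1 source address.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this box opened (DNS answers, Steam updates,
    # yum). Without this, a DROP policy on INPUT breaks every outbound lookup.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Drop packets that connection tracking cannot make sense of.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # SSH management.
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    # Game servers: UDP for players, TCP for RCON, pinned to the server IP.
    for entry in $GAME_SERVERS; do
        ip=${entry%:*}
        port=${entry#*:}
        printf '%s\n' "-A INPUT -p udp -d $ip --dport $port -j ACCEPT"
        printf '%s\n' "-A INPUT -p tcp -d $ip --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# How many game-server accept rules the ruleset contains (two per entry).
count_game_rules() {
    build_rules | grep -c -- '-A INPUT -p [ut][dc]p -d '
}

# Load the ruleset. iptables-restore replaces the whole table at once; only
# run it when you have console access or the cron reset script in place.
apply_rules() {
    build_rules | iptables-restore
    # On CentOS 5 the live rules do not survive a reboot until you run:
    #   service iptables save        (writes /etc/sysconfig/iptables)
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default: just print the ruleset for review
esac
```

To add a server, append another IP:port entry to GAME_SERVERS; to check what would be loaded, run the script with no arguments and read the output before passing apply.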
Now that is it for a very basic firewall, so let's see what goes into a more advanced one.
(For this I am going to be using Debian, because I have a test server set up with some rules in place.)
As you can see there are a lot more rules here, so let's break some of them down and explain what they do.
Code:
ACCEPT icmp -- anywhere anywhere icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 5 state NEW
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable state NEW
ACCEPT icmp -- anywhere anywhere icmp time-exceeded state NEW
ACCEPT icmp -- anywhere anywhere icmp timestamp-request state NEW
ACCEPT icmp -- anywhere anywhere icmp timestamp-reply state RELATED,ESTABLISHED
What this does is allow a few ICMP types: echo-request (ping) is accepted as a NEW "connection" but rate-limited to an average of 5 per second with a burst of 5, so a ping flood cannot eat the box; echo-reply and timestamp-reply are only accepted when they answer a probe this server sent (state RELATED,ESTABLISHED); and destination-unreachable and time-exceeded are kept because path MTU discovery and traceroute depend on them. Together these let you see whether the server is even up without opening it to every ICMP type.
Now on to some that will help slow down a WEAK DDoS or DoS attack.
Code:
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
What this does: the first rule drops any packet that conntrack treats as the start of a new connection (state NEW) but which is not a plain SYN, the second (-f) drops all fragments, and the last three drop flag combinations that never occur in a real handshake (FIN, SYN, RST and ACK all set; SYN together with FIN; SYN together with RST). That stops the odd-flag probes port scanners such as nmap send and cuts down on junk, but it is no defence against a real flood: a SYN flood consists of perfectly valid SYNs, and a UDP flood at your game port is accepted by the very rule you wrote for players. Two caveats on the fragment rule: once the connection tracking module is loaded, netfilter reassembles fragments before the filter table sees them, so -f rarely matches; and where it does match it also drops legitimate large UDP datagrams that had to be fragmented.
Now for some anti-spoof rules. These drop incoming packets whose source address cannot be genuine: packets claiming to come from the server's own public IP (200.200.200.200 is presumably a placeholder for it here), from a private range like 192.168.0.0/24 that you do not use, or from loopback (127.0.0.0/8, shown as loopback/8). Tie them to the internet-facing interface (-i eth0 or ! -i lo), or put them after your loopback accept rule, otherwise the loopback rule drops the machine's own local traffic.
Code:
DROP all -- 200.200.200.200 anywhere
DROP all -- 192.168.0.0/24 anywhere
DROP all -- loopback/8 anywhere
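The three groups of rules above, written as the iptables commands that produce that iptables -L output, as an added example (not the configuration attached to the post). The script runs in dry-run mode by default and only prints the commands; run it as root with IPT=iptables to apply them. eth0 as the internet-facing interface and 203.0.113.10 as the server's own address are assumptions, and the anti-spoof list goes slightly beyond the three rules shown by covering all the RFC 1918 private ranges; leave out any range you actually use (a VPS behind NAT may have a private address itself).

```shell
#!/bin/sh
# Added example: the ICMP, TCP-flag and anti-spoof rules from the listing
# above as iptables commands. Dry run by default: IPT is "echo iptables", so
# the script only prints what it would do. Apply as root with:
#   IPT=iptables EXT_IF=eth0 MY_IP=<your public IP> sh hardening.sh
set -eu

IPT=${IPT:-echo iptables}
EXT_IF=${EXT_IF:-eth0}          # internet-facing interface (assumption)
MY_IP=${MY_IP:-203.0.113.10}    # this server's public address (placeholder)

# Anti-spoof: nothing arriving from the internet may claim to be this host,
# loopback, or an RFC 1918 private range. Restricting the rules to $EXT_IF
# leaves real loopback traffic (-i lo) untouched.
spoof_rules() {
    $IPT -A INPUT -i "$EXT_IF" -s "$MY_IP" -j DROP
    $IPT -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
    $IPT -A INPUT -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
    $IPT -A INPUT -i "$EXT_IF" -s 172.16.0.0/12 -j DROP
    $IPT -A INPUT -i "$EXT_IF" -s 192.168.0.0/16 -j DROP
}

# TCP flag sanity. A NEW connection must start with a bare SYN; the other
# combinations never occur in a legitimate handshake (they are what
# SYN/FIN, Xmas-style and similar scans send). -f drops fragments, though
# with conntrack loaded the filter table seldom sees any.
flag_rules() {
    $IPT -A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    $IPT -A INPUT -f -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,SYN,RST,ACK -j DROP
    $IPT -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
}

# ICMP: rate-limited ping, replies to our own probes, and the error types
# that path MTU discovery and traceroute need. With INPUT set to DROP,
# pings above the limit simply fall through to the policy.
icmp_rules() {
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 5 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Order matters: drop the garbage first, then accept. These belong right
# after the loopback and ESTABLISHED,RELATED accepts and before the rules
# for SSH and the game servers.
all_rules() {
    spoof_rules
    flag_rules
    icmp_rules
}

all_rules
```

Because every rule is appended with -A, run this before the service accept rules (or insert it with -I at the right position) so that a spoofed or malformed packet is dropped before it can reach an ACCEPT rule.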
This is only scratching the surface of what iptables can do. I will be editing this as I have time to add more info.
BTW, feel free to share your iptables configs.
Attached is a sample firewall config.
Credits:
http://linux.die.net/man/8/iptables - for a detailed explanation of the commands
https://forums.alliedmods.net/member.php?u=51244 - for his fail2ban rules
http://en.wikipedia.org/wiki/Iptables - for the explanation of iptables