Iptables For New Admins


Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
#1, 08-24-2011, 02:26: Iptables For New Admins

This is a rewrite of my other iptables tut. This one is meant to be easier for new admins to understand.

Notes: I am using CentOS 5.6 in a VM for my examples; these commands should work on any Linux install that is using netfilter, aka iptables.

FAQ:

Q: What is iptables?
A: Iptables is the interface used by administrators to interact with Netfilter modules. In other words, it is the program you use to configure the built-in firewall.

Q: I keep getting "iptables: command not found" or "access denied".
A: You are not root.

Q: It does not work.
A: Not really a question. Yes, this does work; if you are having problems, check your IP/ports and type iptables -L to see all your rules.

Q: XYZ plugin is not working after I configure iptables.
A: The only plugins that can be affected by this are ones that use sockets or require external information, like GameME or HLXstats. Make sure to add your log_serveraddress port to the allowed connections, and any other ports required. (I will post more info as I get the needed info, i.e. what ports GameME uses.)

Q: When I copied the commands they did not work.
A: I am making this tut so you can set up your own rules; I am not doing it for you. If you do not understand, please ask; do not say they do not work.

Q: How do I set this up on a shared host, i.e. rented servers?
A: You cannot; you have to have root access. If you have a VPS or dedicated server you should be good to go.

Note: If you are running an Ubuntu server you can use UFW.



Let's get started:

Before we go around changing things, let's take a look at the default rules. You can see them by typing iptables -L.



Now if you are new to networking this probably makes no sense, so let's break it down.

Code:
Chain INPUT (policy ACCEPT)
In the INPUT chain we have 1 rule.

Code:
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
This is saying all INPUT goes to the RH-Firewall-1-INPUT chain.

Same goes for the FORWARD and OUTPUT chains.

The RH-Firewall-1-INPUT chain is the one with all the rules in it atm, so let's break them down.

The first one is allowing all traffic no matter what it is.
The second one is allowing ICMP traffic (ping, traceroute).
The third is allowing ESP.
Fourth is allowing AH traffic.
The fifth rule is allowing UDP traffic from anywhere as long as it is going to 224.0.0.251; the last part of the rule has to do with packet flags. For this we will not go too far into those.

You see a pattern here yet?


OK, now that we know how the firewall is out of the box, let's set up a real firewall.

First off we are going to need a list of ports we are going to use.

What you have to remember here is that HLDS/SRCDS uses UDP for players and TCP for RCON.

Now that we have our list of ports we can make the rules/chains the firewall will use to allow or drop traffic.

To start out we are going to clear all our old rules and recreate the default chains.

Code:
iptables -F
iptables -X
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-X = Deletes all chains
-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

Now your iptables should look like this.



Now we are going to allow all our needed traffic.

Code:
# Accept anything from localhost
iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT

#SSH
iptables -A INPUT -p tcp --dport ssh --jump ACCEPT

#your server info goes here (UDP is what the players use)
iptables -A INPUT -p udp -d server-IP --dport server-port --jump ACCEPT

#allow rcon to those servers (RCON is TCP)
iptables -A INPUT -p tcp -d server-ip --dport server-port --jump ACCEPT
Now to break it down:

-A = Append one or more rules to the end of the selected chain, aka adds the rule to the chain

-p = Protocol tcp, udp, icmp, or all

--dport = destination port

--jump = Tells the firewall what to do if the packet matches the rule

Now your table should look close to this.




OK, now the problem is it is still allowing all traffic, so we are going to drop all other traffic.

Note: You can lock yourself out at this point. Make sure to have a way to get back into your system.
Attached is a script to restart your tables. I would set it to a cron job to be run every 15 mins. Just remember to remove it once you have your firewall in place...


To drop the traffic we are going to change the chain's policy.

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
For this example we are allowing all output traffic, though it is a good idea to have rules in place to only allow the traffic you want.

Now your rules should look like this.


Now that is it for a very basic firewall, so let's see what goes into a more advanced one.
(For this I am going to be using Debian, because I have a test server set up with some rules in place.)



As you can see there are a lot more rules here, so let's break some of them down and explain what they do.

Code:
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/sec burst 5 state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp timestamp-request state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp timestamp-reply state RELATED,ESTABLISHED
OK, what it is doing here is allowing some basic ICMP requests like ping and some others that will allow you to see if your server is even up.

Now on to some that will help slow down a WEAK DDoS or DoS attack.

Code:
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       all  -f  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
What this is doing is dropping all fragmented packets and any TCP connection that does not use the correct handshake.


Now for some anti-spoof rules:

Code:
DROP       all  --  200.200.200.200      anywhere
DROP       all  --  192.168.0.0/24       anywhere
DROP       all  --  loopback/8           anywhere
This is only scratching the surface of what iptables can do. I will be editing this as I have time to add more info.

BTW feel free to share your iptables configs.

Attached is a sample firewall config.

Credits:
http://linux.die.net/man/8/iptables - For a detailed explanation of the commands

https://forums.alliedmods.net/member.php?u=51244 - For his fail2ban rules

http://en.wikipedia.org/wiki/Iptables - for the explanation of iptables
Attached file: firewall.zip (1.2 KB)

Last edited by Mavrick4283; 11-10-2011 at 04:05. Reason: Fixed Images
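The rules the post builds up one iptables -A at a time, as an added example that is not code from the original post or its firewall.zip attachment: a shell script that writes the whole firewall in iptables-restore format (the format iptables-save produces; iptables-restore loads it atomically instead of leaving a half-applied chain if one command has a typo). It combines the basic rules (loopback, SSH, UDP game ports, TCP RCON, DROP policy on INPUT and FORWARD) with the advanced ones shown later (ICMP with a rate limit, TCP flag sanity checks, fragment drop, anti-spoof). It goes one step beyond the post by accepting ESTABLISHED,RELATED packets before any DROP rule, so replies to connections already allowed, including the SSH session you are typing in, are never cut off. The SSH port 22, the server IP 203.0.113.10 and the game ports 27015/27016 are placeholder assumptions; set the variables to match your host.

```shell
#!/bin/sh
# Added example (not the thread's attachment): generate a complete
# iptables-restore ruleset for an HLDS/SRCDS host from a few variables.
# Load it with:  sh gen-firewall.sh > rules.v4 && iptables-restore < rules.v4
SSH_PORT="${SSH_PORT:-22}"               # assumed: sshd on the default port
SERVER_IP="${SERVER_IP:-203.0.113.10}"   # assumed placeholder (TEST-NET-3)
GAME_PORTS="${GAME_PORTS:-27015 27016}"  # assumed: UDP for players, TCP for RCON

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we already accepted come first,
# so nothing below can break an established SSH session
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anti-spoof: these source ranges can never legitimately arrive from outside
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
# malformed TCP: a NEW flow must start with a bare SYN; drop fragments and
# impossible flag combinations (all set, none set, SYN+FIN, SYN+RST)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# ICMP: answer pings, but at most 5 per second; keep the error types that
# path-MTU discovery and traceroute depend on
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# SSH
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
    # one UDP rule (players) and one TCP rule (RCON) per game server port
    for port in $GAME_PORTS; do
        echo "-A INPUT -p udp -d $SERVER_IP --dport $port -j ACCEPT"
        echo "-A INPUT -p tcp -d $SERVER_IP --dport $port -m state --state NEW -j ACCEPT"
    done
    # everything not matched above falls through to the INPUT chain's DROP policy
    echo COMMIT
}

gen_rules
```

On CentOS 5 the generated file can be written straight to /etc/sysconfig/iptables so the init script reloads it at boot; on Debian, load it from an interface pre-up hook or a small init script. Because the DROP policies are part of the same atomic load as the ACCEPT rules, there is no window where the policy is DROP but SSH is not yet allowed, which is the lock-out the post warns about when the commands are typed one by one.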
NAQQASH (Senior Member, Join Date: Dec 2010)
#2, 08-24-2011, 04:03: Re: Iptables For New Admins

Quote:
iptables -A INPUT -p tcp --dport ssh --jump ACCEPT
??
Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
#3, 08-24-2011, 04:10: Re: Iptables For New Admins

When you use ssh like that the system knows to auto look for the sshd in netstat and open that port.

If you type netstat -a | more you can see all open ports; any ones with a name you can do that with, for example:

SSH
Mail
HTTP

Those are just some that can work.
sake (Senior Member, Join Date: Jul 2011)
#4, 08-24-2011, 05:41: Re: Iptables For New Admins

Just a dumb question. Isn't iptables opening a port as long as a daemon is running on the port? If not, sorry. I think I read something about that on the internet.

EDIT:

And one tip (because I just killed everything at my server):

Save your standard configuration (maybe there is some stuff that was preconfigured) by using:

iptables-save > nameofthefile

If you lock yourself out by messing something up with the iptables, you can now do a rescue system login. Then mount your hard disk and go to /etc/init.d. For simplicity you can cp the backup file into this directory, and then create a small script:

Code:
#!/bin/bash
# load the saved rules; iptables-restore reads the ruleset from stdin
iptables-restore < path/to/the/file/nameofthefile
Then make the script executable:
Code:
chmod +x nameofyourscript

Restart the server. Then everything is back to normal. Now go back to /etc/init.d and remove the executable flag (the file will not be executed at system start anymore) with chmod -x nameofyourscript. If you stored the backup file in /etc/init.d, move it to a safe place (don't leave it in init.d, that's bad style) and do the same to the script.

How it works:
The directory /etc/init.d is the place where all the programs (or just daemons? sorry, I don't know) put their starting scripts. Everything that's executable and placed in this directory will be started at system startup. So we place our stuff there, restart the server and we are back to normal.

EDIT2:

And you should do the same as described in the first post for ip6tables.

EDIT3:

ufw is available for Debian, too.

sake

Last edited by sake; 08-24-2011 at 09:49.
Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
#5, 08-24-2011, 15:27: Re: Iptables For New Admins

@sake You should have read the whole post; I was not done writing it... I just had to save it before my laptop died.

Quote:
Just a dumb question. Isn't ipTables opening a port as long as a daemon is running on the port? If not sry. I think I read sth about that on the internet.
No, iptables does not open ports without you telling it.

Quote:
And you should do the same as described in the first post for ip6tables.
Well, unless you know for a fact you need IPv6 you should just be dropping all v6 traffic.

Quote:
EDIT3:

ufw is available for Debian, too.
Well, yeah... Ubuntu is based off Debian, but it is just not installed by default.



EDIT:
I am still not done with this, so do not post that it does not work or that something is incorrect... Thanks.
Last edited by Mavrick4283; 08-24-2011 at 16:30. Reason: answering your question
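The lock-out safety net that the first post's cron-restart script and sake's rescue-boot procedure are both reaching for, as an added example that is not code from the thread or its attachment: save the live rules with iptables-save, load the new file with iptables-restore, and have a background timer put the saved rules back unless you confirm from a fresh SSH session that you can still get in. It also emits the drop-everything IPv6 ruleset this reply recommends for hosts that do not use IPv6. The paths under /root, the 120-second default and the function names are assumptions; the tool names are variables only so the logic can be exercised with stub commands.

```shell
#!/bin/sh
# Added example (not the thread's attachment): apply an iptables ruleset
# with an automatic rollback, so a typo cannot lock you out for good.
# Usage (as root):
#   . ./safe-apply.sh; apply_with_rollback rules.v4
#   ... open a NEW ssh session, check it works, then: confirm_rules
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
BACKUP="${BACKUP:-/root/iptables.rollback}"   # assumed path for the saved rules
PENDING="${PENDING:-/root/iptables.pending}"  # marker: new rules not yet confirmed
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"         # assumed: two minutes to confirm

# Save the live rules; refuse to clobber a backup from an unconfirmed run,
# otherwise a second attempt would "roll back" to the rules that locked you out.
backup_rules() {
    if [ -e "$BACKUP" ]; then
        echo "refusing to overwrite $BACKUP (previous apply not confirmed?)" >&2
        return 1
    fi
    "$IPT_SAVE" > "$BACKUP"
}

# Load $1 (iptables-restore format) and arm the rollback timer.
apply_with_rollback() {
    rules="$1"
    backup_rules || return 1
    if ! "$IPT_RESTORE" < "$rules"; then
        # iptables-restore rejected the file: nothing changed, so no backup needed
        rm -f "$BACKUP"
        return 1
    fi
    touch "$PENDING"
    (
        sleep "$ROLLBACK_SECS"
        # marker still present: nobody confirmed, so put the old rules back
        if [ -e "$PENDING" ]; then
            "$IPT_RESTORE" < "$BACKUP"
            rm -f "$PENDING" "$BACKUP"
        fi
    ) &
    echo "new rules loaded; run confirm_rules within ${ROLLBACK_SECS}s or they roll back"
}

# Run from a fresh SSH session once you have verified you can still log in.
confirm_rules() {
    [ -e "$PENDING" ] || return 1   # already rolled back, nothing to confirm
    rm -f "$PENDING" "$BACKUP"
}

# Ruleset that drops all IPv6 except loopback, for hosts that do not use v6.
# Load it with:  drop_all_ipv6 | ip6tables-restore
drop_all_ipv6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}
```

The watchdog is a plain background subshell rather than a cron job, so it cannot outlive the intent: confirming deletes the marker and the backup, and an unconfirmed apply restores the old rules exactly once and then cleans up. Unlike the 15-minute cron script in the first post, there is nothing left running that silently resets the firewall later.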
Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
#6, 08-25-2011, 03:39: Re: Iptables For New Admins

Quote (Originally Posted by taylor lee):
If you can get onto command console (start menu, cmd, enter), type net user. If there is one that says "administrator", then type net user "administrator" /active:yes. This should work. If that doesn't work, type control userpasswords2. Highlight administrator and uncheck the box on the top. Restart your computer and it should log in as administrator.
This is for Linux... so yeah, no administrator user, just root.


EDIT:

Plus we are not even talking about how to get admin on Windows... so why? Not trying to be a dick or troll you, but you need to read the thread before posting a reply. If you do not have something that is on topic, keep it to yourself. Thanks.
Last edited by Mavrick4283; 08-25-2011 at 03:44.
NAQQASH (Senior Member, Join Date: Dec 2010)
#7, 08-25-2011, 05:38: Re: Iptables For New Admins

This is more readable. Keep up the good work.
Off topic: Also, do you use a GUI for HLDS?
Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
#8, 08-25-2011, 05:56: Re: Iptables For New Admins

Lol, no, that was just one of my VMs.

Edit:

I do not run any HLDS myself; I just run TF2 and Gmod servers ATM as far as games go. For the tut I was using a CentOS 5.6 server with KDE installed on it, and a Debian 5 with SSHD running. I was just being lazy again.
Last edited by Mavrick4283; 08-25-2011 at 06:00.
NAQQASH (Senior Member, Join Date: Dec 2010)
#9, 08-25-2011, 06:23: Re: Iptables For New Admins

Oh. I wanted to say game servers.
Great work BTW. Screenshots will encourage people to try it out and say "hey look, it's exactly the same in my case as well".
Mavrick4283 (Veteran Member, Join Date: Apr 2010, Location: 127.0.0.1@root)
#10, 08-25-2011, 06:40: Re: Iptables For New Admins

Quote (Originally Posted by NAQQASH):
Oh. I wanted to say game servers.
Great work BTW. Screenshots will encourage people to try it out and say "hey look, it's exactly the same in my case as well".

Oh lol, yeah, no, I do not have a GUI on my servers; IMO it's just a security risk.

Ty, I think I will do one on how to correctly set up SFTP and secure your box. Got to keep the 1337 HAX0RZ out...


All times are GMT -4.