Tuesday, 30 July 2013

Centos 6/RHEL set new Firewall IPTables rules

The firewall rules in CentOS, commonly known as IPTables, are based on IP addresses, protocols and ports and give you the ability to manage all connection activity in and out of your server. Rules are organised into chains (INPUT, OUTPUT and FORWARD), and each rule can ACCEPT, DROP or REJECT traffic that matches your criteria. IPTables is the bedrock of the server's security, so here we will look at replacing the pre-installed rule set to build your own.

First, log in as root and remove all the current rules.

# iptables --flush

As a temporary measure, so that we cannot lock ourselves out while the new rules are being built, set the default policy of every chain to accept all connections.

# iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT

Now save the rules and restart the service.

# service iptables save

# service iptables restart

Now we add a simple pair of rules that allow unlimited traffic on the loopback interface (127.0.0.1), so that services on the localhost can reach each other.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Next, we can add an optional rule that allows a static IP address, if you are using one.

iptables -A INPUT -i lo -s 192.168.0.100 -d 192.168.0.100 -j ACCEPT

Now we enable both ICMP and connection state tracking. ICMP is used by diagnostics such as ping and traceroute and for network control and discovery, while the state module lets IPTables remember the status of each connection (keyed on the protocol and the source and destination IP addresses), so that replies to connections the server has already opened are let back in.

iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Having done this, the next task is to open the domain and SSH ports to allow DNS queries and SSH logins. If you are using a different port for SSH, remember to change it here.

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Finally, lock the server down and deny any unwanted access by rewriting the default chain policies.

iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT ACCEPT

Save the new configuration from memory to file and restart the service.

# service iptables save

# service iptables restart

Additional Ports

You can open additional ports to support features such as HTTPD, FTP, NTP, mail and so on by extending the current rule set, giving each feature the relevant input and output rules.

To allow HTTP on port 80 and IMAP on port 143 you would use

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT

To allow FTP on ports 20/21 you would use

iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT

To allow SMTP and POP3 on ports 25 and 110 you would use

iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT

Finally, to allow NTP on port 123 you would use

iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

Remember to save the rules.

# service iptables save
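The whole procedure so far, from the loopback rules through the additional services, collected into one script as an added example; this is not code from the original post. It writes the finished rule set in the iptables-save format that /etc/sysconfig/iptables uses, so the result can be reviewed before it is loaded, and loads it with iptables-restore, which replaces the running rules in one atomic step (there is no window in which a half-built chain is active, so the temporary ACCEPT policies are not needed). The variable names SSH_PORT and EXTRA_SERVICES and the functions allow_in, gen_ruleset and apply_ruleset are this example's own. The per-service OUTPUT rules from the post are omitted because the OUTPUT policy is ACCEPT, which already allows them.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's rule set as an
# iptables-save file and optionally load it. All names here are this example's own.

SSH_PORT="${SSH_PORT:-22}"
# Extra services from the "Additional Ports" section, as proto:port or proto:first:last
EXTRA_SERVICES="${EXTRA_SERVICES:-tcp:80 tcp:143 tcp:20:21 tcp:25 tcp:110 udp:123}"

# allow_in PROTO PORT: one INPUT ACCEPT rule line in iptables-save syntax.
allow_in() {
    printf -- '-A INPUT -p %s -m %s --dport %s -j ACCEPT\n' "$1" "$1" "$2"
}

# gen_ruleset SSH_PORT [PROTO:PORT ...]: print a complete filter table.
# Order matters: loopback and ESTABLISHED,RELATED come first so that replies
# to the server's own connections are accepted before the per-port checks.
gen_ruleset() {
    ssh_port="$1"
    shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # the post's final policies: drop unknown input
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type any -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    allow_in tcp 53
    allow_in udp 53
    allow_in tcp "$ssh_port"
    for svc in "$@"; do
        # split "proto:port" (port may itself be a range such as 20:21)
        allow_in "${svc%%:*}" "${svc#*:}"
    done
    echo 'COMMIT'
}

# apply_ruleset: load the table atomically, then persist it with the
# CentOS 6 init script (must be run as root on the host).
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$SSH_PORT" $EXTRA_SERVICES > "$tmp"   # unquoted: split on spaces
    iptables-restore < "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && service iptables save
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       gen_ruleset "$SSH_PORT" $EXTRA_SERVICES ;;   # dry run: print the file
esac
```

Run it without arguments to see the file it would install; diff that against the current /etc/sysconfig/iptables before running it with --apply. Because iptables-restore either loads the whole table or leaves the old one in place, an SSH session stays open across the switch as long as the SSH port rule is present in the generated file.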

Allowing an IP Address

If you have a list of IP addresses that represent welcome guests, the root user can add them to the existing firewall rules and whitelist them by typing

iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

You can add as many addresses as you like, but place the entries above any other rule in the INPUT chain, as in this excerpt in the saved-rules format that service iptables save writes to /etc/sysconfig/iptables:

:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 192.168.0.100 -j ACCEPT
-A INPUT -s 192.168.0.101 -j ACCEPT

Save and restart iptables.

# service iptables save

# service iptables restart

Banning IP addresses

If you have a list of IP addresses that represent unwanted guests, the root user can add them to the existing firewall rules and effectively ban or blacklist them by typing

iptables -A INPUT -s 192.168.0.100 -j DROP

Again, there is no limit to the number of addresses, but they must appear above any other rule:

:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s XXX.XXX.XXX.XXX -j DROP
-A INPUT -s XXX.XXX.XXX.XXX -j DROP
-A INPUT -s XXX.XXX.XXX.XXX -j DROP

Save and restart iptables.

# service iptables save

# service iptables restart
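Both the whitelist and the ban sections depend on the per-address rules being evaluated before anything else in INPUT, because the first matching rule wins. As an added example that is not from the original post, the shell functions below check that ordering in a file in the saved-rules format shown above, and emit the iptables commands that insert an address at position 1 of the chain with -I rather than appending it with -A. The names check_order, allow_cmd and ban_cmd are chosen here, and the rule files used to exercise them are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: verify that per-address
# ACCEPT/DROP rules sit above every other INPUT rule in an iptables-save
# file, and print insert commands that keep them there.

# check_order FILE: exit 0 if every "-A INPUT -s ADDR -j ACCEPT|DROP" line
# precedes the first INPUT rule that is not such a line, else exit 1.
check_order() {
    awk '
        /^-A INPUT / {
            if ($0 ~ /^-A INPUT -s [0-9.\/]+ -j (ACCEPT|DROP)$/) {
                if (seen_other) bad = 1     # address rule below a general rule
            } else {
                seen_other = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# allow_cmd ADDR / ban_cmd ADDR: the command that puts the rule first in INPUT.
# "-I INPUT 1" inserts at the top; "-A INPUT" would append below existing rules.
allow_cmd() { printf 'iptables -I INPUT 1 -s %s -j ACCEPT\n' "$1"; }
ban_cmd()   { printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$1"; }

# Usage: sh this_script.sh /etc/sysconfig/iptables
if [ $# -gt 0 ]; then
    if check_order "$1"; then
        echo "ok: address rules are at the top of INPUT"
    else
        echo "warning: an address rule is below a general rule in INPUT" >&2
        exit 1
    fi
fi
```

Run check_order against /etc/sysconfig/iptables after service iptables save and before the restart, so a misplaced entry is caught while the old rules are still active. Inserting with -I INPUT 1 at the command line gives the same result as appending with -A and then moving the line in the saved file, as the post describes, once the service is restarted.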

Using this method you can deny unwanted visitors access to your server at the firewall and limit the size of your log files.