Re: Iptables example for mail/web/openvpn server
On Wed, 2012-02-15 at 19:25 +0100, Arturo Borrero Gonzalez wrote:
> 2012/2/15 Raven <raven@vp44.net>:
> > Hi guys.
> > I need some help in designing a simple iptables ruleset for a small
> > server I have recently set up.
> >
> > It's a VPS so the primary interface is venet0 with a public ip. The
> > server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
> >
> > There is obviously no need for NAT or packet forwarding. All outbound
> > traffic should be allowed while inbound data is to be accepted only on
> > ports 80, 443, 25, 587 and 1194 (tcp,udp).
> >
> > Could you give me a rough idea of what a firewall script should look
> > like?
> >
> > Thanks
> >
> > -RV
> >
> I think if you give me more details about the environment of the
> server, I could help you by being more explicit.
>
> For example:
>
> · IPv6 use, or support?
> · Complex firewall as a service management?
> · How many clients are going to use the server?
> · What about the scalability factor? Do you plan to expand the server
> in the future?
> · Is the server in your house, or is it a testing server, so that
> availability and security could be forgiven in favor of a quick
> setup?
>
1) IPv6 will be implemented in the near future. For now I'm focusing on
v4.
2) Didn't really understand that question :)
3) A fair number. Busy MTA and 70-80 clients on httpd.
4) I do, but in that case I will add a rule manually for whatever
protocol I need to.
5) As of now the server is just a secondary MX and a failover httpd
server. If all works out I plan to use it as primary.
I probably should have mentioned this earlier, but my predecessor left
me with a firewall script that, when launched, locks me out of the
server.
It seems all kosher to me, so I wonder why it's behaving like that:
#!/bin/sh
IPT="/sbin/iptables"
# Internet Interface
INET_IFACE="venet0"
INET_ADDRESS="xxx.xxx.xxx.xxx"
# OpenVPN (note: the question describes this subnet as a /24)
OV="172.16.0.0/16"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Unlimited access to VPN (always go through $IPT, not a bare iptables)
$IPT -A INPUT -s $OV -j ACCEPT
$IPT -A OUTPUT -s $OV -j ACCEPT
# Munin accounting stuff (no -j target: these rules only count packets,
# they never accept or drop anything)
$IPT -A INPUT -d $INET_ADDRESS
$IPT -A OUTPUT -s $INET_ADDRESS
$IPT -A INPUT -d 172.16.0.1
$IPT -A OUTPUT -s 172.16.0.1
# Filter INVALID packets
$IPT -N bad_packets
# Filter bad tcp packets
$IPT -N bad_tcp_packets
# Chains for icmp, tcp and udp (incoming and outgoing)
$IPT -N icmp_packets
$IPT -N udp_inbound
# udp_outbound is appended to below, so it has to be created as well
$IPT -N udp_outbound
# Inbound services
$IPT -N tcp_inbound
# Outbound services
$IPT -N tcp_outbound
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# New connections must start with a SYN; the rest are bogus flag combinations
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# Echo request (ping)
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# udp_inbound chain
# NetBIOS noise
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# NTP Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT
# udp_outbound chain (never jumped to from OUTPUT below, kept for completeness)
# ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
# Passive FTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:63000 -j ACCEPT
# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
# Email Server (SMTP SUBMISSION)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 587 -j ACCEPT
# Email Server (POP3)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Email Server (IMAP4)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# SSL Email Server (POP3s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT
# SSL Email Server (IMAP4s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Munin
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 4949 -j ACCEPT
# Rsync
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 873 -j ACCEPT
# openvpn
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1194 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT
# No match, so ACCEPT (tcp_outbound is never jumped to from OUTPUT below)
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# Accept Established Connections. This must be a single command: if the
# "-j ACCEPT" is wrapped onto its own line, the rule is installed without a
# target and reply packets fall through to the per-protocol chains instead.
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
-RV
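One way to lay out the ruleset the question asks for, as an added example rather than code from the thread: inbound only on the stated ports, VPN clients trusted, everything outbound open, the DROP policy switched on last, and a timed rollback so a mistake cannot lock you out of the box. The tun0 interface name, the /sbin/iptables path and the 172.16.0.0/24 subnet are assumptions taken from the question and can be overridden in the environment.

```shell
#!/bin/sh
# Added example (not the script from the thread): a minimal stateful ruleset
# for the requirements in the question. Interface names, the VPN subnet and
# the iptables path are assumptions; override them in the environment.
IPT="${IPT:-/sbin/iptables}"
INET_IFACE="${INET_IFACE:-venet0}"
VPN_IFACE="${VPN_IFACE:-tun0}"
VPN_NET="${VPN_NET:-172.16.0.0/24}"
TCP_PORTS="80 443 25 587 1194"
UDP_PORTS="1194"

# Install the ruleset. Policies start at ACCEPT and are switched to DROP only
# as the very last step, so a failure part-way through cannot lock you out.
apply_rules() {
    $IPT -P INPUT ACCEPT && $IPT -P FORWARD ACCEPT && $IPT -P OUTPUT ACCEPT
    $IPT -F && $IPT -X
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to our own connections and to already accepted sessions first.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Clients on the tunnel are trusted; the public interface is filtered by port.
    $IPT -A INPUT -i "$VPN_IFACE" -s "$VPN_NET" -j ACCEPT
    for p in $TCP_PORTS; do
        $IPT -A INPUT -i "$INET_IFACE" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPT -A INPUT -i "$INET_IFACE" -p udp --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # No NAT or forwarding on this host; outbound stays open.
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
}

# Lockout guard: after $1 seconds, reopen INPUT unless this job has been killed.
# Arm it from your SSH session, apply, confirm a fresh login works, then kill it.
arm_rollback() {
    ( sleep "$1" && $IPT -P INPUT ACCEPT && $IPT -F ) >/dev/null 2>&1 &
    echo $!
}

# Dry run: print the commands instead of installing them (IPT=echo).
dry_run() { ( IPT=echo; apply_rules ); }

# Number of INPUT accept rules the ruleset would install.
count_input_accepts() { dry_run | grep -c -- '-A INPUT .* -j ACCEPT'; }

if [ "${FIREWALL_APPLY:-0}" = 1 ]; then apply_rules; fi
```

Run `dry_run` first to read the generated commands, then `FIREWALL_APPLY=1` with a rollback armed to install them.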