
Re: Iptables example for mail/web/openvpn server



On Wed, 2012-02-15 at 19:25 +0100, Arturo Borrero Gonzalez wrote:
> 2012/2/15 Raven <raven@vp44.net>:
> > Hi guys.
> > I need some help in designing a simple iptables ruleset for a small
> > server I have recently set up.
> >
> > It's a VPS so the primary interface is venet0 with a public ip. The
> > server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
> >
> > There is obviously no need for NAT or packet forwarding. All outbound
> > traffic should be allowed while inbound data is to be accepted only on
> > ports 80, 443, 25, 587 and 1194 (tcp,udp).
> >
> > Could you give me a rough idea of what a firewall script should look
> > like?
> >
> > Thanks
> >
> > -RV
> >
> I think if you give me more details about the environment of the
> server, I could help you being more explicit.
> 
> For example:
> 
> · Ipv6 use, or support?
> · Complex firewall as a service management?
> · How many clients are going to use the server?
> · What about the scalability factor? Do you plan to expand the server
> in the future?
> · Is the server in your house, or is it a testing server, so that
> availability and security could be forgiven in favor of a quick
> setup?
> 

1) IPv6 will be implemented in the near future. For now I'm focusing on
v4.
2) Didn't really understand that question :)
3) A fair number. Busy MTA and 70-80 clients on httpd.
4) I do, but in that case I will add a rule manually for whatever
protocol I need to.
5) As of now the server is just a secondary MX and a failover httpd
server. If all works out I plan to use it as primary.

I probably should have mentioned this earlier, but my predecessor left
me with a firewall script that, when launched, locks me out of the
server.
It seems all kosher to me, so I wonder why it's behaving like that:


#!/bin/sh
IPT="/sbin/iptables"
# Internet Interface
INET_IFACE="venet0"
INET_ADDRESS="xxx.xxx.xxx.xxx"
# OpenVPN subnet, as described above (172.16.0.0/24)
OV="172.16.0.0/24"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

#Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# unlimited access to/from the VPN subnet ($IPT is used here, like
# everywhere else, so the binary path set above applies; the OUTPUT rule
# matches replies sourced from the server's own VPN address)
$IPT -A INPUT -s $OV -j ACCEPT
$IPT -A OUTPUT -s $OV -j ACCEPT

# Munin accounting stuff: these rules deliberately have no -j target, they
# only count packets/bytes and fall through to the next rule
$IPT -A INPUT -d $INET_ADDRESS
$IPT -A OUTPUT -s $INET_ADDRESS
$IPT -A INPUT -d 172.16.0.1
$IPT -A OUTPUT -s 172.16.0.1


#Filter INVALID packets
$IPT -N bad_packets

#Filter bad tcp packets
$IPT -N bad_tcp_packets

#Chains for icmp, tcp (incoming and outgoing)
$IPT -N icmp_packets
$IPT -N udp_inbound

#Inbound services
$IPT -N tcp_inbound

#Outbound services
$IPT -N tcp_outbound


# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# everything set except PSH; kept on one line so the "-j DROP" is part of
# the rule (a continuation backslash at the start of the next line is not
# a continuation, and the rule is appended without any target)
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN


# icmp_packets chain
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

#Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT



# udp_inbound chain
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

#NTP Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT


# udp_outbound chain (must be created before it can be appended to)
$IPT -N udp_outbound
#
#ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

# Passive FTP (one line, so "-j ACCEPT" belongs to this rule)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:63000 -j ACCEPT

# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Email Server (SMTP SUBMISSION)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 587 -j ACCEPT

# Email Server (POP3)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Email Server (IMAP4)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# SSL Email Server (POP3s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT

# SSL Email Server (IMAP4s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# Munin
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 4949 -j ACCEPT

# Rsync
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 873 -j ACCEPT

# openvpn
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1194 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT

# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT


echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# Accept Established Connections (one line: without the "-j ACCEPT" this
# rule only counts packets, and established sessions are left to the
# later chains and the DROP policy)
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets


echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT


-RV
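The ruleset RV asks for at the top of the thread, written as an added example (this is not RV's or Arturo's script): a POSIX sh script that emits the filter table in iptables-save format for iptables-restore to load atomically, plus an awk linter that checks the text before anything is loaded. Assumptions not taken from the thread: the OpenVPN device is tun0, the VPN subnet is the 172.16.0.0/24 RV mentions, and 22/tcp stays open for administration as in the posted script. The linter looks for exactly the two kinds of defect a hand-written flush-and-append script can pick up silently: an -A line that has lost its -j target (a wrapped line) and a chain that is appended to or jumped to but never created.

```shell
#!/bin/sh
# Added example (not the script from the thread). Emits the filter table in
# iptables-save format; iptables-restore applies it in one commit, so there is
# never a window where the policy is already DROP but the ACCEPT rules are not
# yet in place. Assumptions: VPN device tun0, VPN subnet 172.16.0.0/24, and
# 22/tcp kept for administration.

INET_IFACE="venet0"
VPN_IFACE="tun0"             # assumption: OpenVPN's tun device
VPN_NET="172.16.0.0/24"      # subnet described in the thread
TCP_PORTS="22 25 80 443 587 1194"
UDP_PORTS="1194"

# Print the complete ruleset. Only SYN packets reach tcp_inbound; anything
# else that is not ESTABLISHED/RELATED falls through to the DROP policy.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:tcp_inbound - [0:0]
:udp_inbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $VPN_IFACE -s $VPN_NET -j ACCEPT
-A INPUT -i $INET_IFACE -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $INET_IFACE -p tcp --syn -j tcp_inbound
-A INPUT -i $INET_IFACE -p udp -j udp_inbound
EOF
    for p in $TCP_PORTS; do
        echo "-A tcp_inbound -p tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A udp_inbound -p udp --dport $p -j ACCEPT"
    done
    echo "COMMIT"
}

# Sanity-check a ruleset read from stdin. In iptables-save format every chain
# is declared with a ":name" line before the rules, so one pass suffices.
# Reports each problem and returns 1 if any was found.
lint_rules() {
    awk '
        BEGIN { bad = 0 }
        /^:/  { sub(/^:/, ""); declared[$1] = 1 }
        /^-A/ {
            if (!($2 in declared)) { print "undeclared chain: " $2; bad = 1 }
            target = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "") { print "rule without target: " $0; bad = 1 }
            else if (!(target in declared) && target !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG)$/) {
                print "jump to unknown chain: " target; bad = 1
            }
        }
        END { exit bad }
    '
}

# Stand-alone use: "sh rules.sh print" shows the ruleset, "sh rules.sh check"
# lints it; loading is left to the operator (see the note below).
case "${1:-}" in
    print) gen_rules ;;
    check) gen_rules | lint_rules && echo "ruleset ok" ;;
esac
```

To load it, lint first and then feed the same text to iptables-restore, for example `sh rules.sh check && sh rules.sh print | iptables-restore`. Because the whole table is committed at once, a typo in any line makes iptables-restore reject the file and leaves the running rules untouched, which is the behaviour you want from a script you run over SSH.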

