MINIMAL IPTABLES EXAMPLE – MAKING SURE WE DON'T LOSE ACCESS TO THE VPS VIA SSH
###############################################
NOTE: this is really minimal; for something more thorough check out my iptables-for-a-webserver (like WordPress) article
Sources:
A VPS (virtual private server) usually comes preconfigured with a Linux box that allows everything, so it's important to lock it down, but at the same time not lose your own access. These are the minimal settings you should have.
INTRO
=====
Step 0: make sure you're root, because I don't like using the sudo command; if you do, put sudo before every command, or just "sudo -i" to get a root shell (another way is "su -" or just "su").
First: ifconfig (or "ip addr") to see your IP and all of your interfaces, and note their names. To check the tables: "iptables -L"; with counters: "iptables -vL" (add -n, i.e. "iptables -nvL", so it doesn't do a slow reverse-DNS lookup on every address).
For example my internet interface is usually eth0, but in this case it's venet0. Luckily in this simple config we will not use any interface names and just apply the rules to every interface; the loopback is the one exception (we allow everything to it).
A system usually starts off with all access allowed in, out and through (through is actually what we call FORWARD). We want to keep our own access while we're SSHed into the system: if I block SSH or anything it depends on, then bam, we lose access and have to get the VPS back through the provider's console or rescue mode. So the trick is to allow SSH inbound first, while you're connected, and only then start turning off the defaults. (We don't actually turn off the default; we circumvent it with a "catch-all" DROP rule right before it, so the default is never acted upon. What am I talking about? The default policy of the INPUT chain is usually ACCEPT, i.e. everyone in; but iptables checks the rules top to bottom and stops at the first match, so if I put a rule above the policy that says nobody is allowed in, the policy is never consulted.)
THE CONFIG – no loss to ssh
############################
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT # -I with a position inserts at that spot, here the top (the simpler script below just does everything in order, so it appends this one first; I'm just showing off the 'insert rule at the top or any position' ability)
The order matters because the first matching rule wins: the SSH ACCEPT goes in before the catch-all DROP, so the session you are working from is never cut off. Note that the chain policies (the ACCEPT you see as ":INPUT ACCEPT" in iptables-save output) are untouched and still sit at the very bottom of the list; they only apply to packets no rule matched, and the DROP matches everything, so they are never reached. Two consequences: "iptables -F" removes the DROP and reopens everything (which is exactly what the "clear everything" section at the end relies on), and any rule you later add with "iptables -A INPUT ..." lands below the DROP and never matches, so open new ports with "iptables -I INPUT <position> ..." above the DROP instead.
SIMPLER
#######
Simplest rules (without showing off the insert-at-position trick):
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
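Putting the rules in iptables-restore format, loading them in one atomic step and arming a timed rollback is how to make the "don't lose SSH" trick safe even when you typo a port. The script below is an added example written for this article, not code from it: the function names, the backup and confirm files under /tmp and the 60-second window are my own choices. Run it as root with "sh lockout-safe.sh apply 22 80", open a new SSH session to prove you still can, and run "sh lockout-safe.sh confirm" from that new session; if the new login fails, do nothing and the old rules come back by themselves.

```shell
#!/bin/sh
# Added example for this article (not the article's own code): generate the
# minimal ruleset as an iptables-restore file, load it atomically, and roll
# back automatically unless a fresh SSH login confirms it. Function names,
# the files under /tmp and the 60 s default window are assumptions.

# gen_rules SSH_PORT [EXTRA_TCP_PORT ...]
# Prints the *filter table. Policies stay ACCEPT as in the article; the last
# rule is the catch-all DROP. RELATED,ESTABLISHED goes first so the SSH
# session you are typing in keeps working whatever comes after it.
gen_rules() {
    ssh_port=$1
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# rules_allow_port RULESET_TEXT PORT
# Succeeds only if an ACCEPT for that TCP port appears ABOVE the catch-all
# DROP; a rule appended below the DROP never matches, which is the classic
# mistake once this config is in place.
rules_allow_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^-A INPUT -j DROP$/ { dropped = 1 }
        !dropped && $0 == "-A INPUT -p tcp --dport " p " -j ACCEPT" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# apply_with_rollback RULESET_TEXT [SECONDS]
# Backs up the live rules, loads RULESET_TEXT in one atomic iptables-restore,
# and schedules a restore of the backup unless confirm_rules runs first.
apply_with_rollback() {
    ruleset=$1
    seconds=${2:-60}
    backup=/tmp/iptables.before-apply
    confirm=/tmp/iptables.confirmed
    rm -f "$confirm"
    iptables-save -c > "$backup" || return 1
    printf '%s\n' "$ruleset" | iptables-restore || return 1
    # nohup: if the SSH session that started this dies (the very case we are
    # guarding against), the hang-up must not kill the rollback timer too.
    nohup sh -c "sleep $seconds; [ -e $confirm ] || iptables-restore -c < $backup" \
        > /dev/null 2>&1 &
    echo "New rules loaded. Log in again and run 'confirm' within $seconds s, or they roll back."
}

# confirm_rules: call from a NEW login to cancel the pending rollback.
confirm_rules() {
    touch /tmp/iptables.confirmed
}

# Usage (as root):  sh lockout-safe.sh apply 22 80 443
#                   sh lockout-safe.sh confirm        (from a new SSH login)
# With no arguments nothing on the system is touched.
case "${1:-}" in
    apply)
        shift
        rules=$(gen_rules "$@")
        rules_allow_port "$rules" "$1" || { echo "SSH port $1 is not accepted above the DROP"; exit 1; }
        apply_with_rollback "$rules"
        ;;
    confirm) confirm_rules ;;
esac
```

iptables-restore replaces the whole table in one go, so a typo in any line leaves the old rules untouched instead of half-applied; rules_allow_port is there for checking hand-edited rule files, where an ACCEPT that slipped below the DROP is easy to miss.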
SAVE RULES TO FILE
##################
JUST TO DUMP THE CURRENT RULES TO THE SCREEN (stdout):
iptables-save
EXAMPLE OUTPUT:
# Generated by iptables-save v1.4.14 on Wed Aug 28 11:53:54 2013
*nat
:PREROUTING ACCEPT [86:5510]
:POSTROUTING ACCEPT [255:16686]
:OUTPUT ACCEPT [255:16686]
COMMIT
# Completed on Wed Aug 28 11:53:54 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 11:53:54 2013
*mangle
:PREROUTING ACCEPT [328444:467708319]
:INPUT ACCEPT [328444:467708319]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [184620:29070873]
:POSTROUTING ACCEPT [184620:29070873]
COMMIT
# Completed on Wed Aug 28 11:53:54 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 11:53:54 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1129:168931]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Aug 28 11:53:54 2013
TO SAVE TO A FILE:
==================
iptables-save > /etc/iptables.rules
TO RESTORE RULES:
=================
iptables-restore < /etc/iptables.rules
Essentially we just want to run that at boot up.
COUNTERS OPTION:
===============
If you use the -c option, all of the counters get saved (and restored) as well. Remember you can see the counters with "iptables -nvL".
iptables-save -c > /etc/iptables.rules
iptables-restore -c < /etc/iptables.rules
TO SEE HOW IT LOOKS (note this doesn't touch any file; as stated before, iptables-save just dumps to stdout unless you redirect it with >):
iptables-save -c
OUTPUT:
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:29:03 2013
*nat
:PREROUTING ACCEPT [107:6554]
:POSTROUTING ACCEPT [255:16686]
:OUTPUT ACCEPT [255:16686]
COMMIT
# Completed on Wed Aug 28 12:29:03 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:29:03 2013
*mangle
:PREROUTING ACCEPT [331366:467920887]
:INPUT ACCEPT [331366:467920887]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [186183:29298635]
:POSTROUTING ACCEPT [186183:29298635]
COMMIT
# Completed on Wed Aug 28 12:29:03 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:29:03 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [828:98044]
[0:0] -A INPUT -i lo -j ACCEPT
[1597:115560] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[5:272] -A INPUT -j DROP
COMMIT
# Completed on Wed Aug 28 12:29:03 2013
BOOTING AND SHUTTING DOWN AND DEALING WITH CONFIG
##################################################
Since networking in Debian is configured through /etc/network/interfaces, we can add directives on the lines under the "iface ... inet ..." stanza of the interface: pre-up runs before the interface is brought up, post-down after it is taken down. Note that a failing pre-up command stops ifup from bringing the interface up, so make sure /etc/iptables.rules exists before you add this.
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules
OR to save with counters:
pre-up iptables-restore -c < /etc/iptables.rules
post-down iptables-save -c > /etc/iptables.rules
BEST WAY – BOOTING AND SHUTTING DOWN AND DEALING WITH CONFIG
###################################################################
OR EVEN BETTER (which applies to all interfaces):
Just put scripts in "/etc/network/if-pre-up.d" and "/etc/network/if-post-down.d" and make them executable. Two gotchas: ifupdown runs these directories with run-parts, which silently skips any file whose name contains characters other than letters, digits, "_" and "-", so a name ending in ".sh" is never run; and a pre-up script that exits non-zero stops ifup from bringing the interface up, so the restore script must not fail just because /etc/iptables.rules is missing yet. Give the scripts a #!/bin/sh line and names without a suffix.
AUTO START – need to restore with counters:
============================================
cat > /etc/network/if-pre-up.d/my-iptables-restore <<'EOF'
#!/bin/sh
[ -r /etc/iptables.rules ] || exit 0
iptables-restore -c < /etc/iptables.rules
EOF
chmod +x /etc/network/if-pre-up.d/my-iptables-restore
AUTO TURN OFF – need to save with counters:
=============================================
cat > /etc/network/if-post-down.d/my-iptables-save <<'EOF'
#!/bin/sh
iptables-save -c > /etc/iptables.rules
EOF
chmod +x /etc/network/if-post-down.d/my-iptables-save
CONFIRM THEY ARE CORRECT:
=========================
cd /etc/network
# find -iname "*ip*" -exec echo {} \; -exec cat {} \;
OUTPUT SHOULD BE:
./if-post-down.d/my-iptables-save
#!/bin/sh
iptables-save -c > /etc/iptables.rules
./if-pre-up.d/my-iptables-restore
#!/bin/sh
[ -r /etc/iptables.rules ] || exit 0
iptables-restore -c < /etc/iptables.rules
And check that run-parts will actually pick them up (it prints the scripts it would run without running them):
# run-parts --test /etc/network/if-pre-up.d
/etc/network/if-pre-up.d/my-iptables-restore
# run-parts --test /etc/network/if-post-down.d
/etc/network/if-post-down.d/my-iptables-save
TESTING
========
HOW TO TEST IF IT WORKS – JUST REBOOT AND SEE IF THE RULES ARE ACTIVE ("iptables -nvL"), AND CHECK THAT THE DATES IN THE CONFIG FILE WERE UPDATED
grep -i "generated by" /etc/iptables.rules
BEFORE REBOOT THE OUTPUT IS
# grep -i "generated by" /etc/iptables.rules
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:07:08 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:07:08 2013
# Generated by iptables-save v1.4.14 on Wed Aug 28 12:07:08 2013
REBOOT
# shutdown -r now
AFTER REBOOT OUTPUT IS
If you want to log it, you can add an echo line to the bottom of each script, so they end up looking like this.
./if-post-down.d/my-iptables-save
————————————
iptables-save -c > /etc/iptables.rules
echo "Last save ::: $(date)" >> /root/my-iptables.log
./if-pre-up.d/my-iptables-restore
—————————————
iptables-restore -c < /etc/iptables.rules
echo "Last Restore ::: $(date)" >> /root/my-iptables.log
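The hook scripts for the if-pre-up.d / if-post-down.d method above and the logging variant just shown, written as one installer you can run and verify. This is an added example for this article, not the article's own commands: the hook names my-iptables-restore and my-iptables-save, the optional target-directory argument (used for testing in a scratch directory) and the ${IFACE} note in the log line are my choices; ifupdown sets IFACE to the interface being brought up or down when it runs these hooks.

```shell
#!/bin/sh
# Added example for this article (not its own code): install ifupdown hooks
# that restore the firewall before an interface comes up and save it after
# one goes down. Hook names and the optional base directory are assumptions.

# valid_runparts_name NAME
# run-parts (which ifupdown uses for the if-*.d directories) only executes
# files whose names consist of letters, digits, '_' and '-'. Anything else,
# e.g. "my-iptables-restore.sh", is skipped without a word.
valid_runparts_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_hooks [NETWORK_DIR]
# Writes the two hook scripts under NETWORK_DIR (default /etc/network).
install_hooks() {
    base=${1:-/etc/network}
    restore=$base/if-pre-up.d/my-iptables-restore
    save=$base/if-post-down.d/my-iptables-save
    for f in "$restore" "$save"; do
        valid_runparts_name "$(basename "$f")" || return 1
        mkdir -p "$(dirname "$f")"
    done
    # A pre-up hook that exits non-zero stops ifup from bringing the
    # interface up, which on a VPS means no SSH at all. So: no rules file is
    # a no-op, and a broken rules file is logged but still leaves the box
    # reachable (open, because the policies are ACCEPT) rather than dead.
    cat > "$restore" <<'EOF'
#!/bin/sh
RULES=/etc/iptables.rules
[ -r "$RULES" ] || exit 0
if iptables-restore -c < "$RULES"; then
    echo "Last restore ::: $(date) (iface ${IFACE:-?})" >> /root/my-iptables.log
else
    echo "RESTORE FAILED ::: $(date) (iface ${IFACE:-?})" >> /root/my-iptables.log
fi
exit 0
EOF
    cat > "$save" <<'EOF'
#!/bin/sh
iptables-save -c > /etc/iptables.rules || exit 1
echo "Last save ::: $(date) (iface ${IFACE:-?})" >> /root/my-iptables.log
EOF
    chmod 755 "$restore" "$save"
}

# check_hooks [NETWORK_DIR]
# The real test: list what run-parts would execute in each directory.
check_hooks() {
    base=${1:-/etc/network}
    run-parts --test "$base/if-pre-up.d"
    run-parts --test "$base/if-post-down.d"
}

# Usage (as root): sh install-hooks.sh install   then   sh install-hooks.sh check
# With no arguments nothing on the system is touched.
case "${1:-}" in
    install) install_hooks "${2:-}" ;;
    check)   check_hooks "${2:-}" ;;
esac
```

The hooks run once per interface (including lo), so on a box with several interfaces the restore happens more than once; that is harmless, since iptables-restore replaces the whole ruleset each time.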
TROUBLESHOOTING NOT SAVING AND RESTORING
###########################################
In my case the above didn't work because the /etc/network/if*.d scripts were not running. I'm sure I can make it so they run appropriately, but I did it another way (a less recommended way :/ because I'm about to change a default system file. Oh well, this is Linux, this is what it's all about).
If the above didn't work and it's not running those scripts on reboots (you would know based on whether the my-iptables.log file exists or has new entries):
You can put those commands in the start case and stop case of one of the scripts that you see start and stop at different runlevels (make sure you see a stop script in the rc0 and rc6 locations, for halt and reboot respectively, so it runs on reboots and shutdowns). For me the networking script /etc/init.d/networking was run from rcS.d with the start case because of the S## prefix, and that script was stopped on halt/reboot because it had a K## prefix in rc0.d and rc6.d. rcS means those are all the start-up scripts, and rc0 and rc6 mean the halt and reboot scripts respectively. For more info on that, research runlevels for Debian or whatever system you have (hopefully Debian or a similar system that has /etc/init.d/).
Just find the start case and the stop case and add the lines below that start and end with ###:
…a lot of code above…
start)
### MY CHANGE – iptables:
iptables-restore -c < /etc/iptables.rules
echo “Last Restore ::: `date`” >> /root/my-iptables.log
### END OF CHANGE
…rest of the code…
stop)
### MY CHANGE – iptables:
iptables-save -c > /etc/iptables.rules
echo “Last save ::: `date`” >> /root/my-iptables.log
### END OF CHANGE
…rest of the code…
Anyhow, after that I initiated a reboot and it all worked.
TO WATCH IPTABLES COUNTERS
#########################
watch -n 0 "iptables -nvL" # watch won't go below 0.1 s anyway
while true; do iptables -nvL; sleep 1; done
OR highlight what changed since the last refresh with watch -d:
watch -n0 -d "iptables -nvL"
OR print only the lines that changed (the first pass complains that /tmp/prev123 doesn't exist yet; that's harmless, it's created by the mv):
watch -n0 "(iptables -nvL > /tmp/now123); (diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff); (cat /tmp/diff); (mv -f /tmp/now123 /tmp/prev123);"
while true; do iptables -nvL > /tmp/now123; diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff; clear; cat /tmp/diff; mv -f /tmp/now123 /tmp/prev123; sleep 1; done
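A diff of two full listings also shows every byte-counter tick and the header lines; what you usually want is "which rule matched, and how many packets". The snippet below is an added example, not from the article: it takes two snapshots of "iptables -nvL -x" (-x prints exact counts instead of 12K/3M, which diff cannot subtract) and prints only the rules whose packet count moved. The sample snapshots inside sample_delta are constructed by hand for illustration, not real captures.

```shell
#!/bin/sh
# Added example for this article (not its own code): show only the rules whose
# packet counter moved between two 'iptables -nvL -x' snapshots.
# Function names and the constructed sample below are this example's own.

# counter_delta PREV_FILE NOW_FILE
# Prints "+<packets> <rule>" for every rule line whose pkts column changed.
# Both files must be snapshots of the same ruleset (same line layout); header
# lines ("Chain ...", "pkts bytes ...") have a non-numeric first field and
# are ignored.
counter_delta() {
    awk '
        NR == FNR { if ($1 ~ /^[0-9]+$/) prev[FNR] = $1; next }
        $1 ~ /^[0-9]+$/ && (FNR in prev) && $1 != prev[FNR] {
            delta = $1 - prev[FNR]
            $1 = ""; $2 = ""          # drop pkts/bytes, keep the rule text
            sub(/^ +/, "")
            printf "+%d %s\n", delta, $0
        }' "$1" "$2"
}

# watch_delta [INTERVAL]: live loop, Ctrl-C to stop. Needs root for iptables.
watch_delta() {
    prev=$(mktemp); now=$(mktemp)
    iptables -nvL -x > "$prev"
    while sleep "${1:-1}"; do
        iptables -nvL -x > "$now"
        clear
        counter_delta "$prev" "$now"
        cp "$now" "$prev"
    done
}

# sample_delta: two CONSTRUCTED snapshots (not real captures) of the
# article's ruleset, 23 more SSH packets and 4 more dropped ones apart.
sample_delta() {
    p=$(mktemp); n=$(mktemp)
    cat > "$p" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1597   115560 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       5      272 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    cat > "$n" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1620   117000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       9      480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    counter_delta "$p" "$n"
    rm -f "$p" "$n"
}

# Usage: sh counter-delta.sh sample   (demo on the constructed data)
#        sh counter-delta.sh watch 2  (live, as root)
case "${1:-}" in
    sample) sample_delta ;;
    watch)  watch_delta "${2:-1}" ;;
esac
```

Running the sample prints two lines, the SSH ACCEPT with +23 and the DROP with +4; the untouched lo and port-80 rules and the headers stay out of the way, which is what you want when you are watching a box for probes.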
TO ALLOW EVERYONE (CLEAR EVERYTHING)
######################################
-P sets a chain's policy back to ACCEPT, -F flushes all rules in the table (leaving just the empty INPUT, FORWARD and OUTPUT chains), and -X deletes the (now empty) user-defined chains. -F does not touch the policies, so set them to ACCEPT first: if a policy were DROP, flushing first would leave the box unreachable until the -P lines ran. Do the filter table first (that is where the catch-all DROP lives), then nat and mangle.
echo "Stopping firewall and allowing everyone..."
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X