I recently rebuilt my personal web server and did a whole load of optimisations and server hardening, so I thought I’d document the installation of IPTables, which made up one part of that.
IPTables is a well-known Linux firewall; I’ve decided to use it on my server as it’s easily available from the Ubuntu package repository…
Let’s start by installing it:-
apt-get install iptables
We’re going to create two files, /etc/iptables.test.rules and /etc/iptables.up.rules. The first is a temporary (test) set of rules and the second is the ‘permanent’ set of rules (this is the one iptables will use when starting up, after a reboot for example).
Note: we are logged in as the root user. This is the only time we will log in as the root user. As such, if you are completing this step at a later date using the admin user, you will need to put ‘sudo’ in front of the commands.
Using the following command you can see what rules IPTables is currently using; try it now:-
iptables -L
You should see something similar to:-
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
So currently, as you can see from your console output after running the IPTables ‘list’ command, your server is accepting ALL incoming connections: every chain has a default policy of ACCEPT and no rules at all.
I’ve made a ‘firewall rules’ file which you can download: iptables_webserver_rules.
The rules currently only accept incoming connections on port 80 (standard web server); you can, however, uncomment the HTTPS line too to enable incoming HTTPS traffic if you wish. In addition to the HTTP traffic, I’ve also got a rule in there which allows traffic to SSH (currently on port 22), but I’d recommend you change your SSH port!
You can either upload the file and rename it to /etc/iptables.test.rules, or simply create the file and then paste in the contents like so…
nano /etc/iptables.test.rules
The rules are very simple and are not designed to give you the ultimate firewall. They are a simple beginning; you may want to fine-tune your rules and also limit outgoing connections to protect against PHP hosting users who write PHP scripts that could potentially do nasty things (such as joining a botnet, etc.).
We can now apply these rules to the server like so:-
iptables-restore < /etc/iptables.test.rules
Now, by running the IPTables ‘list’ command again, you should see the new settings taking effect:-
iptables -L
If you’re happy with how the rules look, we can now permanently save the rules to our ‘up’ file, which we’ll shortly configure to be used at startup…
iptables-save > /etc/iptables.up.rules
Note: if you are using ‘sudo’, please use this command instead (otherwise you’ll get a permission error despite prefixing the above command with sudo, because the ‘>’ redirection is performed by your unprivileged shell, not by the sudo’d process):
sudo iptables-save | sudo tee /etc/iptables.up.rules
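Since the linked rules file is not reproduced here, the following is an added example (not the author’s iptables_webserver_rules file) that writes a ruleset matching the description above in iptables-save format and checks it for the properties that stop you locking yourself out before iptables-restore loads it; SSH_PORT is an assumed variable defaulting to 22, and the conntrack match assumes a reasonably current iptables.

```shell
#!/bin/sh
# Added example (not the author's iptables_webserver_rules file): write the
# ruleset the post describes in iptables-save format, then sanity-check it
# before it is handed to iptables-restore. SSH_PORT is an assumed variable.
SSH_PORT="${SSH_PORT:-22}"

# write_rules FILE: constructed ruleset, HTTP in, HTTPS commented out, SSH in.
write_rules() {
    cat > "$1" <<EOF
*filter
# Default policies: drop anything inbound that no rule below accepts.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must stay open or local services (e.g. a DB on 127.0.0.1) break.
-A INPUT -i lo -j ACCEPT
# Replies to connections the server itself opened, and sessions already up.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Standard web server port.
-A INPUT -p tcp --dport 80 -j ACCEPT
# Uncomment to allow HTTPS.
#-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH, so the administrator is not locked out (change the port in sshd too).
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# Log what gets dropped so the decision is visible in syslog, rate-limited.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# check_rules FILE: return 0 only if FILE keeps a remote admin from locking
# themselves out when iptables-restore loads it; otherwise say what is wrong.
check_rules() {
    f="$1"
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; return 1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback not accepted"; return 1; }
    grep -q 'ESTABLISHED,RELATED' "$f" || { echo "no conntrack rule: existing sessions would stall"; return 1; }
    grep -q -- "--dport ${SSH_PORT} -j ACCEPT" "$f" || { echo "SSH port ${SSH_PORT} not accepted"; return 1; }
    grep -q '^COMMIT' "$f" || { echo "missing COMMIT line"; return 1; }
}

# Usage as root:
#   write_rules /etc/iptables.test.rules
#   check_rules /etc/iptables.test.rules && iptables-restore < /etc/iptables.test.rules
```

Running check_rules on the test file before iptables-restore is the cheap step that catches a missing SSH or loopback rule while you still have a working session.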
Now we need to ensure that the IPTables rules are applied when we reboot the server. At the moment, the changes will be lost on reboot and it will go back to allowing everything from everywhere.
Open the file /etc/network/interfaces like so:-
nano /etc/network/interfaces
Now add a single line (pre-up iptables-restore < /etc/iptables.up.rules), as shown below, after the ‘iface lo inet loopback’ line:
...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules

# The primary network interface
...
Restart your server and your firewall should now be protecting your server! – Congratulations 🙂