So in my last blog post I promised that I would talk about iptables, and basically I have been a little lax in getting the IPTables rules configured on the new servers I have set up. I mentioned that IPTables is quite powerful, and it can be if configured to be, but I am using it as a basic firewall, so that should I accidentally configure a service to listen on an external port it won't be reachable. On top of this I am going to set the rules up so that the three default chains drop packets that don't match any rule, meaning I am using them as a first-match-allows firewall with a default drop.
Again we must plan our rules out. What we want to allow in can be configured as we go; in essence, at each stage we decide what the server is allowed to do. But for what we allow out, there are some basics we must consider.
This is a Debian server using http deb repos, so we need to allow HTTP traffic; HTTPS could be handy too, and as a mail server we need to allow port 25 outbound. But all of these need to know what IP address to connect to, so first we need to allow DNS.
Combined, this gives us a set of starting rules:
# established TCP connections, in and out, for both IPv4 and IPv6
iptables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
# let the server be pinged: echo requests in, echo replies out
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# loopback is unrestricted
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# DNS: UDP queries out and answers back, TCP queries out
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
ip6tables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# outbound HTTP, HTTPS and SMTP
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# inbound SSH, which is how the server is managed
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
This starts by allowing any established connections, inbound or outbound, to continue, then we allow ICMP echo requests in and echo replies out (so the server can be pinged) and any traffic on the loopback interface. After that we add the rules discussed above, and finally we allow inbound ssh connections, since that is how we are managing the server.
Once those are configured we just save the rules to the persistence files at /etc/iptables/rules.v4 and /etc/iptables/rules.v6 and they will persist across reboots.
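As an added example (my own, not the commands from the post), here is a small POSIX shell script that produces rules.v4 and rules.v6 in the iptables-restore format that the persistence files hold, with DROP as the policy on INPUT, FORWARD and OUTPUT so the default-drop goal above is part of the file rather than a separate step. It departs from the post's rules in three ways, all assumptions of this example: replies are matched for every protocol with conntrack RELATED,ESTABLISHED (so UDP DNS answers are accepted because they belong to a query the server sent, not because they arrive from source port 53); the IPv6 set allows ICMPv6 router and neighbour discovery, without which an IPv6 host behind DROP policies cannot reach its router; and the interface name is a parameter (the post uses eth0). The port lists, the write_files helper and the output directory are also this example's own.

```shell
#!/bin/sh
# Added example, not the post's own commands: build rules.v4 and rules.v6 in
# iptables-restore format with DROP policies on the three built-in chains.
# Assumptions (not from the post): conntrack RELATED,ESTABLISHED for every
# protocol instead of a TCP-only state rule plus a UDP source-port-53 rule;
# ICMPv6 neighbour discovery allowed in the IPv6 set; interface as a parameter.

OUT_TCP_PORTS="53 80 443 25"   # DNS over TCP, HTTP, HTTPS, SMTP
IN_TCP_PORTS="22"              # SSH, the only service reachable from outside

emit() { printf '%s\n' "$*"; }   # one line per rule; safe for a leading '-'

# gen_rules FAMILY IFACE  (FAMILY is 4 or 6) -> iptables-restore text on stdout
gen_rules() {
  fam="$1"; iface="$2"
  emit '*filter'
  emit ':INPUT DROP [0:0]'
  emit ':FORWARD DROP [0:0]'
  emit ':OUTPUT DROP [0:0]'
  # loopback is unrestricted
  emit "-A INPUT -i lo -j ACCEPT"
  emit "-A OUTPUT -o lo -j ACCEPT"
  # anything belonging to a connection already accepted by a rule below, any protocol
  emit "-A INPUT -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  emit "-A OUTPUT -o $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  if [ "$fam" = 4 ]; then
    emit "-A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT"
    emit "-A OUTPUT -o $iface -p icmp --icmp-type echo-reply -j ACCEPT"
  else
    # router solicitation/advertisement (133/134), neighbour solicitation/advertisement (135/136)
    for t in 133 134 135 136; do
      emit "-A INPUT -i $iface -p icmpv6 --icmpv6-type $t -j ACCEPT"
      emit "-A OUTPUT -o $iface -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    emit "-A INPUT -i $iface -p icmpv6 --icmpv6-type echo-request -j ACCEPT"
    emit "-A OUTPUT -o $iface -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
  fi
  # new outbound connections: DNS over UDP, then the TCP services
  emit "-A OUTPUT -o $iface -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
  for p in $OUT_TCP_PORTS; do
    emit "-A OUTPUT -o $iface -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # new inbound connections: management only
  for p in $IN_TCP_PORTS; do
    emit "-A INPUT -i $iface -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  emit 'COMMIT'
}

# rule_count FILE -> number of -A lines; a quick sanity check before loading
rule_count() { grep -c '^-A ' "$1"; }

# write_files [DIR] -> writes DIR/rules.v4 and DIR/rules.v6 (default /etc/iptables)
write_files() {
  dir="${1:-/etc/iptables}"
  gen_rules 4 eth0 > "$dir/rules.v4"
  gen_rules 6 eth0 > "$dir/rules.v6"
}

# Usage (as root):  sh genrules.sh write /etc/iptables
#                   iptables-restore --test /etc/iptables/rules.v4   # syntax check only
#                   ip6tables-restore --test /etc/iptables/rules.v6
if [ "${1:-}" = "write" ]; then
  write_files "$2"
fi
```

Loading the generated file with iptables-restore replaces the whole filter table in one operation, so the DROP policies and the RELATED,ESTABLISHED rule take effect together and an ssh session used to apply them keeps working; the --test flag checks the file parses without touching the live rules, which is worth doing before a reboot picks the file up.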
Next time I shall discuss how I'm going to get the ssl certs I want from letsencrypt.org and hopefully that will be less rushed.