
Creating a Firewall

Now it's time to set up a firewall to limit and block unwanted inbound traffic to your server. This step is optional, but we strongly recommend that you use the example below to block traffic to every port that is not in use. It is a good way to deter would-be intruders, and it means a service you later install by accident is not reachable from the internet until you deliberately open its port. You can always modify the rules or disable the firewall later.

Newer versions of CentOS (7 and later) and Fedora ship with firewalld configured as the default firewall. firewalld is a front end that manages the same kernel packet filter that iptables drives and adds zone-based, enterprise-focused functionality that will not be covered in this guide. For reference, documentation for configuring firewalld can be found at Red Hat's Customer Portal. If firewalld is running it will manage the same rule tables and conflict with the rules loaded below, so either use firewalld instead of this section or stop and disable it first (sudo systemctl stop firewalld, then sudo systemctl disable firewalld).

Here's how to create a firewall on your server:

  1. Check your server's default firewall rules by entering the following command (add -n to skip reverse DNS lookups and -v to show per-rule packet and byte counters):
    sudo iptables -L
    
  2. Examine the output. If you haven't implemented any firewall rules yet, you should see an empty ruleset, as shown below. All three chains have a policy of ACCEPT and no rules, so every packet is currently allowed through:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
  3. Create a file to hold your firewall rules by entering the following command:
    sudo nano /etc/iptables.firewall.rules
    
  4. Now it's time to create some firewall rules. We've created some basic rules to get you started. Copy and paste the rules shown below into the iptables.firewall.rules file you just created.
    Please note that this draft does NOT allow FTP access. To allow the FTP control connection, add the following INPUT rule before the final DROP rule:
    # Allow FTP connections
    -A INPUT -p tcp --dport 21 -j ACCEPT
    Please note that port 21 only covers the control connection. In active mode the data connection is opened outbound by the server from port 20, so the OUTPUT and ESTABLISHED,RELATED rules below already cover it. In passive mode the client opens an inbound connection to a random high port on the server, so you must additionally either load the FTP connection-tracking helper (modprobe nf_conntrack_ftp; ip_conntrack_ftp on older kernels) so that those data connections match RELATED, or open the passive port range your FTP server is configured to use. Plain FTP also sends credentials in cleartext, so prefer SFTP over the SSH port where you can.
    /etc/iptables.firewall.rules
    *filter
    
    #  Allow all loopback (lo) traffic and reject all traffic to 127/8 that doesn't arrive on lo
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 -j REJECT
    
    #  Accept all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #  Allow all outbound traffic - you can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT
    
    #  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    
    #  Allow SSH connections
    #
    #  The --dport number should be the same port number you set in sshd_config
    #
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    
    #  Allow ping
    -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    
    #  Log packets that reach this point (about to be dropped), rate-limited to 5 per minute
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    #  Drop all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j DROP
    -A FORWARD -j DROP
    
    COMMIT
    
    
  5. Edit the rules as necessary. By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other inbound ports will be blocked. If you changed the Port directive in sshd_config, change the SSH rule to match before you load the rules, or you will lock yourself out.

    Be sure to revise these rules if you add new services later.

  6. Optional: stop and check what else you need to authorise, for example a database port (3306 for MySQL, 5432 for PostgreSQL) or FTP. Only open a port if the service really must be reachable from outside; a database used only by the web application on the same host needs no inbound rule at all.

    Save the changes to the firewall rules file by pressing Control-X, and then Y.

  7. Activate the firewall rules by entering the following command:
    sudo iptables-restore < /etc/iptables.firewall.rules
    
    You can first have iptables parse the file without loading it, which catches syntax errors, with sudo iptables-restore --test < /etc/iptables.firewall.rules. Keep your current SSH session open while you load the rules and confirm that a second, new SSH session can still connect; if it cannot, fix the rules from the session you still have.

  8. Recheck your server's firewall rules by entering the following command:
    sudo iptables -L
    
    
  9. Examine the output. The new ruleset should look like the one shown below:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    ACCEPT     icmp --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    
  10. Now you need to ensure that the firewall rules are activated every time you restart your server.
    1. Debian/Ubuntu users: Start by creating a new script with the following command:
      sudo nano /etc/network/if-pre-up.d/firewall
      

      Copy and paste the following lines into the file you just created:

      /etc/network/if-pre-up.d/firewall
      #!/bin/sh
      /sbin/iptables-restore < /etc/iptables.firewall.rules
      

      Press Control-X and then press Y to save the script. Set the script's permissions by entering the following command:

      sudo chmod +x /etc/network/if-pre-up.d/firewall
      

      Note that if-pre-up.d hooks are run by ifupdown. On releases that configure networking with netplan or NetworkManager instead, install the iptables-persistent package (rules live in /etc/iptables/rules.v4 and are written with sudo netfilter-persistent save) rather than relying on this hook.

    2. CentOS/Fedora users:

      If you are using CentOS 6.x, save your current iptables rules with the following command (they are written to /etc/sysconfig/iptables and reloaded by the iptables service at boot):

      sudo /sbin/service iptables save
      

      If you are using CentOS 7 or Fedora 20, the base image does not include iptables-services, and firewalld must be stopped and disabled first (sudo systemctl stop firewalld, then sudo systemctl disable firewalld). The package ships its own default ruleset in /etc/sysconfig/iptables, and starting the service loads that file, so reload your rules and save them before enabling the service:

      sudo yum install -y iptables-services
      sudo iptables-restore < /etc/iptables.firewall.rules
      sudo /usr/libexec/iptables/iptables.init save
      sudo systemctl enable iptables
      sudo systemctl start iptables
      

      Whenever you change the rules later, reload them with iptables-restore and run the save command again, otherwise the old rules come back at the next boot.


    That's it! Your firewall rules are in place and protecting your server. Remember, you'll need to edit the firewall rules later if you install other software or services.
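    The procedure above is easy to get wrong in exactly one way that matters: an SSH rule that does not match sshd_config, or that lands after the final DROP, locks you out. The script below is an added example and is not part of the original guide. It builds the same ruleset with the SSH port read from sshd_config and any extra TCP ports or port ranges (a range such as 50000:51000 is how you open a passive-FTP data range alongside 21), runs two text-only checks for the lock-out mistakes, and applies the rules with an automatic rollback. The rules file path is the guide's; the 120-second rollback window and the use of the conntrack match in place of the older state match are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes: the rules file path
# below (same as the guide), a 120-second rollback window, and that
# iptables-save/iptables-restore are on PATH (needed only by apply_rules).

RULES_FILE=/etc/iptables.firewall.rules

# Port directive from sshd_config, default 22 if absent or unreadable.
ssh_port() {
  p=$(awk 'tolower($1) == "port" { print $2; exit }' /etc/ssh/sshd_config 2>/dev/null || true)
  echo "${p:-22}"
}

# gen_rules SSH_PORT [TCP_PORT_OR_RANGE ...]: print an iptables-restore ruleset.
gen_rules() {
  ssh=$1; shift
  printf '%s\n' \
    '*filter' \
    '# loopback traffic only on lo; 127/8 arriving on any other interface is spoofed' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT' \
    '# replies to sessions we already have; conntrack replaces the older state match' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    '-A OUTPUT -j ACCEPT' \
    "-A INPUT -p tcp -m conntrack --ctstate NEW --dport $ssh -j ACCEPT"
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp -m conntrack --ctstate NEW --dport $port -j ACCEPT"
  done
  printf '%s\n' \
    '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' \
    '-A INPUT -j DROP' \
    '-A FORWARD -j DROP' \
    'COMMIT'
}

# check_rules FILE SSH_PORT: text-only checks for the two classic lock-out
# mistakes (no ACCEPT for the SSH port, or the ACCEPT after the final DROP).
check_rules() {
  grep -q '^COMMIT$' "$1" || { echo "missing COMMIT"; return 1; }
  acc=$(grep -n -e "--dport $2 -j ACCEPT" "$1" | head -n 1 | cut -d: -f1)
  [ -n "$acc" ] || { echo "no ACCEPT rule for SSH port $2"; return 1; }
  drop=$(grep -n -e '^-A INPUT -j DROP' "$1" | head -n 1 | cut -d: -f1)
  [ -z "$drop" ] || [ "$acc" -lt "$drop" ] ||
    { echo "SSH ACCEPT comes after the final DROP"; return 1; }
}

# apply_rules FILE SSH_PORT (run as root): back up the live rules, let the
# kernel parse the new file, load it, and restore the backup automatically
# unless you confirm the new ruleset by killing the rollback job.
apply_rules() {
  check_rules "$1" "$2" || return 1
  backup=$(mktemp) && iptables-save > "$backup" || return 1
  iptables-restore --test < "$1" || return 1
  ( sleep 120 && iptables-restore < "$backup" ) &
  rollback=$!
  iptables-restore < "$1" || return 1
  echo "Rules loaded. Open a NEW ssh session now; if it works run: kill $rollback"
}

# Usage: sh firewall.sh             prints the ruleset for review
#        sudo sh firewall.sh apply  applies it and writes $RULES_FILE
port=$(ssh_port)
if [ "${1:-}" = apply ]; then
  tmp=$(mktemp) && gen_rules "$port" 80 443 > "$tmp" &&
    apply_rules "$tmp" "$port" && cp "$tmp" "$RULES_FILE"
else
  gen_rules "$port" 80 443
fi
```

    The rollback job is the important part: if the new rules cut off SSH, the old rules come back on their own two minutes later and you reconnect. Only after a fresh SSH session succeeds do you kill the job and copy the file into place, then persist it with the step for your distribution above.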

    Installing and Configuring Fail2Ban

    Fail2Ban is an application that helps protect your server against brute-force and dictionary attacks on login services. When Fail2Ban detects multiple failed login attempts from the same IP address within a configurable time window, it creates temporary firewall rules that block traffic from the attacker's IP address. Attempted logins can be monitored for a variety of protocols, including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only. It slows an attacker down rather than stopping password guessing outright; the stronger defence is key-based SSH authentication with PasswordAuthentication disabled in sshd_config.

    Here's how to install and configure Fail2Ban:

    1. Install Fail2Ban by entering the following command:

      Debian/Ubuntu users:
      sudo apt-get install fail2ban
      

      Fedora users:
      sudo yum install fail2ban
      

      CentOS users (the package comes from the EPEL repository, which must be enabled first):
      sudo yum install epel-release
      sudo yum install fail2ban
      
    2. Optionally, you can override the default Fail2Ban configuration by creating a new jail.local file. Do not edit jail.conf directly, because package upgrades overwrite it; settings in jail.local take precedence over jail.conf. Enter the following command to create the file:
      sudo nano /etc/fail2ban/jail.local
      

      To learn more about Fail2Ban configuration options, see this article on the Fail2Ban website.

    3. Set the bantime variable to specify how long (in seconds) bans should last.
    4. Set the maxretry variable to specify how many failed attempts are allowed from one IP address, within the findtime window (also in seconds), before that address is banned.
    5. Press Control-X and then press Y to save the changes to the Fail2Ban configuration file.
    6. Restart Fail2Ban with sudo service fail2ban restart (or sudo systemctl restart fail2ban on systemd-based releases such as CentOS 7).

    Fail2Ban is now installed and running on your server. It will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in /var/log/fail2ban.log. You can list the active jails with sudo fail2ban-client status and see the currently banned addresses for the SSH jail with sudo fail2ban-client status sshd (the jail is named ssh or ssh-iptables in releases before 0.9). Fail2Ban inserts its own chains at the top of the INPUT chain, ahead of the rules you created above, so the two work together; note that reloading /etc/iptables.firewall.rules with iptables-restore flushes those chains, so restart Fail2Ban afterwards to recreate them.
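    To make the bantime and maxretry settings and the resulting firewall rules concrete, here is an added example that is not part of the original guide or of Fail2Ban itself. jail_local prints the override file described in steps 2 to 4; ban_candidates applies the same counting rule Fail2Ban's sshd filter uses (failed password attempts per source address, banned once they reach maxretry) to a few constructed auth.log lines; ban_commands prints the shape of the temporary rules the default iptables-multiport action installs. The log lines, host name and addresses are constructed, the jail name sshd assumes Fail2Ban 0.9 or later, and the findtime window is deliberately left out of the counter.

```shell
#!/bin/sh
# Added example, not from the original guide or the Fail2Ban project.
# Assumes Debian-style auth.log lines, jail name "sshd" (Fail2Ban >= 0.9),
# and constructed sample data; findtime is not applied by ban_candidates.

# jail_local BANTIME MAXRETRY FINDTIME SSH_PORT: print /etc/fail2ban/jail.local
jail_local() {
  printf '%s\n' \
    '[DEFAULT]' \
    "bantime  = $1" \
    "findtime = $3" \
    "maxretry = $2" \
    'ignoreip = 127.0.0.1/8' \
    '' \
    '[sshd]' \
    'enabled = true' \
    "port    = $4"
}

# Constructed sample of /var/log/auth.log: one address fails three times,
# another once, plus one successful login that must not count.
SAMPLE_LOG='Jan 10 12:00:01 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan 10 12:00:03 web1 sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jan 10 12:00:05 web1 sshd[1003]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Jan 10 12:00:06 web1 sshd[1004]: Accepted publickey for deploy from 192.0.2.9 port 55000 ssh2
Jan 10 12:00:09 web1 sshd[1005]: Failed password for root from 203.0.113.5 port 51002 ssh2'

# ban_candidates MAXRETRY: read log lines on stdin, print every source
# address with at least MAXRETRY failed password attempts.
ban_candidates() {
  awk -v max="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip }'
}

# ban_commands JAIL PORT IP: the iptables commands that ban IP the way the
# iptables-multiport action does: one chain per jail, hooked at the top of
# INPUT, and one REJECT per banned address inserted at the head of it.
ban_commands() {
  printf '%s\n' \
    "iptables -N f2b-$1" \
    "iptables -A f2b-$1 -j RETURN" \
    "iptables -I INPUT -p tcp -m multiport --dports $2 -j f2b-$1" \
    "iptables -I f2b-$1 1 -s $3 -j REJECT --reject-with icmp-port-unreachable"
}

# Demo: ban for 10 minutes after 3 failures within 10 minutes, SSH on port 22.
jail_local 600 3 600 22
for ip in $(printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3); do
  echo "would ban $ip:"; ban_commands sshd 22 "$ip"
done
```

    Because the jail's chain is inserted at the top of INPUT, a banned address is rejected before the ACCEPT rule for the SSH port in /etc/iptables.firewall.rules is ever consulted, which is why Fail2Ban and the static ruleset above coexist without any change to that file.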

 
