Iptables For Securing Webservers

Published: 2021-01-20

iptables and ip6tables are used to build firewalls on Linux servers. In this article we'll go over a set of rules that help secure your webserver by restricting the internet traffic that can reach it; if you're looking for OpenBSD pf instead, see openbsd pf rules for webservers.

 
 

What is iptables?

iptables is a collection of tables, each containing chains in which we define rules for incoming and outgoing traffic. Within a chain the rules are checked one by one until a match is found, and the action specified by that rule is applied: the first matching rule wins. iptables filters IPv4 traffic, while ip6tables filters IPv6 traffic.
 

iptables vs pf?

For a brief comparison between OpenBSD pf and iptables, see how pf differs from iptables?.

 

Careful not to lock yourself out

iptables syntax can be complex and hard to read, but there are frontend programs that make designing and applying your netfilter (iptables/ip6tables) rules easier. If your rules are few and simple you don't need any frontend, and you need to learn the iptables syntax anyway :P
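As a guard against exactly that lock-out, here is an added helper (not part of the original article) that applies a rules file with a rollback timer: it snapshots the live ruleset, parses the new file with iptables-restore --test, applies it, and reverts to the snapshot unless you confirm within TIMEOUT seconds. The IPT_SAVE, IPT_RESTORE and TIMEOUT variable names are this example's own assumptions, and --test requires a reasonably recent iptables-restore.

```shell
#!/bin/sh
# Added helper: apply a ruleset with an automatic rollback timer, so a bad
# rule cannot lock you out of your SSH session for more than TIMEOUT seconds.
# Override IPT_SAVE/IPT_RESTORE for ip6tables (or with stubs when testing).
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
TIMEOUT=${TIMEOUT:-60}

# apply_with_rollback RULES_FILE
# Prints the PID of the rollback timer; returns 1 if the file fails to load.
apply_with_rollback() {
    rules=$1
    backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || return 1             # snapshot the live ruleset
    "$IPT_RESTORE" --test < "$rules" || return 1    # parse only, nothing applied
    "$IPT_RESTORE" < "$rules" || return 1           # apply the new rules
    # The timer runs detached with stdout/stderr closed, so that a caller using
    # $(apply_with_rollback ...) gets the PID back immediately instead of
    # waiting for the timer to finish.
    ( sleep "$TIMEOUT" && "$IPT_RESTORE" < "$backup" && rm -f "$backup" ) \
        >/dev/null 2>&1 &
    echo $!
}

# confirm_rules TIMER_PID
# Run this once you have verified (from a second SSH connection) that you
# still have access. Returns non-zero if the timer already fired, i.e. the
# snapshot has been restored.
confirm_rules() {
    kill "$1" 2>/dev/null
}

# Typical use, as root:
#   pid=$(apply_with_rollback /etc/ip4tables.rules)
#   ... open a second SSH connection and check you can log in ...
#   confirm_rules "$pid"
```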

 

NetFilter Rules

In order to filter internet traffic we need two sets of rules, one for each of the following:

  • IPv4 addresses, managed by the commands iptables and iptables-restore.
  • IPv6 addresses, managed by the commands ip6tables and ip6tables-restore.

For simplicity we'll assume that the internal interface is named lo and the external interface is named eth0.

 

Iptables Rules 

We will save our IPv4 rules in /etc/ip4tables.rules

  1. Set the default policy to drop all traffic without any notice to the clients
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
  2. Allow internal traffic within our server on the lo interface
    -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  3. Allow established connections, and any connection related to an already allowed connection, to pass
    -A INPUT -i eth0 -m state --state established,related -j ACCEPT
  4. Drop malformed packets (fragments and impossible TCP flag combinations)
    -A INPUT -f -j DROP
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  5. Allow incoming mail on port 25 (note the -j ACCEPT: a rule without a target only counts packets and does not let them through)
    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
  6. Allow incoming web traffic on ports 80 and 443
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
  7. Allow SSH connections on port 22
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  8. Finally, log all other blocked traffic, but limit logging to 7 entries per minute.
    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "iptables dropped: " --log-level 7
  9. Log icmp traffic, for information only; you may like to allow it, but I don't :) The file must end with COMMIT, otherwise iptables-restore will not apply the table.
    -A INPUT -p icmp -m limit --limit 7/min -j LOG --log-prefix "iptables dropped-icmp: " --log-level 7
    COMMIT
  10. The whole file may look like the following:
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    
    
    -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
    
    -A INPUT -i eth0 -m state --state established,related -j ACCEPT
    
    -A INPUT -f -j DROP
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    
    
    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    
    
    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "iptables dropped: " --log-level 7
    -A INPUT -p icmp -m limit --limit 7/min -j LOG --log-prefix "iptables dropped-icmp: " --log-level 7
    COMMIT
OK, done with /etc/ip4tables.rules, so save and exit.
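Before loading this file (or the ip6tables one below) it is worth checking it statically. The helper here is an added example, not code from the article: it flags the two slips that most often leave a default-DROP server unreachable, an -A rule with no -j target (it only counts packets, so the port never opens) and a table that is never closed with COMMIT (which iptables-restore refuses to load). The two sample rule files it writes are constructed for the demo.

```shell
# Added example: static sanity check for an iptables-restore / ip6tables-restore
# rules file. It flags:
#  - an "-A"/"-I" rule with no "-j TARGET": such a rule only counts packets,
#    so with ":INPUT DROP" the port it was meant to open stays closed
#  - a table (*filter, *nat, ...) never closed by COMMIT: *-restore rejects it
# Usage: lint_rules FILE   (exit 0 = clean, 1 = problems printed)
lint_rules() {
    file=$1; status=0; table=""; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) ;;                        # blank line or comment
            '*'*) table=${line#?} ;;           # start of a table
            COMMIT) table="" ;;                # table closed
            ':'*|-N*|-P*) ;;                   # chain declaration / policy
            -A*|-I*)
                case " $line " in
                    *' -j '*|*' --jump '*|*' -g '*|*' --goto '*) ;;
                    *) echo "$file:$lineno: rule has no target (-j): $line"
                       status=1 ;;
                esac ;;
            *) echo "$file:$lineno: unrecognised line: $line"; status=1 ;;
        esac
    done < "$file"
    if [ -n "$table" ]; then
        echo "$file: table '$table' is never COMMITted"; status=1
    fi
    return $status
}

# Constructed samples: GOOD_RULES is the corrected ruleset from this article,
# BAD_RULES reproduces the two mistakes described above.
GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-A INPUT -i eth0 -m state --state established,related -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443 -j ACCEPT
-A INPUT -m limit --limit 7/min -j LOG --log-prefix "iptables dropped: "
COMMIT
EOF
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 25
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443
-A INPUT -i eth0 -p tcp -m tcp --dport 22
EOF
```

Run it as `lint_rules /etc/ip4tables.rules` (and the same for the ip6tables file) before pointing iptables-restore at it.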

 

 

Ip6tables Rules 

We will save our IPv6 rules in /etc/ip6tables.rules

  1. Set the default policy to drop all traffic without any notice to the clients
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
  2. Allow internal traffic within our server on the lo interface
    -A INPUT -i lo -s ::1 -d ::1 -j ACCEPT
  3. Allow established connections, and any connection related to an already allowed connection, to pass
    -A INPUT -i eth0 -m state --state established,related -j ACCEPT
  4. Drop malformed packets (impossible TCP flag combinations)
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  5. Allow incoming mail on port 25 (note the -j ACCEPT: a rule without a target only counts packets and does not let them through)
    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
  6. Allow incoming web traffic on ports 80 and 443
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
  7. Allow SSH connections on port 22
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  8. Finally, log all other blocked traffic, but limit logging to 7 entries per minute.
    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "ip6tables dropped: " --log-level 7
  9. Log icmp traffic, for information only; you may like to allow it, but I don't :) The file must end with COMMIT, otherwise ip6tables-restore will not apply the table.
    -A INPUT -p icmp -m limit --limit 7/min -j LOG --log-prefix "ip6tables dropped-icmp: " --log-level 7
    COMMIT
  10. The whole file may look like the following:
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    
    
    -A INPUT -i lo -s ::1 -d ::1 -j ACCEPT
    
    -A INPUT -i eth0 -m state --state established,related -j ACCEPT
    
    
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    
    
    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    
    
    -A INPUT -m limit --limit 7/min -j LOG --log-prefix "ip6tables dropped: " --log-level 7
    -A INPUT -p icmp -m limit --limit 7/min -j LOG --log-prefix "ip6tables dropped-icmp: " --log-level 7
    COMMIT
OK, done with /etc/ip6tables.rules, so save and exit.
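The LOG rules at the end of both files only pay off if someone reads what they write. As an added example (not from the article), the two functions below summarise kernel LOG output from syslog or journalctl: drops per source, protocol and destination port, plus sources that probed several distinct ports. The log lines are constructed samples using documentation addresses, trimmed to the fields the LOG target prints that matter here.

```shell
# Added example: summarise what the LOG rules record. Reads syslog/journalctl
# lines on stdin, keeps those carrying the "iptables dropped" or
# "ip6tables dropped" prefixes, and counts drops per source, protocol and
# destination port, most frequent first.
drop_summary() {
    awk '/tables dropped/ {
            src = ""; proto = "?"; dpt = "-"          # "-" for ICMP and friends
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "") n[src " " proto " " dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# scanning_sources MIN: sources seen probing at least MIN distinct ports,
# a cheap indicator of port scanning worth a closer look.
scanning_sources() {
    drop_summary | awk -v min="${1:-3}" '
        $4 != "-" { ports[$2]++ }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }'
}

# Constructed sample log lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG='Jan 20 10:15:01 web1 kernel: iptables dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=3306 SYN
Jan 20 10:15:02 web1 kernel: iptables dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=3306 SYN
Jan 20 10:15:03 web1 kernel: iptables dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=51236 DPT=5432 SYN
Jan 20 10:15:04 web1 kernel: iptables dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=51237 DPT=6379 SYN
Jan 20 10:16:10 web1 kernel: iptables dropped: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=48 PROTO=TCP SPT=40001 DPT=23 SYN
Jan 20 10:16:11 web1 kernel: iptables dropped-icmp: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=84 TTL=48 PROTO=ICMP TYPE=8 CODE=0
Jan 20 10:17:30 web1 kernel: ip6tables dropped: IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8::10 LEN=80 HOPLIMIT=55 PROTO=TCP SPT=60000 DPT=8080 SYN'

# Example run:
#   printf '%s\n' "$SAMPLE_LOG" | drop_summary
#   printf '%s\n' "$SAMPLE_LOG" | scanning_sources 3
```

Note that with the rule order in the files above an ICMP packet matches both LOG rules (LOG does not stop rule processing), so on a real server it shows up under both the "dropped:" and the "dropped-icmp:" prefix and is counted twice here.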

 

Applying the Rules Automatically

- To have our rules applied automatically whenever the network is brought up, we create /etc/network/if-up.d/netfilter with the following content:

#! /bin/sh -e
# ifupdown hook: reload both rule sets whenever an interface comes up

RULES4=/etc/ip4tables.rules
RULES6=/etc/ip6tables.rules

if [ -r "$RULES4" ]; then
  iptables-restore < "$RULES4" && echo "[SUCCESS] iptables reloaded"
fi


if [ -r "$RULES6" ]; then
  ip6tables-restore < "$RULES6" && echo "[SUCCESS] ip6tables reloaded"
fi

exit 0
- Make sure it's executable
chmod a+rx /etc/network/if-up.d/netfilter

 

That's it

You can now run /etc/network/if-up.d/netfilter to apply the new rules, and whenever your network is brought up the rules will be applied automatically.
