Following on from my previous article on setting up a VPS server running Ubuntu 8.04, I am now going to configure a simple firewall.
Linux uses a rule-based firewall system known as iptables. To check your current rules, use the following command.
sudo iptables -L
As it’s a new install we don’t have many rules; in fact we are allowing pretty much everything. The output should look something like this.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
As you can see there are three main chains: INPUT, FORWARD and OUTPUT. For each chain you can create rules that specify how different kinds of traffic are handled. As a general principle we want to block all ports and traffic that we don’t explicitly require. Most of these ports will probably be blocked by default, but an extra layer of security can’t hurt. Using iptables directly can be complex as the syntax is not particularly intuitive; however, there are several ‘frontends’ that can generate iptables rules from a much simpler syntax. I am going to use FireHOL, but alternatives do exist.
sudo aptitude install firehol
There are two files we need to edit to configure our firewall.
sudo nano /etc/default/firehol
Edit the line so that FireHOL is enabled.
START_FIREHOL=YES
Now we need to create our firewall rules.
sudo nano /etc/firehol/firehol.conf
Essentially we want to allow all outgoing connections but only allow the incoming connections necessary for the services we want to run. Edit the file so it looks like this.
version 5
# Accept all client traffic on any interface
interface any world
    # enable FireHOL's stronger set of packet protections on this interface
    protection strong
    # our ssh daemon listens on a custom port, so define it as a custom service
    server custom ssh tcp/23456 default accept
    # incoming services we explicitly allow
    server "icmp ping ICMP http" accept
    # allow this box to make any outgoing connection
    client all accept
Change the port number for ssh to the one you set earlier. This will only allow incoming SSH and HTTP connections (we will be setting up a web server on this box), as well as ping and ICMP. You can probably safely block these last two as well, but being able to ping and traceroute to your box can help to diagnose any problems you may have down the road. Opinions vary.
Now that we have our rules, we just need to start FireHOL.
sudo /etc/init.d/firehol start
You may get some warnings about not being able to detect kernel modules, but they can be safely ignored. Here is a possible workaround if seeing the warnings offends you. Now if we check our iptables rules there should be much more to see.
sudo iptables -L
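As an added check (example shell script written for this article, not part of the original post or of FireHOL itself), the following reads an `iptables -L INPUT -n` listing and reports which TCP ports the INPUT chain accepts and what its default policy is, so you can confirm the generated rules match the intent above: only the custom ssh port and http open, everything else dropped. The listing is a constructed stand-in for real output, and the function names are my own.

```shell
# Constructed, simplified 'iptables -L INPUT -n' listing standing in for the
# real output on your box; run `sudo iptables -L INPUT -n` to get the real thing.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23456 state NEW
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Print the default policy of the INPUT chain (DROP or ACCEPT).
input_policy() {
    printf '%s\n' "$1" | awk '/^Chain INPUT/ { gsub(/[()]/, "", $4); print $4 }'
}

# Print the TCP destination ports accepted in the listing, sorted numerically,
# de-duplicated and space separated (e.g. "80 23456").
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:[0-9]+$/) { sub(/^dpt:/, "", $i); print $i }
        }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Print any accepted ports that are not in the expected list (both lists are
# space separated). Returns 0 when nothing unexpected is open, 1 otherwise.
unexpected_ports() {
    expected="$1"; actual="$2"; bad=""
    for p in $actual; do
        case " $expected " in
            *" $p "*) ;;
            *) bad="$bad $p" ;;
        esac
    done
    printf '%s' "${bad# }"
    [ -z "$bad" ]
}

ports=$(accepted_tcp_ports "$SAMPLE_LISTING")
echo "INPUT policy: $(input_policy "$SAMPLE_LISTING")"
echo "accepted TCP ports: $ports"
# 23456 is the custom ssh port from the config above; 80 is http.
if extra=$(unexpected_ports "23456 80" "$ports"); then
    echo "OK: only the expected ports are open"
else
    echo "WARNING: unexpected open ports: $extra"
fi
```

To check the live firewall instead of the sample, pass `"$(sudo iptables -L INPUT -n)"` to the functions in place of `"$SAMPLE_LISTING"`.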
This is just a basic firewall configuration. There is much more you can do with iptables and FireHOL. In my next post I am going to show the steps to set up a web server with nginx.
