Difference between revisions of "Iptables"

From MineOS
Jump to: navigation, search
(Saving iptables-rules)
(Applying saved rules)
Line 105: Line 105:
 
To apply the set of rules saved from the above step, execute the following line:
 
To apply the set of rules saved from the above step, execute the following line:
  
<syntaxhighlight lang="bash">
+
{{executeasroot
iptables-restore < /etc/iptables-rules
+
| commands = iptables-restore < /etc/iptables-rules}}
</syntaxhighlight>
+
  
 
== Applying rules on startup ==
 
== Applying rules on startup ==

Revision as of 23:32, 1 October 2011

iptables is the standard firewall software. The syntax is a little bit difficult, but luckily, lots of it can be reproduced very easily since the firewall behavior is very similar for each port. iptables is installed by default with the following rules, but you must use these steps to manually add any other different ports (at least the add and save functions).

Contents

Checking iptables rules

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Default iptables-rules

By default, the policy is to ACCEPT all input, output, and forward packets. This is the fully unsecured state.

The proper way to secure a server is to lock out ALL inbound contact, and add only that which you need.

Note: if you are completing this step via PuTTY, it is essential you 'ACCEPT' ssh before you change the default policy to 'DROP'. The order these are listed in is significant.

command inbound outbound port action behavior
iptables -P INPUT ACCEPT matched unaffected * ACCEPT All unmatched packets are ACCEPTED (policy change)
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT matched unaffected 22 (SSH) ACCEPT Allow SSH inbound
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT matched unaffected 80 (HTTP) ACCEPT Allow HTTP inbound
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT matched unaffected 443 (HTTPS) ACCEPT Allow HTTPS inbound
iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT matched unaffected 25565 ACCEPT Allow MC clients inbound
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT matched unaffected * ACCEPT Permit packets in to firewall itself that are part of existing and related connections.
iptables -P INPUT DROP matched unaffected * DROP All unmatched packets are dropped (policy change)

Adding iptables-rules

The above listed rules are applied by default. Most of the time you will only need to add additional rules and committing them to disk. For example, to open up an additional Minecraft server port, you might type:

You can then test the connectivity, and if all works as expected, save iptables-rules.

Saving iptables-rules

Once you have a working set of rules you are happy with, you will want to save them, to ensure they persist through reboots.

Applying saved rules

To apply the set of rules saved from the above step, execute the following line:

Applying rules on startup

/etc/rc.local is the boot-up script. Any user-specified commands may be entered here, such as iptables. iptables is already autostarted by default.

  1. vi /etc/rc.local
  2. Add iptables-restore < /etc/iptables-rules
  3. Save and quit; reboot

Permitting all traffic

Permitting all traffic by turning off all firewall rules is not advised, but is sometimes useful temporarily in order to better troubleshoot an issue, such as starting Minecraft servers on non-standard ports or using any addons (such as connecting through MySQL remotely or voip apps). These steps are temporary and will be reverted on server reboot:

  1. Accept all traffic by default
  2. Flush all existing rules
iptables -P INPUT ACCEPT
iptables -F