Iptables

From MineOS Wiki

Latest revision as of 15:08, 28 April 2017

iptables is the standard Linux firewall tool. Its syntax takes some getting used to, but most of it can be reproduced with little effort, since the rule for one port looks almost exactly like the rule for any other. MineOS Turnkey ships with the rules listed below already in place; to open any other port you must add the rule and save it yourself, using at least the add and save steps on this page.

MineOS Turnkey comes with 22 (ssh), 8443 (webui) and 25565 (default Minecraft) open by default. Any additional ports (for additional servers or alternative ports) must be opened manually. Only MineOS Turnkey ships with a pre-configured firewall; on other distributions (Ubuntu, CentOS, etc.) a fresh installation typically has no rules in place at all and is therefore unsecured, so you should add the rules below yourself.

Establishing iptables rules

Checking iptables rules

Your actual rules may differ slightly. Run, as root:

iptables --list

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8080
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This sample shows 8080, the python webui port; a node webui installation shows 8443 instead. Two things to keep in mind when reading this output: without -n, iptables resolves port numbers to service names from /etc/services (hence dpt:ssh rather than dpt:22), and without -v it omits the interface columns, so a rule that appears only as ACCEPT all -- anywhere anywhere may still carry a match (for example on an interface) that is not visible here. iptables -n -v --list shows everything.

Default iptables-rules

A not-yet-configured iptables has a policy of ACCEPT on the INPUT, OUTPUT and FORWARD chains, so every packet passes: this is the unsecured state. The proper way to secure a server is to lock out all inbound traffic by default and then individually add only what you need. The following rules have proved useful for all MineOS deployments; review each port against what your installation actually runs (only one of the two webui ports applies, depending on whether you use the python or the node webui).

Note: if you are completing this step over SSH (for example via PuTTY), it is essential that you ACCEPT ssh before you change the default policy to DROP; otherwise the session you are typing in, and any new one, is dropped and you are locked out. The order these are listed in is significant.

The rules are listed in the order they should be entered: the first command puts the policy at ACCEPT so that nothing is locked out while the remaining rules are being added, and the last one switches it to DROP only once every ACCEPT you need is in place.

command                                                          | inbound | outbound   | port     | action | behavior
-----------------------------------------------------------------|---------|------------|----------|--------|-----------------------------------------------------------------------------------------
iptables -P INPUT ACCEPT                                         | matched | unaffected | *        | ACCEPT | All unmatched packets are ACCEPTED (policy change)
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT             | matched | unaffected | 22 (SSH) | ACCEPT | Allow SSH inbound
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT           | matched | unaffected | 8080     | ACCEPT | Allow webui on HTTPS (python webui only)
iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT           | matched | unaffected | 8443     | ACCEPT | Allow webui on HTTPS (node webui only)
iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT          | matched | unaffected | 25565    | ACCEPT | Allow MC clients inbound
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | matched | unaffected | *        | ACCEPT | Permit packets in to the firewall itself that are part of existing and related connections
iptables -P INPUT DROP                                           | matched | unaffected | *        | DROP   | All unmatched packets are dropped (policy change)
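The same default ruleset expressed as one file for iptables-restore, as an added example (this is not code from the MineOS project). Applying the rules this way sets the DROP policy and the ACCEPT rules in a single transaction, so the lockout hazard from entering the commands one at a time does not arise. The script only generates the file and never touches the live firewall; the loopback rule (-i lo) is an addition not in the table above, and the file name and the extra port 25570 in the usage comment are assumptions.

```shell
#!/bin/sh
# Emit the MineOS default ruleset plus any extra TCP ports in iptables-save
# format. Nothing here touches the live firewall; apply the output with
# iptables-restore as root.

# Accept only integers in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write the ruleset to stdout. Arguments are additional TCP ports to open.
# Returns 1 without printing anything if any argument is not a valid port.
mineos_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { printf 'invalid port: %s\n' "$p" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # The chain policies are committed in the same transaction as the ACCEPT
    # rules, so there is no moment where INPUT is DROP without the ssh rule.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Assumption, not in the wiki table: allow loopback so that local services
    # can still reach each other under the DROP policy.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Defaults first (22 ssh, 8443 node webui, 25565 minecraft), then extras.
    # All rules are ACCEPT, so their relative order does not change behaviour.
    seen=' '
    for p in 22 8443 25565 "$@"; do
        case "$seen" in *" $p "*) continue ;; esac   # skip duplicates
        seen="$seen$p "
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (as root, file name assumed):
#   sh gen-rules.sh 25570 > /etc/iptables-rules
#   iptables-restore --test < /etc/iptables-rules && iptables-restore < /etc/iptables-rules
if [ "$#" -gt 0 ]; then
    mineos_ruleset "$@"
fi
```

Keep the generated file under version control or at least compare it with iptables-save output after applying it; the point of generating rather than appending is that the file, not the live table, becomes the source of truth.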

Modifying iptables rules

Adding iptables-rules

The rules listed above are applied by default on MineOS Turnkey. Most of the time you will only need to append additional rules and commit them to disk. For example, to open up an additional Minecraft server port, as root you might type:

iptables -A INPUT -p tcp -m tcp --dport 25570 -j ACCEPT

-A appends the rule at the end of the INPUT chain, which is fine here because every existing rule is an ACCEPT and only the chain policy drops traffic; if you ever add an explicit DROP or REJECT rule to the chain, new ACCEPT rules must be inserted above it with -I instead. The new rule takes effect immediately but is lost on reboot. Test the connectivity, and if all works as expected, save the rules as described under Saving iptables-rules.


Deleting iptables-rules

Removing individual rules can be done by replacing the -A (append) with -D (delete), giving the rule exactly as it was added:

iptables -D INPUT -p tcp -m tcp --dport 25570 -j ACCEPT

Alternatively, list the rules by number with --line-numbers and remove the one you want by its number, e.g. iptables -D INPUT 5. As root:

iptables --list --line-numbers

Rule numbers shift as soon as a rule is removed, so re-list before deleting another one; compare the two listings below, where rule 6 becomes rule 5 after the deletion.

root@mineos ~# iptables --list --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25566
6    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
root@mineos ~# iptables -D INPUT 5
root@mineos ~# iptables --list --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
5    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
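The listing above is the reason numbers are only safe for one deletion at a time. The following script, an added example and not part of the wiki page or the MineOS project, works out the delete commands for every rule matching a port from a saved iptables -n -L INPUT --line-numbers listing and orders them highest number first, so that each deletion leaves the numbers of the remaining targets intact. The listing it parses is constructed for the example (two copies of a 25566 rule, as happens when the same rule is appended twice); the script prints the commands rather than executing them.

```shell
#!/bin/sh
# Work out "iptables -D INPUT N" commands for every rule matching a port,
# highest rule number first, so earlier deletions do not renumber the rest.
# Pure text processing: safe to run as an unprivileged user.

# Print the rule numbers whose rule text contains "dpt:<port>", descending.
# $1 = file holding the output of: iptables -n -L INPUT --line-numbers
# $2 = port number. -n matters: without it 22 is shown as "ssh".
rule_numbers_for_port() {
    awk -v port="$2" '
        # data rows start with the rule number; "($|[^0-9])" stops 2556
        # from matching 25565 or 25566
        $1 ~ /^[0-9]+$/ && $0 ~ ("dpt:" port "($|[^0-9])") { print $1 }
    ' "$1" | sort -rn
}

# Emit the delete commands in that order. They are printed, not executed;
# review them and then pipe them to sh as root.
delete_commands_for_port() {
    rule_numbers_for_port "$1" "$2" | while read -r n; do
        printf 'iptables -D INPUT %s\n' "$n"
    done
}

# Constructed sample listing (what -n -L INPUT --line-numbers prints when a
# 25566 rule has been appended twice).
LISTING=$(mktemp)
trap 'rm -f "$LISTING"' EXIT
cat > "$LISTING" <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25565
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25566
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25566
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF

# Prints "iptables -D INPUT 6" then "iptables -D INPUT 5".
delete_commands_for_port "$LISTING" 25566
```

The numbers are only meaningful against the live table the listing was taken from, so generate and run the commands in one go rather than reusing a listing saved earlier. When in doubt, the specification form (iptables -D INPUT -p tcp -m tcp --dport 25566 -j ACCEPT) removes the first matching rule each time it is run and does not depend on numbering at all.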

Making changes permanent

Saving iptables-rules

Once you have a working set of rules you are happy with, save them to ensure they persist through reboots. As root:

iptables-save > /etc/iptables-rules

This writes the complete live ruleset, including the chain policies, to the file. Save only from a state you have verified, since whatever is in the file is what comes back after a reboot.

Applying saved rules

To apply the set of rules generated by iptables-save, execute the following line as root:

iptables-restore < /etc/iptables-rules

iptables-restore replaces the running ruleset with the contents of the file in a single operation. Recent iptables versions also accept iptables-restore --test < /etc/iptables-rules, which parses the file without changing anything and is a cheap way to catch a typo before trusting the file at boot.

Applying rules on startup

/etc/rc.local is the boot-up script; any user-specified commands may be entered here, such as the iptables-restore line. On MineOS Turnkey this is already set up by default, so the step is only needed on other distributions.

  1. vi /etc/rc.local
  2. Add iptables-restore < /etc/iptables-rules (if the file ends with an exit 0 line, the new line must go above it)
  3. Save and quit; reboot

After the reboot, confirm with iptables --list that the rules came back before relying on them. On distributions that boot with systemd, /etc/rc.local is only run if the rc-local service is enabled, so check that it is actually executed on your system.
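Before restoring a saved file, or trusting it to come back at boot, it is worth checking that it still contains the rules that keep you connected. The script below is an added example, not part of the MineOS wiki or project: it reads a file in iptables-save format and reports whether the INPUT policy is DROP, whether tcp/22 is accepted and whether the ESTABLISHED,RELATED rule is present. The two sample files are constructed for the example; the "bad" one represents what gets saved after the ssh rule has been deleted by number.

```shell
#!/bin/sh
# Audit a ruleset in iptables-save format before restoring it.
# Pure text processing: safe to run as an unprivileged user.

# Policy of the INPUT chain in the filter table, e.g. DROP or ACCEPT.
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$1"
}

# True if some INPUT rule accepts TCP to the given destination port.
# The space after the port keeps "--dport 22" from matching "--dport 2200".
port_accepted() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT\$" "$1"
}

# True if replies to connections the host itself opened are allowed in
# (either the state or the conntrack match spelling).
established_accepted() {
    grep -Eq '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* .*-j ACCEPT$' "$1"
}

# Report problems that would cut off remote administration once the file is
# restored. Returns 0 when the file looks safe, 1 otherwise.
audit_ruleset() {
    file=$1
    status=0
    if [ "$(input_policy "$file")" != DROP ]; then
        echo "WARN: INPUT policy is not DROP (all unmatched inbound traffic is allowed)"
        status=1
    fi
    if ! port_accepted "$file" 22; then
        echo "FAIL: no ACCEPT for tcp/22; restoring this file locks out SSH"
        status=1
    fi
    if ! established_accepted "$file"; then
        echo "FAIL: no ESTABLISHED,RELATED rule; under a DROP policy the server gets no replies to its own connections"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $file"
    return "$status"
}

# Constructed sample: the MineOS Turnkey default ruleset as iptables-save writes it.
GOOD_RULES=$(mktemp)
BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

# Constructed sample: saved after the ssh and ESTABLISHED rules were deleted by number.
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
COMMIT
EOF

audit_ruleset "$GOOD_RULES" || true
audit_ruleset "$BAD_RULES" || true
```

Run it against /etc/iptables-rules before every reboot (or from the same rc.local line, refusing to restore when it fails); it complements iptables-restore --test, which only checks that the file parses, not that it leaves you a way in.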

Permitting all traffic

Permitting all traffic by turning off all firewall rules is not advised, but is sometimes useful temporarily to troubleshoot an issue, such as starting Minecraft servers on non-standard ports or using add-ons (such as connecting to MySQL remotely or VoIP apps). These steps are temporary and are reverted on server reboot, because the saved rules are restored then:

  1. Accept all traffic by default
  2. Flush all existing rules

As root:

iptables -P INPUT ACCEPT
iptables -F

Keep this order: -F removes the rules but leaves the chain policy alone, so flushing while the policy is still DROP cuts off every inbound connection, including your own SSH session. Do not run iptables-save while in this state, or the wide-open configuration becomes the one restored at boot. To return to the secured rules without rebooting, run iptables-restore < /etc/iptables-rules.