
Thread: Will using iptables secure Ubuntu?

  1. #41
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    Quote Originally Posted by SeijiSensei:
    I think you should drop the firewall for the time being until you are sure you can establish a tunnel between the two computers. Or else use a very simple firewall like
    Code:
    iptables -P INPUT DROP
    
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -s your.local.ip.addr -j ACCEPT
    Replace "your.local.ip.addr" with the public address of the machine from which you are connecting. These rules let your machine communicate with the remote server and block all other traffic. You should be able to set up a tunnel between the two devices.
    Hi, we only use it as a VPN server, so no need for anything fancy I guess, just secure.

    I do not notice an SSH rule in there? Will I be locked out of the VPS after applying them?

    And last, in my earlier post I mentioned using nmap to test if the VPS is secure; could you give some advice on that? I would like to run a 'before' and 'after' and compare the results, so I will know it is really secure.

    Thank you,

  2. #42
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Will using iptables secure Ubuntu?

    The last rule provides unrestricted access to your.local.ip.addr on all ports and using all protocols. So if you're using SSH from the machine with your.local.ip.addr then you'll be able to connect.

    You would need to run nmap from another, unrelated host on the Internet with a public IP. I'll tell you right now, with those firewalling rules, any other host will see nothing of interest.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
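    The lockout question above is the one that bites people applying a DROP policy over SSH. As an added example (not SeijiSensei's or the thread's own script), the POSIX sh below emits the quoted rule set in an order that keeps the current SSH session matched (ACCEPT rules first, the DROP policy last), uses the correct policy syntax `-P INPUT DROP`, takes the VPN interface pattern as an argument (tun+ or tap+, both mentioned in this thread), and arms a rollback timer before applying. The address 203.0.113.5 and the file name fw.sh are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a lockout-safe way to apply the rule set
# quoted above on a VPS you reach over SSH.  The admin address you pass is
# whatever public IP you administer from (203.0.113.5 below is a placeholder).

# Emit the rules in an order that never leaves your own SSH session unmatched:
# ACCEPT rules first, the DROP policy last.  Note the policy syntax is
# "-P INPUT DROP" (no -j); "-P INPUT -j DROP" is rejected by iptables.
# $2 is the VPN interface pattern: tun+ by default, tap+ for a tap server.
build_rules() {
    admin_ip="$1"
    vpn_if="${2:-tun+}"
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ${vpn_if} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s ${admin_ip} -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Apply the rules with a dead-man's switch: if the new rules cut off your
# session, the background job reopens INPUT after ROLLBACK_SECS.  Once a
# fresh SSH login from the admin address succeeds, kill the printed PID.
apply_rules() {
    secs="${ROLLBACK_SECS:-120}"
    ( sleep "$secs" && iptables -P INPUT ACCEPT && iptables -F INPUT ) &
    rollback_pid=$!
    build_rules "$1" "$2" | sh -e
    echo "Rules applied; INPUT reopens in ${secs}s unless you run: kill ${rollback_pid}"
}

# Usage (the address and interface are your values, not the thread's):
#   sh fw.sh dry-run 203.0.113.5          # print the rules, change nothing
#   sudo sh fw.sh apply 203.0.113.5 tap+  # apply with the rollback timer armed
case "${1:-}" in
    dry-run) build_rules "$2" "${3:-tun+}" ;;
    apply)   apply_rules "$2" "${3:-tun+}" ;;
esac
```

    Run the dry-run first and read the output; the `-s admin_ip` rule is what keeps SSH (and everything else) open from your own address, exactly as described in the reply above, so if that address changes (dynamic home IP, different office) you must update it before the old one stops matching.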

  3. #43
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    Hi SeijiSensei, great news: I have managed to make it work (hopefully, as I can connect and use the VPN now). I read a post on how to troubleshoot iptables issues by using 'watch' and making sure it is connecting, and to which port; then, following that, I found an article on OpenVPN about firewall rules. First I read about adding tun+ as you advised, then tap+. Then I thought, why not? So I added tap+ and it works. So the issue is I am using tap, and that is why.

    I am still playing and removing what is not needed in there, and will play with nmap afterwards.

    Really confusing now, as if adding tap to the iptables works, then the server should be running tap, but in the client ovpn file it is 'dev tun', and when I change the ovpn file to 'dev tap' then it will disconnect after a few seconds. Any idea why, and is it OK to use tap on the server and tun on the client? But I read that both have to be the same :/

    Thank you very much
    Last edited by aboka; June 10th, 2020 at 10:21 AM.

  4. #44
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Will using iptables secure Ubuntu?

    Can't help with tap/tun. Other than that one project I mentioned for a client, I've never used OpenVPN on Windows. My implementations have been static tunnels between machines running Linux, and all of them use tun.

    Glad you got it running.

    How did nmap go? I scanned 103.125.207.43 from one of my public servers and got nothing. Is that still the remote server's public IP address? If so, it doesn't show any exposures to nmap.

    Code:
    # ping 103.125.207.43
    
    PING 103.125.207.43 (103.125.207.43) 56(84) bytes of data.
    4 packets transmitted, 0 received, 100% packet loss, time 3674ms
    
    # nmap 103.125.207.43
    
    Starting Nmap 5.51 ( http://nmap.org ) at 2020-06-10 08:30 EDT
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 3.16 seconds
    
    # nmap -P0 103.125.207.43
    
    Starting Nmap 5.51 ( http://nmap.org ) at 2020-06-10 08:30 EDT
    Nmap scan report for 103.125.207.43
    Host is up.
    All 1000 scanned ports on 103.125.207.43 are filtered
    
    Nmap done: 1 IP address (1 host up) scanned in 201.51 seconds
    Last edited by SeijiSensei; June 10th, 2020 at 01:36 PM.

  5. #45
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    Quote Originally Posted by SeijiSensei:
    Can't help with tap/tun. Other than that one project I mentioned for a client, I've never used OpenVPN on Windows. My implementations have been static tunnels between machines running Linux, and all of them use tun.

    Glad you got it running.

    How did nmap go? I scanned 103.125.207.43 from one of my public servers and got nothing. Is that still the remote server's public IP address? If so, it doesn't show any exposures to nmap.
    Hi, I thought of coming in here to edit my last post to stick with the original topic, 'securing VPS with iptables', but you beat me to it.

    Yup, the server is still running on that IP and I am connected here with its VPN. So let's get back to our original questions:

    1) Do we still need this rule at the end, 'iptables -A INPUT -j DROP', since we already have this at the top, 'iptables -P INPUT DROP'?

    2) And could you please let us know how you scan with nmap (using built-in scripts etc.) and how you know it is safe from the results? The scan I have shows

    P.S. - we ran nmap with the script downloaded from GitHub and some others found online, but we do not know how to interpret the results :/

    Thank you,

  6. #46
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Will using iptables secure Ubuntu?

    No, you don't need a -j DROP rule if the INPUT policy is DROP.

    I showed you the results of the scans. If there were open ports, it would say so. For instance, here's another machine I maintain:
    Code:
    # nmap xxx.example.com
    
    Starting Nmap 5.51 ( http://nmap.org ) at 2020-06-10 16:18 EDT
    Nmap scan report for xxx.example.com
    Host is up (0.032s latency).
    rDNS record for nnn.nnn.nnn.nnn: xxx.example.com
    Not shown: 997 filtered ports
    PORT    STATE SERVICE
    25/tcp  open  smtp
    80/tcp  open  http
    443/tcp open  https
    Because this host accepts pings, nmap doesn't complain about that. If the remote blocks pings, you can use the -P0 switch to turn off pinging.

    nmap scans 1000 ports by default. You can force it scan every port with
    Code:
    nmap -p 1-65535 server_name_or_ip
    Start this at night and come back in the morning.

    You need to run scans like these as the root user, e.g., "sudo nmap server_name_or_ip". Ordinary users can run ping scans, but nothing more interesting.

    I don't know what scripts you would need. nmap itself is a binary program. Install it with "sudo apt install nmap".
    Last edited by SeijiSensei; June 10th, 2020 at 09:30 PM.
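    The reply above explains what to look for in an nmap report (open ports listed, or "all ... ports are filtered", or the "host seems down" note when pings are blocked). As an added example, not code from the thread, the POSIX sh below reads nmap's normal output and prints a one-line verdict, so the 'before' and 'after' scans the OP asked about can be compared at a glance. It also separates "filtered" (no reply: a DROP firewall sits in front of the port) from "closed" (the host answered with a reset: reachable, just nothing listening), which is the difference between a firewalled VPS and an unfirewalled one with few services. The sample reports are constructed, modelled on the ones posted above, and 203.0.113.10 is a documentation address, not the OP's server.

```shell
#!/bin/sh
# Added example, not from the thread: turns nmap's normal output into a
# one-line verdict so a 'before' and 'after' scan of your own VPS can be
# compared.  Sample reports below are constructed; 203.0.113.10 is a
# documentation address.

# Read an nmap report on stdin and print a verdict.  "filtered" means no reply
# at all (a DROP firewall in front of the port); "closed" means the host sent
# RST, so it is reachable and simply has nothing listening there.
summarize_nmap() {
    awk '
        /^Note: Host seems down/                      { host_down = 1 }
        /^All [0-9]+ scanned ports .*are filtered/    { all_filtered = 1 }
        /^Not shown: [0-9]+ (filtered|closed) ports/  { hidden_n = $3; hidden_state = $4 }
        /^[0-9]+\/(tcp|udp) +open/                    { open_n++; open_list = open_list " " $1 "(" $3 ")" }
        END {
            if (host_down) { print "NO RESPONSE: ping probes blocked; rescan with -Pn"; exit }
            if (all_filtered && open_n == 0) { print "LOCKED DOWN: every scanned port is filtered"; exit }
            printf "OPEN: %d port(s):%s", open_n, open_list
            if (hidden_state == "filtered") printf "  (%s other ports filtered: firewall drops them)", hidden_n
            if (hidden_state == "closed")   printf "  (%s other ports closed: host answers, no DROP firewall in front)", hidden_n
            print ""
        }'
}

# Just the open port ids, one per line: save this per scan and diff the files.
open_ports() {
    awk '/^[0-9]+\/(tcp|udp) +open/ { print $1 }'
}

# Constructed sample reports (nmap normal output, trimmed to the relevant lines).
sample_locked_down() {
    cat <<'EOF'
Nmap scan report for 203.0.113.10
Host is up.
All 1000 scanned ports on 203.0.113.10 are filtered
Nmap done: 1 IP address (1 host up) scanned in 201.51 seconds
EOF
}

sample_web_host() {
    cat <<'EOF'
Nmap scan report for 203.0.113.10
Host is up (0.032s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
EOF
}

sample_no_firewall() {
    cat <<'EOF'
Nmap scan report for 203.0.113.10
Host is up (0.020s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
EOF
}

sample_ping_blocked() {
    cat <<'EOF'
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.16 seconds
EOF
}

# Usage on real scans of your own server (run nmap as root, as noted above):
#   sudo nmap -Pn your.vps.ip > after.txt;  summarize_nmap < after.txt
#   open_ports < before.txt > b.ports;  open_ports < after.txt > a.ports;  diff b.ports a.ports
```

    For a VPN-only VPS behind the DROP policy from this thread, the verdict you want from an unrelated public host is "LOCKED DOWN"; an "OPEN" line naming anything other than the OpenVPN port from the public side means a rule is accepting more than intended.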
