
Thread: Will using iptables secure Ubuntu?

  1. #1
    Join Date
    Apr 2020
    Beans
    26

    Will using iptables secure Ubuntu?

Hi, I am just starting to learn Ubuntu and have installed the latest 20.04 on a VPS along with SoftEther, and everything is running fine.

Will iptables help secure a VPS? It should be able to help, since from what I understand iptables is actually the firewall.

Where could we learn the basics, like how to add/edit/delete iptables rules? I have read the help on ubuntu.com (and some others) but am not too confident to try them out, as I might get locked out of the VPS if I do something wrong :/

P.S. I just need to learn the basic setup, like adding loopback, SSH, etc., for the VPS to run correctly, besides adding some more rules for the vpnserver.

    thank you,

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,029
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: Will using iptables secure Ubuntu?

    First, out of the box, Ubuntu has no services that listen on ports. So it's largely invulnerable to most attacks.

    Does the machine present a publicly-visible interface? Does anyone other than you need to connect to it at all? If not, a really simple firewalling scheme would be
Code:
# -P sets the chain's default policy; it takes the policy name directly, not -j
/sbin/iptables -P INPUT DROP
# allow everything coming from your own machine
/sbin/iptables -A INPUT -s your.local.ip.addr -d your.server.ip.addr -j ACCEPT
    The first line drops all incoming packets that don't match a rule. The second rule allows packets from your local machine at your.local.ip.addr.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #3
    Join Date
    Apr 2020
    Beans
    26

    Re: Will using iptables secure Ubuntu?

Quote Originally Posted by SeijiSensei
First, out of the box, Ubuntu has no services that listen on ports. So it's largely invulnerable to most attacks.

Does the machine present a publicly-visible interface? Does anyone other than you need to connect to it at all? If not, a really simple firewalling scheme would be
Code:
# -P sets the chain's default policy; it takes the policy name directly, not -j
/sbin/iptables -P INPUT DROP
# allow everything coming from your own machine
/sbin/iptables -A INPUT -s your.local.ip.addr -d your.server.ip.addr -j ACCEPT
    The first line drops all incoming packets that don't match a rule. The second rule allows packets from your local machine at your.local.ip.addr.

Hi, thanks for the reply. I'm the only one accessing the VPS, using SSH. Here is the list of open ports currently in use:
    1194 vpnserver
    5555 vpnserver
    443 vpnserver
    22 sshd
    53 dnsmasq

Do we need to add the loopback, since I read lots of programs need that to work? And is putting the 'drop all' at the top OK?

Yeah, I forgot to mention, I already have one entry from the vpnserver installation:
Code:
iptables -t nat -L
Chain POSTROUTING (policy ACCEPT)
target prot opt source         destination
SNAT   all  --  192.168.7.0/24 anywhere     to:103.125.207.43

And lastly, is my local IP 192.168.7.1? I use dnsmasq to give out the IP addresses:
Code:
ip address
inet 192.168.7.1/24 brd 192.168.7.255 scope global tap_soft

    regards,

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,029
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: Will using iptables secure Ubuntu?

    First, about the localhost address. Yes, I forgot to exempt it in the rules above. It's easier to write a rule that exempts the "lo" interface like this:

Code:
# -P sets the chain's default policy; it takes the policy name directly, not -j
/sbin/iptables -P INPUT DROP
# exempt the loopback interface so local IPC over 127.0.0.0/8 keeps working
/sbin/iptables -A INPUT -i lo -j ACCEPT
# allow everything coming from your own machine
/sbin/iptables -A INPUT -s your.local.ip.addr -d your.server.ip.addr -j ACCEPT
    "your.local.ip.addr" is not one in the private 192.168.7.0/24 network behind your router. It is your public IP address on the "WAN" side of your router. If you don't know what that is, you can visit whatismyip.com. While providers use DHCP to distribute addresses, meaning your address could change at any time, in practice many addresses remain functionally static. I've had the same public IP for months now.

    As I said, if you're the only one connecting to this server, then you need only exempt your address. However if you are supporting other people connecting to those ports, then you'd need specific rules.

    1194 is the default port for OpenVPN, but you have two other ports listed as well, 5555 and 443. OpenVPN should be listening on only one of those ports unless you have multiple VPN tunnels set up with other users. 443 is a bit surprising since it's the default for HTTPS connections. Are you running a webserver listening on that port? If you were, then you'd need another rule like
    Code:
    /sbin/iptables -A INPUT -p tcp -d your.server.ip.addr --dport 443 -j ACCEPT
    The SNAT masquerading rule doesn't enter into any of this. It just tells the machine to send all outbound traffic as if it were coming from 103.125.207.43.
    Last edited by SeijiSensei; 4 Weeks Ago at 09:21 PM.
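Putting the advice of the last two posts together, here is an added example (not from the thread) of a complete default-drop IPv4 ruleset for the VPS as described: loopback and established connections allowed, SSH only from the admin's public address, the three SoftEther ports open, and dnsmasq reachable only from the VPN clients on tap_soft. The admin address 203.0.113.10 is a placeholder from the documentation range, the server address and VPN subnet are the ones quoted in the thread, and the DRY_RUN switch is my own addition so the rules can be printed before they are loaded.

```shell
#!/bin/sh
# Added example (not from the thread): a complete default-drop IPv4 ruleset
# for the VPS described in this thread. Assumed values: the admin's WAN
# address ADMIN_IP (203.0.113.10 is a documentation address, replace it),
# the VPS address SERVER_IP, SoftEther listening on tcp 443/1194/5555,
# sshd on 22, and dnsmasq serving DNS/DHCP only to VPN clients on tap_soft.
# Run with "show" (default) to print the rules, "apply" to load them.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
SERVER_IP="${SERVER_IP:-103.125.207.43}"
VPN_IF="${VPN_IF:-tap_soft}"
VPN_NET="${VPN_NET:-192.168.7.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Wrapper so the same function can print the commands instead of running them.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start from empty INPUT/FORWARD chains; the installer's SNAT rule lives
    # in the nat table and is left alone.
    ipt -F INPUT
    ipt -F FORWARD

    # ACCEPT rules go in first; the DROP policy is set last so an open SSH
    # session is never cut off between the two steps.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # SSH only from the admin's public address.
    ipt -A INPUT -p tcp -s "$ADMIN_IP" -d "$SERVER_IP" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # SoftEther listeners, reachable by VPN clients from anywhere.
    for port in 443 1194 5555; do
        ipt -A INPUT -p tcp -d "$SERVER_IP" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # dnsmasq: DNS only from the VPN subnet on the tap interface, and DHCP
    # requests (source 0.0.0.0, so no -s match) only on that interface.
    ipt -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$VPN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # Routed traffic: VPN clients out to the internet (SNAT'd by the
    # installer's POSTROUTING rule) and replies back in; nothing else.
    ipt -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -j ACCEPT
    ipt -A FORWARD -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Default-deny last.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# Number of ACCEPT rules the ruleset generates; handy for a quick sanity check.
count_accepts() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- '-j ACCEPT'
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  ( DRY_RUN=1; apply_rules ) ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two caveats that the rules alone do not cover: this is IPv4 only, so if the VPS has a public IPv6 address the same policy has to be loaded with ip6tables or that address stays wide open; and dnsmasq should also be told not to listen on the public address at all (`interface=tap_soft` together with `bind-interfaces` in dnsmasq.conf), so the firewall is the second line rather than the only one. To survive a reboot, save the result with `iptables-save > /etc/iptables/rules.v4` after installing iptables-persistent.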

  5. #5
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,148
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Will using iptables secure Ubuntu?

Firewalls aren't the only part of running a secure system, though they are extremely important.
    • Don't use passwords for authentication, use keys. Especially for ssh.
    • Don't run unnecessary services.
    • Don't allow the world access to any services they have no business using.
    • Stay patched.
    • Don't leave development or hacking tools on the system once it is used for production.
    • Have daily, automatic, versioned, backups that are stored on a different system. Backups have 1,001 uses, including a way to figure out what happened AFTER you get hacked.


    You are asking and doing all the right stuff so far. Be aware that firewall interfaces are changing on other distros, so iptables isn't the only interface into the Linux kernel firewall.

I don't get why you'd run a DNS server on the internet. I've been hacked 3 times since 1993. One of those was via DNS in 2002. Since then, I pay someone else to run my DNS for public services and only use my DNS servers for internal use.
    Last edited by TheFu; 4 Weeks Ago at 08:22 PM.

  6. #6
    Join Date
    Apr 2020
    Beans
    26

    Re: Will using iptables secure Ubuntu?

Hi, I am reading lots of info online regarding this and I think I will write the rules based on that and your advice here tomorrow. I will post back here before applying them on the VPS.

P.S. I will omit the lo (loopback) for now and only add it if something is not working. First, it won't lock me out, and second, the rule is, the less the safer, right?

    cheers,

  7. #7
    Join Date
    Apr 2020
    Beans
    26

    Re: Will using iptables secure Ubuntu?

P.P.S. SoftEther is using 4 ports by default: 443, 992, 1194 & 5555, and 500 & 4500 if using L2TP, MS-SSTP, etc. But I have deleted 992, as I read on a couple of sites that it is 'useless'.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,148
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Will using iptables secure Ubuntu?

    We usually don't abbreviate common words here that aren't common technical terms. Clarity is important.

Be certain you know how to access the console on the VPS before doing too much with the firewall. Some people set up a "try mode" that enables the firewall for 5 minutes, then disables it. That provides the needed time to ensure it is working, but a way to get back in without console access if the rules are bad. Good habit to get into. After the initial setup, it is those "quick changes" next month where we humans can lock ourselves out. I've done it, but always ensure I have console access.

    I think you should always allow all lo traffic. Unix systems commonly use network sockets for IPC (interprocess communications), rather than using the other methods like shared memory. Any 127.x.x.x/8 should be allowed. You'll see 127.0.0.53 used or 127.1.53.1, these all resolve to "localhost", but provide effectively unlimited IPs and ports for local uses.
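The "try mode" described in the post above, written out as an added example (this is not code from the thread or from any Ubuntu package). try_rules saves the live ruleset, loads the candidate ruleset from a file in iptables-save format, and starts a detached timer that restores the saved ruleset after a timeout; confirm_rules cancels the timer once you have verified that you can still log in. It assumes iptables-save and iptables-restore from Ubuntu's iptables package; the backup and pid file paths are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): the "try mode" lockout guard the post
# above describes. try_rules loads a new ruleset (iptables-save format) and
# starts a detached timer that puts the previous ruleset back after TIMEOUT
# seconds unless confirm_rules is run first. Assumes iptables-save and
# iptables-restore (the iptables package on Ubuntu 20.04); the file paths
# are assumptions as well.
set -eu

BACKUP="${BACKUP:-/run/iptables.before-try}"
PIDFILE="${PIDFILE:-/run/iptables.try.pid}"

# Thin wrappers so the mechanism can be exercised without touching netfilter.
fw_save()    { iptables-save; }
fw_restore() { iptables-restore; }

try_rules() {   # try_rules RULES_FILE [TIMEOUT_SECONDS]
    rules="$1"
    timeout="${2:-300}"
    if [ -f "$PIDFILE" ]; then
        echo "a try is already pending; confirm it or wait for it to revert" >&2
        return 1
    fi
    fw_save > "$BACKUP"            # what we go back to if locked out
    fw_restore < "$rules"          # activate the candidate ruleset
    # Revert timer in a subshell that ignores SIGHUP, so it survives the SSH
    # session dying, which is exactly the failure it guards against.
    ( trap '' HUP; sleep "$timeout"; fw_restore < "$BACKUP"; rm -f "$PIDFILE" ) &
    echo $! > "$PIDFILE"
    echo "new rules active for ${timeout}s; run confirm to keep them"
}

confirm_rules() {
    if [ ! -f "$PIDFILE" ]; then
        echo "no pending try" >&2
        return 1
    fi
    kill "$(cat "$PIDFILE")"       # stop the revert; the new rules stay
    rm -f "$PIDFILE"
}

case "${1:-}" in
    try)     try_rules "$2" "${3:-300}" ;;
    confirm) confirm_rules ;;
    '')      ;;                    # no arguments: only define the functions
    *)       echo "usage: $0 try RULES_FILE [SECONDS] | confirm" >&2; exit 2 ;;
esac
```

Typical use is `sh try-fw.sh try /root/new-rules.v4 300` from one SSH session, then opening a second SSH session to prove the new rules let you in, then `sh try-fw.sh confirm` from either. If the second login fails, do nothing: the timer puts the old rules back. This guards only against firewall lockout; it is not a substitute for knowing where the provider's console is.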

  9. #9
    Join Date
    Apr 2020
    Beans
    26

    Re: Will using iptables secure Ubuntu?

Quote Originally Posted by TheFu
Firewalls aren't the only part of running a secure system, though they are extremely important.
• Don't use passwords for authentication, use keys. Especially for ssh.
• Don't run unnecessary services.
• Don't allow the world access to any services they have no business using.
• Stay patched.
• Don't leave development or hacking tools on the system once it is used for production.
• Have daily, automatic, versioned, backups that are stored on a different system. Backups have 1,001 uses, including a way to figure out what happened AFTER you get hacked.


You are asking and doing all the right stuff so far. Be aware that firewall interfaces are changing on other distros, so iptables isn't the only interface into the Linux kernel firewall.

I don't get why you'd run a DNS server on the internet. I've been hacked 3 times since 1993. One of those was via DNS in 2002. Since then, I pay someone else to run my DNS for public services and only use my DNS servers for internal use.

Hi, the ultimate goal is to secure the whole VPS; I will do the rest of what you suggest after I am done with iptables.

I suppose you are talking about dnsmasq when you say 'DNS server on the internet'? I'm also curious why it is exposed. I installed all this by following an online guide, and the reason to install dnsmasq is for assigning IPs (as a DHCP server) to the connected VPN users. From what I understand, a DHCP server should work offline inside the network and not be exposed to the WAN. So what do you think? Am I doing it wrong, and is there a 'real DHCP server' that I could use?

And you suggest we add the localhost to iptables as a precaution, right? How do we do that? Like this:
    iptables -A INPUT -i 127.x.x.x/8 -j ACCEPT

    thank you,

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,148
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Will using iptables secure Ubuntu?

    Securing a server isn't just a checklist. It takes smarts to think about all the different attack methods possible and restrict access for any of those attacks for only the people who need access. There's always more that can be done. It takes many years to learn, decades to understand, longer to become an expert.

    I don't use iptables on my application servers enough to know the syntax off the top of my head. My network is protected using pf on BSD. I would guess that 127.x.x.x/8 should be 127.0.0.0/8. Most subnetting doesn't like letters.

    I segment my services onto different VMs and different containers where there is any chance of conflicting software stacks.

    Open ports as seen on the server are always different than open ports seen from outside. Plus, these days we need to check both IPv4 and IPv6 networking. In my networks, we still disable IPv6 for now. We aren't ready for it and don't have any driving need to switch, though some CAs have changed some things and our renewals seem to be having issues since we don't have IPv6 AAAA records.
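On the point that the ports seen on the server differ from the ports seen from outside, and that IPv6 has to be checked separately, here is an added example (not from the thread) that sorts what `ss -tulpn` reports into loopback-only sockets, sockets bound to one interface address (such as the tap_soft address), and sockets bound to every address, on IPv4 and IPv6. The ss output embedded below is constructed to match the services named in this thread; on a real host, pipe the live `ss -tulpn` output into classify_listeners instead.

```shell
#!/bin/sh
# Added example (not from the thread): classify what "ss -tulpn" reports into
# sockets reachable only on loopback, only on a specific interface address
# (such as the tap_soft address), or on every address including IPv6.
# The ss output below is constructed to match the services named in this
# thread; on a real host pipe "ss -tulpn" into classify_listeners instead.
set -eu

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*    users:(("systemd-resolve",pid=520,fd=12))
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*    users:(("dnsmasq",pid=1200,fd=4))
udp   UNCONN 0      0      0.0.0.0:67         0.0.0.0:*    users:(("dnsmasq",pid=1200,fd=6))
udp   UNCONN 0      0      192.168.7.1:53     0.0.0.0:*    users:(("dnsmasq",pid=1200,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*       users:(("sshd",pid=800,fd=4))
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*    users:(("vpnserver",pid=900,fd=10))
tcp   LISTEN 0      128    0.0.0.0:1194       0.0.0.0:*    users:(("vpnserver",pid=900,fd=11))
tcp   LISTEN 0      128    0.0.0.0:5555       0.0.0.0:*    users:(("vpnserver",pid=900,fd=12))'

# Reads ss -tulpn output on stdin and prints: SCOPE FAMILY PROTO LOCAL PROCESS
classify_listeners() {
    awk '
    $1 == "tcp" || $1 == "udp" {
        n = split($5, a, ":")
        port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        fam = (substr(addr, 1, 1) == "[" || index(addr, "::") > 0) ? "v6" : "v4"
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /%lo$/)
            scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            scope = "ANY"
        else
            scope = "bound"
        proc = "?"
        if (match($0, /"[^"]+"/))
            proc = substr($0, RSTART + 1, RLENGTH - 2)
        printf "%-8s %s %s %s %s\n", scope, fam, $1, $5, proc
    }'
}

# Listeners the whole internet can reach before any firewall rule: "ANY" scope.
exposed_listeners() {
    classify_listeners | awk '$1 == "ANY"'
}

# How many exposed sockets are IPv6, i.e. governed by ip6tables, not iptables.
exposed_v6_count() {
    exposed_listeners | awk '$2 == "v6"' | wc -l | tr -d ' '
}

# Run on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```

The "ANY" lines are the inside view of what a port scan from another host would find on the server's public addresses with no firewall loaded; the "bound" line for dnsmasq on 192.168.7.1 is what you want to see for a service that only VPN clients should use. Anything on `[::]` is reachable over IPv6 regardless of the iptables rules, so either load matching rules with ip6tables or disable IPv6 on the VPS as the post above describes.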
