Skip to content

Latest commit

 

History

History
93 lines (62 loc) · 5.38 KB

README.mkd

File metadata and controls

93 lines (62 loc) · 5.38 KB

iptables init

Build Status

Shell scripts to setup some basic iptables rules. Meant for dedicated servers and VPS where typically the place you bought it from opens up everything to that server.

Goals

  • drop in and run to have a working minimal config (note that the script may need tweaks if your server is running OpenVZ).
  • show that iptables isn't as scary or complicated as people may think
  • to support that, heavily comment the script to help understand why certain things are being done a certain way

Project layout

Aside from the usual files in base directory. The shell scripts are in subfolders to make it easy to add other custom ones at a later time. Curent folders and description:

Name Description
01_common Files you'd want in addition to others. Namely this is the reset script.
ipv4_basic_ingress Only permit some ingress traffic and allow all egress traffic. This is the original iptables-init. (IPv4 version)
ipv6_basic_ingress Only permit some ingress traffic and allow all egress traffic. This is the original iptables-init. (IPv6 version)

Initial setup

These are for the ipv4_basic_ingress rules which makes a good drop in if you want to quickly get the firewall going.

# Become root for these steps if you don't login to server as root
sudo su -
mkdir /root/iptables
cd /root/iptables
# These links can be obtained by viewing a file and then choose raw
# As of May 2014 these links are valid
wget https://raw.githubusercontent.com/vrillusions/iptables-init/master/01_common/iptables-reset.sh
wget https://raw.githubusercontent.com/vrillusions/iptables-init/master/ipv4_basic_ingress/iptables-init.sh
chmod 0700 iptables-reset.sh
chmod 0700 iptables-init.sh
  • Edit iptables-init.sh as needed (by default it allows ssh (TCP/22) and both http (TCP/80) and https (TCP/443). Also defaults may not work with some vps providers. See the file for more info.
  • Before running this make sure you have a way to recover, either the ability to power cycle the server or an admin console you can issue commands.
  • Run /root/iptables/iptables-init.sh
  • If nothing works and you get kicked from server, restart the system or via console run /root/iptables/iptables-reset.sh to get back in. Adjust settings and try again.
  • If it does work then you can mark it as verified
cp iptables-init.sh iptables-init-verified.sh
echo "/root/iptables/iptables-init-verified.sh >/dev/null" >>/etc/rc.local

You'll want to view /etc/rc.local and double check you don't see something like exit 0. You can either remove it or move that line back to the bottome of the script.

From that point on your work flow should be first edit the iptables-init.sh file. Then if after running that and are sure it works then copy it to iptables-init-verified.sh. In this way you should always be able to restart the system and have previous settings.

The above process is for just IPv4. For IPv6 use ipv6_basic_ingress. The process is the same other than the file is called ip6tables-init.sh. You can use iptables-reset.sh to reset both IPv4 and IPv6.

Monitoring firewall

As root, run iptables -nvL to get a list of all rules and their hit count.

By default any inbound traffic not handled by iptables is logged before being dropped. You can view this log by running dmesg as root. If you run dmesg -c it will print the kernel log and then clear it which makes it helpful to see what new log entries are being created. You can comment out that line if you don't care about logging everything (search for "-- log unhandled packets").

Configuration

By default it will:

  • allow incoming requests to TCP ports 80 and 443
  • allow TCP/22 for ssh with a limiter (8 attempts/min)
  • by default will allow all outgoing traffic and block all incoming
  • some things will be logging and can be read with dmesg

The file should be pretty self explanatory and be easy to add any more rules you need.

Troubleshooting

If the environment variable VERBOSE exists and is 'true' it will print additional messages while it's running. Additionally if there is a DEBUG that is 'true' it will print every line as it runs. Basically use VERBOSE if everything works but just want more info and DEBUG when things aren't working.

Origin

Gathered from far too many man pages and web sites to enumerate. This was also originally part of https://github.com/vrillusions/bash-scripts but split it off into it's own repo

TODO

  • Make more user friendly. Currently need to modify things all throughout the file. Should have some variables at the top.
  • Make ssh port one of those settings since a lot of people don't run it on a standard port
  • Check for an environment variable like IPTABLES_INIT_CONFIG and source that file
  • Create some sort of generator process so I can set all the rules in one spot and spit out both iptables and ip6tables lines.

License

Primary license is the unlicense. If where you are located doesn't honor public domain dedications then you may instead license this project under the MIT license. Only required to use one of those licenses. See LICENSE.txt for actual licenses.

Join the chat at https://gitter.im/vrillusions/iptables-init