Firewall

Status:

complete

Last edited: 2015-12-02 09:00h

Introduction

Warning

This guide is only for people with a good level of experience in administering a dedicated Linux server. Handling a firewall can be very dangerous: you can lock yourself out of your server, which will force you to restart it in HARD mode. If you make a mistake in the final script and set it to run automatically at startup, you won’t have any access to your own server any more! Be very careful, and if you don’t feel comfortable with this guide, don’t set up your firewall!

A firewall is software that blocks some ports on your server and leaves others open. Think of your house: you have a front door and a back door. You never use the back door, so you had better board it up, because it is a potential way in for a thief. A firewall works the same way: we close every port we don’t need.

What are the commonly used ports ?

Warning

First of all, be very careful about what you are doing, because you risk closing the wrong port. If you close the SSH port, for example, you will have to get back in via telnet or webmin, or reboot the server.

By default, the open ports on an OVH server are:

Port    Service   Description
21      ftp       Default FTP server port
22      ssh       Default SSH server port
23      telnet    Default Telnet port
25      smtp      Default SMTP port
53      dns       Default DNS service port
80      http      Default HTTP port
110     pop3      Default POP3 email server port
143     imap      Default IMAP email server port
443     https     Default HTTPS port
10000   webmin    Depending on which server configuration panel you use

These ports are open by default, but you may be running software that opens others. It’s up to you to know which ones you need to keep, and whether, for security, you will configure services to run on other ports that potential hackers won’t know about. Once you have made your choices, you’re ready to start.

IPTables

Iptables is a powerful firewall, installed on all OVH servers. The process is as follows: we open some ports and close the rest. In this example, only port 22 (SSH) and port 80 (HTTP) will remain open. This is only an example; adapt it to your needs.

Connect as root using SSH, then check the iptables version:

iptables -V
iptables v1.2.4

This version is too old. We’ll install version 1.2.9:

Note

Below we show how to compile and install iptables from source; depending on your distribution, this procedure can vary. Most distributions with a package manager provide an up-to-date iptables package.

cd /root
wget http://www.netfilter.org/files/iptables-1.2.9.tar.bz2
tar xvfj iptables-1.2.9.tar.bz2
cd iptables-1.2.9
make KERNEL_DIR=/usr/src/linux
su
make install KERNEL_DIR=/usr/src/linux
cd /sbin
mv iptables iptables.old
mv iptables-restore iptables-restore.old
mv iptables-save iptables-save.old
ln -s /usr/local/sbin/iptables iptables
ln -s /usr/local/sbin/iptables-restore iptables-restore
ln -s /usr/local/sbin/iptables-save iptables-save
iptables -V
iptables v1.2.9

It’s done, iptables is up to date, we can move on.

We list the currently active rules:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
 
Chain FORWARD (policy ACCEPT)
target prot opt source destination
 
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

We can see 3 chains: INPUT, FORWARD and OUTPUT. First, we’ll work on the INPUT chain (inbound traffic). We authorize ports 22 and 80:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

Description of the command flags:

  • -A INPUT: We append our rule to the INPUT chain.
  • -i eth0: Here, we only consider the ethernet interface.
  • -p tcp: The protocol concerned is TCP (we only work on this one for the moment).
  • --dport 22: The rule applies to the SSH destination port (number 22).
  • -j ACCEPT: We accept this traffic.

We display all rules:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp - anywhere anywhere tcp dpt:ssh
ACCEPT tcp - anywhere anywhere tcp dpt:www
 
Chain FORWARD (policy ACCEPT)
target prot opt source destination
 
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

We see the new rules in the INPUT chain; it’s a good sign ;)

We can see that the default policy is to accept everything (Chain INPUT (policy ACCEPT)). We want to block all the traffic we didn’t explicitly authorize, so we’ll add a rule that blocks the other ports. But we run into a problem:

When our server opens a connection to, for example, the kernel.org server to download a new kernel, it sends a request and waits for the response. The request reaches kernel.org correctly, but how will the answer get back to our server if we have blocked everything?

Fortunately, iptables is powerful and can sort packets according to their connection state. We therefore add a rule:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now we can block the rest (Warning: this is where the firewall comes fully into action; check that your rules are correct, otherwise you will lock yourself out of your server!):

iptables -A INPUT -i eth0 -j DROP

For this rule, we have 2 choices. The first is to drop packets: if a packet arrives and isn’t accepted, we discard it silently, and the client waits for a response until it times out. The second is to reject packets (REJECT instead of DROP): if an unsolicited packet arrives, we send an error back to the client, which won’t keep waiting because it has received a negative response.

Rejecting packets is cleaner, but dropping is slightly more secure: if someone keeps sending packets to a closed port, your server won’t spend anything processing them, whereas with the REJECT rule it takes time to answer each one.

It’s up to you ;)

To reset your firewall, type:

iptables -F INPUT

This command deletes all the rules in the INPUT chain. If you want to insert a rule between the first and the second, type:

iptables -I INPUT 2 ... (followed by the rest of your rule)

To delete rule number 3, type:

iptables -D INPUT 3

To block an IP address completely:

iptables -I INPUT 1 -s <ip address> -j DROP

Now the firewall is active. Scan your server and you will see only ports 22 and 80 open. If the scan is very slow, that is because of the DROP rule.

OVH Monitoring

If you want to block the ICMP protocol (ping requests), you must still allow at least ping.ovh.net, proxy.p19.ovh.net, proxy.rbx.ovh.net, proxy.ovh.net and proxy.rbx2.ovh.net to ping your server. This lets the OVH teams check the status of your server.

In addition, you must allow the IP address derived as in the following example:

If the IP address of your server is aaa.bbb.ccc.ddd, you must allow aaa.bbb.ccc.250.

Example: 213.186.57.153 must allow 213.186.57.250 for the SLA server and 213.186.57.251 for the MRTG server so that it can use RTM.

If you own an HG server, also allow the IP address aaa.bbb.ccc.249 (temporary rule).

If you block all ping requests, including OVH’s, we won’t be able to check the state of your server, and if a problem occurs we won’t be informed.

To authorize pings from our servers, add the following rules:

iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.sbg.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.bhs.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG server

Concerning SSH, if you want to restrict access to your own IP address only, we advise you to also keep cache.ovh.net. In case of a problem on your server, we will then be able to intervene and fix it. If you close port 22 to OVH technicians, we won’t be able to help you if your server is locked.

To authorize SSH from our server, add the following rule:

iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT

If you have a RAID filer, don’t forget to authorize the NFS connections. We can authorize everything coming from the internal network 192.168.0.0/16:

iptables -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT

If you have a cluster configuration, you must authorize port 79 so that OCO can communicate with the load distributor.

iptables -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT

For an RPS server: the interface monitored by our services is eth0, and the firewall rules should be applied there. If you block all ping requests, even those from OVH, we will no longer monitor the running state of your server, and if it goes down we won’t be aware of it. To allow pings from our servers, create the following rules:

iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP monitoring system for RTM
iptables -A INPUT -i eth0 -p icmp --source IP.251 -j ACCEPT # IP monitoring system for SLA
iptables -A INPUT -i eth0 -p icmp --source 151.80.231.244 -j ACCEPT # Monitoring
iptables -A INPUT -i eth0 -p icmp --source 151.80.231.245 -j ACCEPT # Monitoring
iptables -A INPUT -i eth0 -p icmp --source 151.80.231.246 -j ACCEPT # Monitoring
iptables -A INPUT -i eth0 -p icmp --source 37.187.231.251 -j ACCEPT # Monitoring

You will also need to authorize your SAN; to find out its address, run the following command:

netstat -tanpu | grep iscsi
tcp 0 0 91.121.xx.xx:38632 91.121.191.16:3260 ESTABLISHED 3097/iscsid

So the IP address of your SAN is 91.121.191.16, and the rule to add is:

iptables -A INPUT -i eth0 -p tcp --source 91.121.191.16 -j ACCEPT

Example of complete configuration

Here’s an example of a complete script to protect your server with iptables. It is permissive, because all the services present on your server remain reachable, but you can use it as a basis for your own configuration:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 --source xx.xx.xx.xx -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 --source xx.xx.xx.xx -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source xxx.xxx.xxx.250 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source xxx.xxx.xxx.251 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source 151.80.231.244 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source 151.80.231.245 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source 151.80.231.246 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source 37.187.231.251 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
iptables -A INPUT -i eth0 -j REJECT

In these rules, replace xx.xx.xx.xx with the IP address of the machine from which you connect to your server by FTP and SSH.

Warning

If you intend to use the RTM service, you MUST allow outgoing UDP traffic to xxx.xxx.xxx.251 on ports 6100 to 6200. Otherwise, the RTM information won’t show up in your Manager.

Automate the firewall

Once your server is correctly configured, you have to create a script that runs at each boot of your server. Here’s an example to put in a file named, for example, firewall in the directory /etc/init.d/:

#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall

IPT=/sbin/iptables

case "$1" in
    start)
        $IPT -F INPUT
        $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
        $IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 21 --source xx.xx.xx.xx -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 22 --source xx.xx.xx.xx -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source xxx.xxx.xxx.251 -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source xxx.xxx.xxx.250 -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source 151.80.231.244 -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source 151.80.231.245 -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source 151.80.231.246 -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source 37.187.231.251 -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
        $IPT -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
        $IPT -A INPUT -i eth0 -j REJECT
        exit 0
        ;;
    stop)
        $IPT -F INPUT
        exit 0
        ;;
    *)
        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1
        ;;
esac

Give it permissions 700, then type /etc/init.d/firewall start to start it and /etc/init.d/firewall stop to stop it. To launch it automatically at startup:

chkconfig --level 3 firewall on
chkconfig --level 06 firewall off

Before launching the script at each startup, check that it is correct, otherwise your server will be completely locked!
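A concrete way to do that check, as an added example that is not part of the OVH guide: the script below reads an init script shaped like the one above (one "$IPT -A INPUT ..." rule per line) and reports the two ordering mistakes that lock you out after a reboot, a catch-all DROP/REJECT with no SSH ACCEPT before it, and a catch-all placed before the ESTABLISHED,RELATED rule. The function names are this example’s own, and the file it is run on is whatever you point it at.

```shell
#!/bin/sh
# Added example, not part of the OVH guide: a static pre-flight check for an
# init script of the shape shown above, to run before enabling it with
# chkconfig. It only reads the file; it never touches the running firewall.

# line_of REGEX FILE: line number of the first line matching REGEX (extended
# regex), or 0 when nothing matches.
line_of() {
    n=$(grep -n -E -- "$1" "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_firewall_script FILE: print "ok" and return 0 when the rule order is
# safe; otherwise print what is wrong and return 1.
check_firewall_script() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    est=$(line_of 'state ESTABLISHED,RELATED -j ACCEPT' "$f")
    ssh=$(line_of 'dport 22 .*-j ACCEPT' "$f")
    last=$(line_of '-A INPUT -i eth0 -j (DROP|REJECT)' "$f")
    if [ "$last" -eq 0 ]; then
        echo "no catch-all DROP/REJECT rule: every port stays open"
        return 1
    fi
    if [ "$est" -eq 0 ] || [ "$est" -gt "$last" ]; then
        echo "ESTABLISHED,RELATED rule missing or placed after the catch-all (line $last)"
        return 1
    fi
    if [ "$ssh" -eq 0 ] || [ "$ssh" -gt "$last" ]; then
        echo "no SSH ACCEPT before the catch-all (line $last): you will be locked out"
        return 1
    fi
    echo "ok"
}

# Stand-alone usage: sh check-firewall.sh /etc/init.d/firewall
if [ -n "${1:-}" ]; then
    check_firewall_script "$1"
fi
```

Run it against the script before the chkconfig step; a non-zero exit is the signal to fix the order first. It checks only the order of the rules, not whether the source addresses in them are the right ones, so it complements rather than replaces a test from a second SSH session.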