User Guide - Using iptables to Enhance Security of your VPS


Applicable Plans: All Standard VPS, all Advanced VPS, all Premier VPS plans

This document shows you how to set up firewall rules with iptables in order to secure your virtual private server (VPS). iptables is a standard part of all modern Linux distributions. It is the tool with which administrators define rules for the kernel's packet-filtering and NAT modules (netfilter).

The best practice for an effective firewall is a default-deny policy: define the ports that must be reachable, allow exactly those, and block everything else.

This user guide assumes that you are logged into your virtual private server via SSH as root or as an account with sudo privileges, and that you have a basic understanding of Linux security and the command line. This guide is NOT for beginners. If you are unsure about anything described here, please contact eApps technical support. Warning: if you do not follow these instructions carefully, you can accidentally lock yourself out of your server. If this happens, you can log in to your control panel and restart iptables on your VPS; restarting the service reloads the last saved rule set (/etc/sysconfig/iptables), so rules you added at the command line but had not yet saved are discarded. For the same reason, do not save a new rule set until you have confirmed from a second SSH session that you can still log in. It is worth noting that the eApps network is already protected by a firewall; however, it is still a good idea to decrease your exposure to the outside by using iptables on the VPS itself.

iptables works like most other firewalls: each packet is compared, in order, against the rules in a chain. The first rule that matches decides what happens to the packet (accept or drop) and later rules are not consulted; if no rule matches, the chain's default policy applies. The next packet then starts again at the top of the chain. Because of this, the order in which you add rules matters.

There are three built-in chains in the filter table to which you can add rules: INPUT, OUTPUT and FORWARD. This document only covers INPUT (packets addressed to the VPS itself), as our systems do not typically act as routers or gateways.

First, find out which ports your server is actually listening on. The options below restrict netstat to listening TCP and UDP sockets (-t, -u, -l), show numeric ports (-n) and name the owning process (-p, which needs root):

netstat -tulnp

A service bound only to 127.0.0.1 is not reachable from outside regardless of the firewall; the sockets bound to 0.0.0.0 or :: are the ones the rules below must cover. On systems without netstat, ss -tulnp shows the same information.
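As an added example (not part of the original guide), the shell function below reads netstat output and prints each listening socket as protocol, port and whether it is bound to all interfaces or to localhost only, so you can see at a glance which ports the firewall actually has to protect. The netstat lines embedded in it are a constructed sample, not output captured from a real VPS; on a live system pipe `netstat -tuln` into the function instead.

```shell
#!/bin/sh
# Added example: classify listening sockets from "netstat -tuln" style output.
#   netstat -tuln | listening_ports
# prints one line per socket: "proto port external|local"

listening_ports() {
    awk '
        # keep TCP sockets in LISTEN state and every UDP socket; skip headers
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            n    = split($4, part, ":")      # field 4 is the local address, port after the last colon
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # 127.x.x.x and ::1 can only be reached from the VPS itself
            scope = (addr ~ /^127\./ || addr == "::1") ? "local" : "external"
            proto = ($1 ~ /^tcp/) ? "tcp" : "udp"   # tcp6/udp6 are folded into tcp/udp
            print proto, port, scope
        }' | LC_ALL=C sort -u
}

# Constructed sample of "netstat -tuln" output (not captured from a real server)
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp6       0      0 :::443                      :::*                        LISTEN
udp        0      0 0.0.0.0:53                  0.0.0.0:*
udp        0      0 127.0.0.1:323               0.0.0.0:*
EOF
}

# The ports you must decide about: bound to every interface, so iptables is the only barrier
external_ports() {
    sample_netstat | listening_ports | awk '$3 == "external" { print $1 "/" $2 }'
}

if [ "${1:-}" = "demo" ]; then
    sample_netstat | listening_ports
fi
```

In the sample, MySQL (3306) and chrony (323) are bound to localhost and need no firewall rule at all, while 22, 80, 443 and 53 are the ones that must appear in the allow list or be blocked by the final DROP.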

Ports that you might want to keep open are:

SERVICE      PORT   DESCRIPTION
FTP-data     20     Only if you use FTP on your server
FTP          21     FTP control connection; only if you use FTP
SMTP         25     Sendmail (incoming mail delivery)
DNS          53     Domain Name Service (needs both TCP and UDP)
WWW          80     Standard web server port
POP3         110    For receiving email
IMAP         143    For receiving email
IMAP3        220    Obsolete IMAP variant; rarely needed
LDAP         389    Lightweight Directory Access Protocol
HTTPS        443    HTTP using SSL/TLS
SMTPS        465    Secure SMTP (SMTP over SSL/TLS)
IMAPS        993    Secure IMAP
CVSPSERVER   2401   CVS
MySQL        3306   Only if you need to access your database from the outside
SVN          3690   Subversion
PostgreSQL   5432   Only if you need to access your database from the outside
Webcache     8080   To access Tomcat or JBoss directly

Note that FTP in passive mode negotiates an additional data port for every transfer, so opening 20 and 21 alone is not enough: you also need the nf_conntrack_ftp kernel module (ip_conntrack_ftp on older kernels) together with a rule accepting RELATED connections, or a fixed passive port range configured in the FTP server and opened explicitly. Database ports such as 3306 and 5432 should normally stay reachable from localhost only.

For anything else that netstat shows, look the port number up in /etc/services to identify the service (that file only maps port numbers to names; editing it does not disable anything). Then stop and disable any service you know you are not using, and bind the ones that only need local access to 127.0.0.1 so that their ports do not have to be opened at all.

First, allow connections to the services that you really do need to reach from outside your VPS. Because rules are matched in order, the rule for SSH (port 22) must be added before anything that could block it.

The first rules you should add are:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The last rule lets in the replies to connections that the VPS itself initiated: the answers to its own DNS lookups, outbound mail delivery to port 25 on other servers, package downloads and so on. Do not try to achieve this with rules that match on the remote (source) port, such as --sport 25 or --sport 53. The source port is chosen by the remote side, so such a rule would let anyone reach any port on your VPS simply by sending their packets from port 53.

Now that you cannot lock yourself out of SSH, you can continue adding the services that you need to reach from the Internet (use -p udp for UDP services such as DNS):

iptables -A INPUT -p tcp --dport [port number] -j ACCEPT
iptables -A INPUT -p udp --dport [port number] -j ACCEPT

Then allow all other services that you may need from the VPS itself, by accepting everything that arrives on the loopback interface:

iptables -A INPUT -i lo -j ACCEPT

Matching on the interface is preferable to matching on --source 127.0.0.1: it covers every 127.0.0.0/8 address, not just 127.0.0.1, and it does not rely on an address that a packet arriving from the network could carry.

If you want to be able to ping your VPS, accept ICMP. You may prefer not to, as echo requests can be used in flooding (DoS or DDoS) attacks. Be aware that the rule below accepts every ICMP type; to allow ping only, add --icmp-type echo-request. Dropping all ICMP also discards the error messages (such as "fragmentation needed") that path MTU discovery relies on; a rule accepting RELATED packets lets those through even when echo requests are dropped.

iptables -A INPUT -p icmp -j ACCEPT

Now deny EVERYTHING else. Make absolutely sure that this is the last rule in the chain: any rule appended with -A after it is never reached, so when you later add a service you must insert its rule above the DROP (iptables -I INPUT [position] ...) rather than append it.

iptables -A INPUT -j DROP

(-p all is the default and can be omitted.) An equivalent approach is to set the chain's default policy with iptables -P INPUT DROP instead of a final rule; if you do that, set the policy only after the ACCEPT rules are in place.
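The rule set described above as one re-runnable script, added here as an example and not part of the original guide. Setting IPT to the show helper prints the commands instead of running them, so you can review the rule order before applying it as root. The ports opened in the usage line (80 and 443), the SSH port and the extra INVALID-state drop are assumptions for the example.

```shell
#!/bin/sh
# Added example: build the INPUT chain in the order described above.
#   IPT=show sh vps-firewall.sh 80 443    # dry run: print the rules
#   sh vps-firewall.sh 80 443             # apply (as root)
# Every port given on the command line is opened for TCP; SSH is always opened first.

IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}          # assumption: sshd listens on the default port

# Dry-run helper: with IPT=show each rule is printed rather than applied
show() { printf 'iptables %s\n' "$*"; }

# firewall_rules PORT... : rebuild the INPUT chain from scratch, so re-running the
# script never duplicates rules, and keep the catch-all DROP as the last rule.
firewall_rules() {
    $IPT -P INPUT ACCEPT                                   # a mistake below fails open, not closed
    $IPT -F INPUT                                          # discard any old INPUT rules
    $IPT -A INPUT -i lo -j ACCEPT                          # everything on the loopback interface
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to our own connections
    $IPT -A INPUT -m state --state INVALID -j DROP         # packets that belong to no connection
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT     # SSH before anything that could block it
    for port in "$@"; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT     # services reachable from the Internet
    done
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT   # ping only, not every ICMP type
    $IPT -A INPUT -j DROP                                  # deny everything else: must stay last
}

if [ $# -gt 0 ]; then
    if [ "$IPT" = iptables ] && [ "$(id -u)" -ne 0 ]; then
        echo "run as root, or set IPT=show for a dry run" >&2
        exit 1
    fi
    firewall_rules "$@"
fi
```

The script resets the chain's policy to ACCEPT before flushing it, so an error half-way through leaves the VPS open rather than locked; only after a dry run looks right and a second SSH session still works should you save the result with iptables-save as described below.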

Before saving, open a second SSH session and confirm that you can still log in and that your services respond: the running rules are not yet persistent, so if you have locked yourself out a restart of iptables from the control panel will undo them. Then back up any previously saved configuration (the brace expansion below needs bash):

cp /etc/sysconfig/iptables{,.bak-`date +%F`}

Save the current running configuration (on Red Hat and CentOS, service iptables save does the same):

iptables-save > /etc/sysconfig/iptables

Then restart iptables so that the saved file is loaded, and verify that your settings were successful. status prints the active rules; iptables -L INPUT -n -v --line-numbers shows the same with rule numbers and packet counters, which lets you confirm that the DROP rule is last and that traffic is hitting the rules you expect.

/etc/init.d/iptables restart
/etc/init.d/iptables status
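As an added check (example code, not from the guide), the function below reads an iptables-save style file such as /etc/sysconfig/iptables, or the output of iptables-save on standard input, and confirms that the INPUT chain ends in a catch-all DROP (or has a DROP policy), that an ACCEPT for tcp/22 comes before it, and that nothing was appended after the DROP, which is the usual mistake when rules are added later with -A. The two rule sets embedded in it are constructed samples, not saved from a real VPS.

```shell
#!/bin/sh
# Added example: sanity-check the INPUT chain of a saved rule set.
#   check_input_chain /etc/sysconfig/iptables
#   iptables-save | check_input_chain
# Exit status 0 when the chain is sane, 1 otherwise; findings are printed.

check_input_chain() {
    awk '
        /^:INPUT DROP/ { policy_drop = 1 }        # default deny via the chain policy instead of a rule
        /^-A INPUT / {
            n++
            if (drop) { dead = dead "\n  rule " n ": " $0; next }  # after the catch-all: unreachable
            if ($0 ~ /^-A INPUT (-p all )?-j DROP$/) { drop = n; next }
            if ($0 ~ /--dport 22 / && $0 ~ /-j ACCEPT/) ssh = n
        }
        END {
            ok = 1
            if (!drop && !policy_drop) { print "FAIL: INPUT neither ends in a DROP rule nor has a DROP policy"; ok = 0 }
            if (!ssh) { print "FAIL: no ACCEPT for tcp/22 before the DROP; you would be locked out"; ok = 0 }
            if (dead != "") { print "FAIL: rules appended after the catch-all DROP are never reached:" dead; ok = 0 }
            if (ok) print "OK: " n " INPUT rules, catch-all DROP is rule " drop
            exit !ok
        }' "$@"
}

# Constructed sample of a saved rule set that follows this guide (not from a real VPS)
good_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# The same set after someone later ran "iptables -A INPUT -p tcp --dport 443 -j ACCEPT":
# the new rule lands after the DROP, so HTTPS stays blocked although the rule exists.
bad_rules() {
    good_rules | awk '/^COMMIT$/ { print "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" } { print }'
}

if [ "${1:-}" = "demo" ]; then
    good_rules | check_input_chain
    bad_rules | check_input_chain
fi
```

Run it against /etc/sysconfig/iptables after every save; a non-zero exit status in a cron job or deployment script is a cheap way to catch a lock-out or a dead rule before it costs you a control-panel restart.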

You'll also want to make sure that the iptables service starts by default at boot (on systemd-based distributions the equivalent is systemctl enable iptables, provided the iptables-services package is installed):

chkconfig iptables on

To remove a single rule, first list the chain with rule numbers (iptables -L INPUT -n --line-numbers), then delete by number; the remaining rules are renumbered after each deletion, so list again before deleting another:

iptables -D INPUT [number of the rule]

or delete by repeating the rule specification exactly as it was added:

iptables -D INPUT [text of the rule]

To remove all rules from the chain:

iptables -F INPUT

Note that -F only removes the rules; it does not change the chain policy. With the ACCEPT policy used in this guide, flushing leaves the VPS completely open until you add rules again.

Notes:

This simple but VERY effective policy only allows the traffic that you intend and greatly reduces the chance that your VPS is compromised. The fewer services you expose to the Internet, the better. A typical minimal set for a server offering web and mail would be ports 22, 80, 443, 25, 110 and 143 visible from the outside: SSH for administration, HTTP and HTTPS for the web site, and SMTP, POP3 and IMAP for email. If your mail clients support it, prefer the TLS variants (993 for IMAPS, 995 for POP3S) and keep the cleartext ports 110 and 143 closed, since they carry passwords unencrypted. Rules added with -A but not saved with iptables-save are lost at the next restart, so save, and re-check with the status command, after every change.
