Data Networking/Fall 2014/Priya/Configuring iptables & firewall
In this section, we explain the procedure we followed to configure iptables and the firewall (ufw) to secure our Apache2 web server.
Step 1
Configuring IP tables
iptables is pre-installed on Ubuntu 14.04, but it comes with a default policy of accepting all connections. We'll add some rules to filter the incoming connections to our web server. Type the following lines in your terminal:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
sudo iptables -A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 555 -j ACCEPT
sudo iptables -A INPUT -s 192.168.3.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
sudo iptables -A INPUT -s 192.168.3.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -j DROP
The previous commands appended new rules to the INPUT chain. The first two rules accept traffic on the loopback interface and packets that belong to connections the server itself initiated (RELATED,ESTABLISHED); the next three allow HTTP (port 80), SSH (port 555) and NFS (port 2049) from the 192.168.3.0/24 subnet. ICMP echo-requests (type 8) coming from clients are rejected, while echo-replies (type 0) from clients are accepted. This guarantees that the web server can still ping the clients, but clients cannot DDoS the server by spamming ping requests. The last line drops any packet that none of the previous rules matched. Therefore, we don't need to change the default policy of the INPUT chain (ACCEPT), and we still ensure that unwanted packets never reach the server. Note that -A appends at the end of the chain, so a rule added later with -A would land after the final DROP rule and never match; insert such rules with -I, or re-run the whole list, instead.
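To see why the order of these rules matters, the following added example (not part of the original page) simulates iptables' first-match evaluation over the Step 1 rules. The rule text is a constructed copy of what `iptables -S INPUT` would print for this configuration, the packet dictionaries are constructed test inputs, and the simulator only understands the matchers used on this page (-i, -s, -p, --dport, --icmp-type, --ctstate); real conntrack state tracking is replaced by a `state` field on the packet.

```python
"""First-match simulation of the Step 1 INPUT chain (added example)."""
import ipaddress
import shlex

# Constructed: the Step 1 rules in `iptables -S INPUT` form (not captured from the page's server).
RULES_V4 = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 555 -j ACCEPT
-A INPUT -s 192.168.3.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 192.168.3.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
"""

MATCHERS = ("iface", "src", "proto", "dport", "icmp_type", "ctstate")


def parse_rules(text):
    """Return (chain policy, list of rule dicts) from `iptables -S` style text."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":            # "-P INPUT ACCEPT"
            policy = tokens[2]
            continue
        if tokens[0] != "-A":            # only appended rules are simulated
            continue
        rule = {k: None for k in MATCHERS}
        rule["target"] = None
        i = 2                            # skip "-A INPUT"; every option here takes one value
        while i + 1 < len(tokens):
            opt, val = tokens[i], tokens[i + 1]
            if opt == "-i":
                rule["iface"] = val
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--icmp-type":
                rule["icmp_type"] = int(val)
            elif opt == "--ctstate":
                rule["ctstate"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            # "-m conntrack", "-m tcp", "--reject-with ..." carry no match condition here
            i += 2
        rules.append(rule)
    return policy, rules


def matches(rule, pkt):
    """True if every matcher set on the rule agrees with the packet."""
    if rule["iface"] and pkt.get("iface") != rule["iface"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt.get("src", "0.0.0.0")) not in rule["src"]:
        return False
    if rule["proto"] and pkt.get("proto") != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["icmp_type"] is not None and pkt.get("icmp_type") != rule["icmp_type"]:
        return False
    if rule["ctstate"] and pkt.get("state", "NEW") not in rule["ctstate"]:
        return False
    return True


def verdict(policy, rules, pkt):
    """First matching rule wins; fall back to the chain policy (index None)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["target"], idx
    return policy, None


def decide(pkt, extra_rules=""):
    """Evaluate a packet against the Step 1 rules plus optional appended rules."""
    policy, rules = parse_rules(RULES_V4 + extra_rules + "\n")
    return verdict(policy, rules, pkt)


def rules_after_catchall(rules):
    """Indices of rules that can never match because an earlier rule has no matchers
    at all (such as the final `-A INPUT -j DROP`)."""
    for idx, rule in enumerate(rules):
        if all(rule[k] is None for k in MATCHERS):
            return list(range(idx + 1, len(rules)))
    return []


if __name__ == "__main__":
    samples = {
        "HTTP from LAN client": {"iface": "eth0", "src": "192.168.3.10", "proto": "tcp", "dport": 80},
        "SSH from outside LAN": {"iface": "eth0", "src": "10.0.0.5", "proto": "tcp", "dport": 555},
        "ping request from LAN": {"iface": "eth0", "src": "192.168.3.10", "proto": "icmp", "icmp_type": 8},
        "reply to our own connection": {"iface": "eth0", "src": "8.8.8.8", "proto": "tcp",
                                        "dport": 40000, "state": "ESTABLISHED"},
    }
    for name, pkt in samples.items():
        print(f"{name:30s} -> {decide(pkt)}")
    # A rule appended after the DROP line is dead: HTTPS from the LAN is still dropped.
    late = "-A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 443 -j ACCEPT"
    print("HTTPS after late -A:", decide({"iface": "eth0", "src": "192.168.3.10", "proto": "tcp", "dport": 443}, late))
    print("unreachable rule indices:", rules_after_catchall(parse_rules(RULES_V4 + late + "\n")[1]))
```

The `rules_after_catchall` check is the lint a practitioner would run before saving rules to rules.v4: any index it reports is a rule sitting behind the unconditional DROP, which is exactly what happens when a new port is opened later with `-A` instead of `-I`.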
To avoid reloading the iptables rules on every system reboot, we can install the following package, which loads the desired iptables configuration from /etc/iptables/rules.v4 at boot (the installer offers to save the currently active rules into that file).
sudo apt-get install iptables-persistent
sudo service iptables-persistent start
The same configuration can be done for ip6tables (IPv6), but since we only used IPv4 in our network, we didn't need to modify the ip6tables rules file (rules.v6).
Step 2
Configuring Firewall
To configure the firewall (ufw), we'll do the following steps to permit incoming connections from the 192.168.3.0/24 subnet to ports 80 (HTTP), 555 (SSH) and 2049 (NFS), whereas all other incoming packets are rejected by default.
# add the allow rules first, so enabling ufw does not cut off an SSH session on port 555
sudo ufw allow from 192.168.3.0/24 to any port 80
sudo ufw allow from 192.168.3.0/24 to any port 555
sudo ufw allow from 192.168.3.0/24 to any port 2049
sudo ufw enable
sudo ufw reload