Data Networking/Fall 2014/Priya/Configuring iptables & firewall

In this section we explain the iptables and ufw firewall configuration we used to secure our Apache2 web server.

Step 1
Configuring iptables

iptables is pre-installed on Ubuntu 14.04, but its chains start with a default policy of ACCEPT, so every incoming connection is allowed until rules are added. We append the following rules to filter the connections that reach the web server. Type the following lines into your terminal:

    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
    sudo iptables -A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 555 -j ACCEPT
    sudo iptables -A INPUT -s 192.168.3.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
    sudo iptables -A INPUT -s 192.168.3.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
    sudo iptables -A INPUT -j DROP

The previous commands appended rules to the INPUT chain. They accept loopback traffic, accept replies to connections the server itself opened, and allow new connections from the 192.168.3.0/24 subnet to HTTP (port 80), SSH (which we run on port 555 instead of 22) and NFS (TCP port 2049, which is enough for NFSv4; NFSv3 also needs rpcbind on port 111). ICMP echo-requests from clients are rejected with an ICMP port-unreachable error, while echo-replies are accepted. This guarantees that the web server can ping the clients, but clients cannot ping the server and so cannot flood it with echo-requests (REJECT still answers each request with an ICMP error; a host that must absorb a real flood should DROP them instead). The last line drops every packet that no previous rule matched. Because of this catch-all we did not change the default policy of the chain (ACCEPT), but that has two consequences to keep in mind: a rule appended later with -A lands after the DROP and never matches (insert it with -I instead), and flushing the chain with iptables -F leaves the server completely open. Setting the policy itself to DROP avoids both, provided the rule for your SSH port is in place before you do it.

To avoid re-entering the rules after every reboot, install iptables-persistent, which restores the rule set saved in /etc/iptables/rules.v4 at boot (the installer offers to save the currently loaded rules into that file). After any later change, write the running rule set back to that file, otherwise the change is lost at the next reboot.

    sudo apt-get install iptables-persistent
    sudo service iptables-persistent start

The same configuration can be applied to ip6tables (IPv6), whose rules the package stores in /etc/iptables/rules.v6. Since our network used only IPv4 we did not modify them. Note, however, that if IPv6 is enabled on the server's interfaces, the same services remain reachable over IPv6 with no filtering at all until ip6tables is configured or IPv6 is disabled.


Step 2
Configuring the firewall with ufw

To do the same with ufw, the Ubuntu front end for iptables, we permit incoming TCP connections from the client subnet to ports 80 (HTTP), 555 (SSH) and 2049 (NFS); ufw's default policy denies (drops) every other incoming packet. Two details matter here: the source must be written with its prefix length (192.168.3.0/24), because a bare 192.168.3.0 is a single host address and no client would ever match it, and the allow rules must be added before ufw is enabled, otherwise an SSH session on port 555 is cut the moment the default deny takes effect. ufw inserts its own chains at the head of the INPUT chain, so when it is enabled next to the rules from Step 1 its rules are evaluated first and you end up maintaining two rule sets; in practice, let one of the two manage the filter.

    sudo ufw allow proto tcp from 192.168.3.0/24 to any port 80
    sudo ufw allow proto tcp from 192.168.3.0/24 to any port 555
    sudo ufw allow proto tcp from 192.168.3.0/24 to any port 2049
    sudo ufw enable
    sudo ufw status verbose
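The following script is an example added here; it is not part of the original project. It generates the Step 1 rule set in the file format that iptables-persistent restores from /etc/iptables/rules.v4, and with the -u switch prints the Step 2 rules in ufw syntax instead. It takes the client subnet and the allowed TCP ports as arguments and refuses a subnet written without a prefix length, since iptables and ufw would treat a bare 192.168.3.0 as a single host. The subnet 192.168.3.0/24 and the ports 80, 555 and 2049 come from the page; the DROP policies, the drop of packets conntrack marks INVALID, the rate-limited LOG rule and the file name rules.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original project: build the Step 1 rule set
# as an iptables-restore file (what iptables-persistent loads from
# /etc/iptables/rules.v4) and print the Step 2 rules in ufw syntax.
# Assumptions: clients are in 192.168.3.0/24 and sshd listens on 555 (both from
# the page); the DROP policies, INVALID-state drop and LOG rule are additions
# of this example.

# valid_cidr ADDR/LEN: accept only an IPv4 address with an explicit prefix
# length. A bare 192.168.3.0 is a single host to iptables and ufw, so a rule
# written that way would never match any client.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    len=${1#*/}
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$ip" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ]
}

# gen_rules_v4 SUBNET PORT...: write the rule set to stdout in the format
# iptables-restore expects. The policy line ':INPUT DROP' replaces the
# trailing '-A INPUT -j DROP' of the interactive version, so rules appended
# later still take effect and a flush leaves the host closed, not open.
gen_rules_v4() {
    subnet=$1
    shift
    valid_cidr "$subnet" || { echo "gen_rules_v4: subnet needs a prefix length: $subnet" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    # Only new connections from the client subnet to the listed TCP ports.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -s $subnet -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Echo-request from clients is answered with an ICMP error, as on the page.
    # Echo-reply to the server's own pings needs no rule of its own: conntrack
    # already classifies it as ESTABLISHED and the rule above accepts it.
    printf '%s\n' "-A INPUT -s $subnet -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable"
    # Rate-limited log line for everything that is about to hit the DROP policy,
    # so blocked connection attempts show up in the kernel log.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo COMMIT
}

# ufw_commands SUBNET PORT...: the same policy in ufw syntax. The allow rules
# come before 'ufw enable' so the default deny never cuts the SSH session
# used to configure the host. Run the printed lines as root.
ufw_commands() {
    subnet=$1
    shift
    valid_cidr "$subnet" || { echo "ufw_commands: subnet needs a prefix length: $subnet" >&2; return 1; }
    echo "ufw default deny incoming"
    for port in "$@"; do
        echo "ufw allow proto tcp from $subnet to any port $port"
    done
    echo "ufw enable"
}

# Usage: rules.sh SUBNET PORT...      -> rules.v4 contents on stdout
#        rules.sh -u SUBNET PORT...   -> ufw commands on stdout
if [ "$1" = "-u" ]; then
    shift
    ufw_commands "$@"
elif [ $# -ge 2 ]; then
    gen_rules_v4 "$@"
fi
```

Run it as `sh rules.sh 192.168.3.0/24 80 555 2049 > rules.v4`, check the file with `iptables-restore --test < rules.v4` (parses the rule set without committing it), then copy it to /etc/iptables/rules.v4 for iptables-persistent or load it at once with `sudo iptables-restore < rules.v4`. Because the file sets a DROP policy on INPUT, make sure your SSH port is in the port list before loading it over a remote session.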