Secure Server with iptables

There are lots of other things you can do to help secure your web server’s ssh port,but one of the most powerful and flexible is to bring iptables into the mix. Iptables is an applicaiton which provides instructions to the Linux kernel firewall. It provides a (relatively) easy way to view and modify the way the system’s built-in firewall tracks, filters, and transforms the network packets it receives.

How to check iptables rules.

sudo iptables -L


Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

There are only the three default iptables chains defined,
Since we haven’t set up any rules, right now iptables is doing nothing and letting all packets through.

Our goal here is to make iptables watch ssh traffic, which we’ll be receiving on TCP port 22,

To accomplish this, we need to add three rules to the INPUT chain, and we also need to create a new chain to handle the logging and dropping and then add a couple of rules to it as well.

How to ADD INPUT rules

sudo iptables -A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -m recent   –set –name DEFAULT –rsource

Here, the rule will be applied to packets that signal the start of new connections headed for TCP port 22.

Below rule will actually perform an action using a different chain, and in order to append it, we’ll need to first create the chain that it’s going to reference:

sudo iptables -N LOG_AND_DROP

For now, here is the command for the second INPUT rule:

sudo iptables -A INPUT  -p tcp -m tcp –dport 22 -m state –state NEW -m recent

    –update –seconds 60 –hitcount 4 –name DEFAULT –rsource -j LOG_AND_DROP

This rule tells iptables to look for packets that match the previous rule’s parameters, and which also come from hosts already added to the watch list. If iptables sees a packet coming from such a host, it will update the “last seen” timestamp for that host.The –seconds 60 and –hitcount 4 arguments are used to narrow further the hosts we want to block,if a host tries to connect four or more times within sixty seconds, it matches that part of the rule and we jump to the LOG_AND_DROP chain.

Last rule we need to add to INPUT is this:

sudo iptables -A INPUT  -p tcp -m tcp –dport 22 -j ACCEPT

Above rule tells iptables what to do with TCP traffic to port 22 which doesn’t match the previous rule.

We need to add some rules to tell iptables what to do with packets that get sent here—and as the name implies, we’re going to log and then drop them. First the logging:

sudo iptables -A LOG_AND_DROP -j LOG –log-prefix “iptables deny: ” –log-level 7

We’re appending above rule to the LOG_AND_DROP table, and we use the -j (jump) operator to pass the packet’s information to the logging facility.causing a log entry to be added to /var/log/syslog with the packet’s information, which will include all kinds of useful stuff in it.

sudo iptables -A LOG_AND_DROP -j DROP

After they are logged by the first rule, all packets are then dropped—that is, the packet is discarded silently by your server, without sending any error messages to the packet’s source.

Leave a Reply