Friday, June 4, 2004

iptables with VPS

I have a virtual private server with TekTonic, and I wanted to set up iptables to secure the server. I then looked on the web for some examples of people who had set up iptables to secure their servers. I found a couple of links:




I started following these examples and noticed that I wasn't able to use some of the rules. One of the most important ones was the state module. I thought I could fix the problem by installing iptables from an RPM, but that didn't solve it.



I then looked at what kernel modules were installed, and it appears that the only kernel modules available are the ones built into the kernel. Tech support stated that their VPS is not able to run other kernel modules.


Here is the list of the included kernel modules:


[root@www root]# lsmod
Module Size Used by Tainted: P
iptable_nat 20020 0 (autoclean) (unused)
ip_conntrack 25876 1 (autoclean) [iptable_nat]
cls_fw 4128 2 (autoclean)
sch_cbq 14944 2 (autoclean)
vzdquota 21664 67
vzmon 75696 67
vzfs 29364 67
af_packet 10760 0
vznet 18688 68 [vzmon]
vzdev 1760 -1 [vzdquota vzmon vznet]
e1000 65160 0 (unused)
e100 50052 1
ipt_REDIRECT 2432 3
ipt_length 1952 1
ipt_ttl 2016 1
ipt_tcpmss 2496 1
ipt_TCPMSS 3840 1
ipt_multiport 2272 5
ipt_limit 2560 1
ipt_tos 1888 1
ipt_REJECT 4384 2
iptable_filter 3520 37 (autoclean)
ipt_mark 1312 0 (autoclean)
ipt_MARK 1632 0 (autoclean)
iptable_mangle 3584 3 (autoclean)
ip_tables 16160 754 [iptable_nat ipt_REDIRECT ipt_length ipt_ttl ipt_tcpmss ipt_TCPMSS ipt_multiport ipt_limit ipt_tos ipt_REJECT iptable_filter ipt_mark ipt_MARK iptable_mangle]


It looks like the ipt_state module (the one that provides the -m state match) is not included in their kernel. This means that I cannot use iptables as a stateful firewall.


These are the rules that I decided to use for the firewall. I am hoping that tech support will add that module, along with the LOG module.



# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -N valid-tcp-flags
# iptables -A INPUT -p tcp -j valid-tcp-flags
# iptables -A OUTPUT -p tcp -j valid-tcp-flags
# iptables -A FORWARD -p tcp -j valid-tcp-flags
# iptables -N valid-source-address
# iptables -A INPUT -p ! tcp -j valid-source-address
# iptables -A INPUT -p tcp --syn -j valid-source-address
# iptables -A FORWARD -p ! tcp -j valid-source-address
# iptables -A FORWARD -p tcp --syn -j valid-source-address
# iptables -N valid-destination-address
# iptables -A OUTPUT -j valid-destination-address
# iptables -A FORWARD -j valid-destination-address
# iptables -A valid-tcp-flags -p tcp --tcp-flags ALL NONE -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# iptables -A valid-source-address -s 10.0.0.0/8 -j DROP
# iptables -A valid-source-address -s 172.16.0.0/12 -j DROP
# iptables -A valid-source-address -s 192.168.0.0/16 -j DROP
# iptables -A valid-source-address -s 224.0.0.0/4 -j DROP
# iptables -A valid-source-address -s 240.0.0.0/5 -j DROP
# iptables -A valid-source-address -s 127.0.0.0/8 -j DROP
# iptables -A valid-source-address -s 0.0.0.0/8 -j DROP
# iptables -A valid-source-address -d 255.255.255.255 -j DROP
# iptables -A valid-source-address -s 169.254.0.0/16 -j DROP
# iptables -A valid-source-address -s 192.0.2.0/24 -j DROP
# iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 10000 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 25 --sport 1024:65535 -j ACCEPT
# iptables -I INPUT 10 -p udp -m udp --sport 6277 -j ACCEPT
# iptables -A INPUT -p tcp --dport 3306 --sport 1024:65535 -j DROP
# iptables -A INPUT -p tcp --dport 1:1023 -j DROP


They seem to be doing the right thing.
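To see what the rules above actually do without the state module, here is an added example (not code from the post) that models the INPUT chain in Python: it implements the iptables --tcp-flags MASK COMP test that the valid-tcp-flags chain relies on, the reserved-source check from valid-source-address, and the port rules in order. It assumes the rules are loaded into an empty INPUT chain with no -P set, so the chain keeps iptables' default ACCEPT policy; the packets and the 198.51.100.10 / 203.0.113.5 addresses are constructed, not captured traffic.

```python
"""Stateless model of the post's INPUT chain (added example, not the post's own
code).  It implements the iptables --tcp-flags MASK COMP test and the
reserved-source check so the rules can be reasoned about without a kernel.
Sample packets below are constructed, not captured traffic."""
import ipaddress

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FIN, SYN, RST, PSH, ACK, URG = (TCP_FLAG_BITS[f] for f in TCP_FLAG_BITS)


def flags_to_int(spec):
    """Parse an iptables flag list such as 'SYN,FIN', 'ALL' or 'NONE'."""
    if spec == "ALL":
        return sum(TCP_FLAG_BITS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAG_BITS[f] for f in spec.split(","))


def tcp_flags_match(mask, comp, pkt_flags):
    """--tcp-flags MASK COMP: looking only at the bits in MASK, exactly the
    bits in COMP must be set.  'ACK,FIN FIN' therefore means FIN without ACK."""
    return pkt_flags & flags_to_int(mask) == flags_to_int(comp)


# The post's valid-tcp-flags chain as (mask, comp) pairs; a match is a DROP.
VALID_TCP_FLAGS_DROPS = [("ALL", "NONE"), ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"),
                         ("ACK,URG", "URG"), ("SYN,FIN", "SYN,FIN"),
                         ("SYN,RST", "SYN,RST"), ("FIN,RST", "FIN,RST")]


def valid_tcp_flags(pkt_flags):
    for mask, comp in VALID_TCP_FLAGS_DROPS:
        if tcp_flags_match(mask, comp, pkt_flags):
            return "DROP"
    return "RETURN"          # end of user chain: back to the calling chain


# Networks the post's valid-source-address chain drops as a source.
BAD_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/5",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24")]


def valid_source_address(src, dst):
    if dst == "255.255.255.255":          # the chain's one destination rule
        return "DROP"
    return "DROP" if any(ipaddress.ip_address(src) in n for n in BAD_SOURCES) else "RETURN"


def input_verdict(p):
    """Walk the post's INPUT rules in order.  The post sets no -P, and iptables
    built-in chains default to policy ACCEPT, so an unmatched packet is accepted."""
    if p["iif"] == "lo":
        return "ACCEPT"
    tcp, udp = p["proto"] == "tcp", p["proto"] == "udp"
    if tcp and valid_tcp_flags(p["flags"]) == "DROP":
        return "DROP"
    syn = tcp and tcp_flags_match("SYN,RST,ACK", "SYN", p["flags"])  # what --syn expands to
    if (not tcp or syn) and valid_source_address(p["src"], p["dst"]) == "DROP":
        return "DROP"
    high_sport = 1024 <= p["sport"] <= 65535
    if udp and p["sport"] == 53 and 1024 <= p["dport"] <= 65535:
        return "ACCEPT"                       # DNS answers to our resolver queries
    if tcp and high_sport and p["dport"] in (22, 80, 443, 10000, 25):
        return "ACCEPT"
    if udp and p["sport"] == 6277:
        return "ACCEPT"
    if tcp and high_sport and p["dport"] == 3306:
        return "DROP"
    if tcp and 1 <= p["dport"] <= 1023:
        return "DROP"
    return "ACCEPT"                           # chain policy, not a rule


def packet(proto, src, dst, sport, dport, flags=0, iif="eth0"):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, flags=flags, iif=iif)


SERVER = "198.51.100.10"     # constructed documentation addresses
CLIENT = "203.0.113.5"
SAMPLES = {
    "ssh syn from client":        packet("tcp", CLIENT, SERVER, 40000, 22, SYN),
    "ssh syn, rfc1918 source":    packet("tcp", "10.1.2.3", SERVER, 40000, 22, SYN),
    "ssh syn, privileged sport":  packet("tcp", CLIENT, SERVER, 1022, 22, SYN),
    "xmas probe (FIN/PSH/URG)":   packet("tcp", CLIENT, SERVER, 40000, 22, FIN | PSH | URG),
    "mysql syn from client":      packet("tcp", CLIENT, SERVER, 40000, 3306, SYN),
    "dns answer":                 packet("udp", CLIENT, SERVER, 53, 40000),
    "syn-ack reply to our fetch": packet("tcp", CLIENT, SERVER, 80, 45000, SYN | ACK),
}


def run_samples():
    return {name: input_verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:7} {name}")
```

Two of the sample verdicts are the ones worth noticing. The "privileged sport" SYN to port 22 is dropped only because the accept rules insist on --sport 1024:65535, which is the stateless stand-in for "this came from a client"; a packet that a state match would reject as NEW-but-not-SYN has to be caught by the flag checks instead. The SYN/ACK reply to the server's own outbound fetch is accepted by the chain policy, not by any rule, so with this rule set the closing --dport 1:1023 DROP is the line doing the real denying, and changing the policy to DROP would require adding rules for return traffic that -m state would otherwise cover.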