I have a virtual private server with TekTonic, and I wanted to set up iptables to secure the server. I then looked on the web for some examples of people who had set up iptables to secure their servers. I found a couple of links:
I started following these examples and I noticed that I wasn't able to use some of these rules. One of the most important ones was the state module. I thought that I could fix the problem by installing iptables from RPM. This didn't solve the problem.
I then looked at what kernel modules were installed, and it appears that the only kernel modules available are the ones that come with their kernel. Tech support stated that their VPS is not able to run other kernel modules.
Here is the list of the included kernel modules:
[root@www root]# lsmod
Module                  Size  Used by    Tainted: P
iptable_nat            20020   0 (autoclean) (unused)
ip_conntrack           25876   1 (autoclean) [iptable_nat]
cls_fw                  4128   2 (autoclean)
sch_cbq                14944   2 (autoclean)
vzdquota               21664  67
vzmon                  75696  67
vzfs                   29364  67
af_packet              10760   0
vznet                  18688  68 [vzmon]
vzdev                   1760  -1 [vzdquota vzmon vznet]
e1000                  65160   0 (unused)
e100                   50052   1
ipt_REDIRECT            2432   3
ipt_length              1952   1
ipt_ttl                 2016   1
ipt_tcpmss              2496   1
ipt_TCPMSS              3840   1
ipt_multiport           2272   5
ipt_limit               2560   1
ipt_tos                 1888   1
ipt_REJECT              4384   2
iptable_filter          3520  37 (autoclean)
ipt_mark                1312   0 (autoclean)
ipt_MARK                1632   0 (autoclean)
iptable_mangle          3584   3 (autoclean)
ip_tables              16160 754 [iptable_nat ipt_REDIRECT ipt_length ipt_ttl ipt_tcpmss ipt_TCPMSS ipt_multiport ipt_limit ipt_tos ipt_REJECT iptable_filter ipt_mark ipt_MARK iptable_mangle]
It looks like the ipt_state module (the `-m state` match) is not included in their kernel, so I cannot use iptables as a stateful firewall.
These are the rules that I decided to use for the firewall. I am hoping that tech support will add that module, along with the LOG module.
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -N valid-tcp-flags
# iptables -A INPUT -p tcp -j valid-tcp-flags
# iptables -A OUTPUT -p tcp -j valid-tcp-flags
# iptables -A FORWARD -p tcp -j valid-tcp-flags
# iptables -N valid-source-address
# iptables -A INPUT -p ! tcp -j valid-source-address
# iptables -A INPUT -p tcp --syn -j valid-source-address
# iptables -A FORWARD -p ! tcp -j valid-source-address
# iptables -A FORWARD -p tcp --syn -j valid-source-address
# iptables -N valid-destination-address
# iptables -A OUTPUT -j valid-destination-address
# iptables -A FORWARD -j valid-destination-address
# iptables -A valid-tcp-flags -p tcp --tcp-flags ALL NONE -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# iptables -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# iptables -A valid-source-address -s 10.0.0.0/8 -j DROP
# iptables -A valid-source-address -s 172.16.0.0/12 -j DROP
# iptables -A valid-source-address -s 192.168.0.0/16 -j DROP
# iptables -A valid-source-address -s 224.0.0.0/4 -j DROP
# iptables -A valid-source-address -s 240.0.0.0/5 -j DROP
# iptables -A valid-source-address -s 127.0.0.0/8 -j DROP
# iptables -A valid-source-address -s 0.0.0.0/8 -j DROP
# iptables -A valid-source-address -d 255.255.255.255 -j DROP
# iptables -A valid-source-address -s 169.254.0.0/16 -j DROP
# iptables -A valid-source-address -s 192.0.2.0/24 -j DROP
# iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 10000 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p tcp --dport 25 --sport 1024:65535 -j ACCEPT
# iptables -I INPUT 10 -p udp -m udp --sport 6277 -j ACCEPT
# iptables -A INPUT -p tcp --dport 3306 --sport 1024:65535 -j DROP
# iptables -A INPUT -p tcp --dport 1:1023 -j DROP
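As an added example (not from the post), this script checks the kernel's lsmod output for the connection-tracking modules and prints either a `-m state` rule set or the post's stateless fallback for the same services. The sample lsmod text is constructed from the listing above; the stateful rules are the standard ESTABLISHED,RELATED pattern, not something the post itself shows.

```shell
#!/bin/sh
# Added example: pick a stateful or stateless iptables rule set from the
# netfilter modules the VPS kernel offers. Only prints commands for review.

# Constructed lsmod output (assumption), cut down from the post's listing:
# ip_conntrack is present but ipt_state (the -m state match) is not.
LSMOD_SAMPLE='Module                  Size  Used by
iptable_nat            20020   0 (autoclean) (unused)
ip_conntrack           25876   1 (autoclean) [iptable_nat]
ipt_limit               2560   1
ipt_REJECT              4384   2
iptable_filter          3520  37 (autoclean)
ip_tables              16160 754 [iptable_nat ipt_limit ipt_REJECT iptable_filter]'

# module_loaded NAME LSMOD_TEXT: succeed if NAME is in column 1 of lsmod output
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { f = 1 } END { exit f ? 0 : 1 }'
}

# firewall_mode LSMOD_TEXT: "stateful" only when connection tracking can be used
firewall_mode() {
    if module_loaded ip_conntrack "$1" && module_loaded ipt_state "$1"; then
        echo stateful
    else
        echo stateless
    fi
}

# emit_rules MODE: INPUT rules for the services the post opens (22, 25, 80, 443)
emit_rules() {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    if [ "$1" = stateful ]; then
        # Replies are identified by connection tracking, not by source port
        echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo 'iptables -A INPUT -m state --state INVALID -j DROP'
        for p in 22 25 80 443; do
            echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    else
        # Stateless fallback as in the post: any high source port is trusted,
        # and any UDP packet from source port 53 reaches every high port
        echo 'iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT'
        for p in 22 25 80 443; do
            echo "iptables -A INPUT -p tcp --dport $p --sport 1024:65535 -j ACCEPT"
        done
    fi
    echo 'iptables -A INPUT -p tcp --dport 1:1023 -j DROP'
}

# Stand-alone: use the live kernel's lsmod when present, else the sample
emit_rules "$(firewall_mode "$(lsmod 2>/dev/null || printf '%s' "$LSMOD_SAMPLE")")"
```

The `--sport 1024:65535` fallback is not equivalent to connection tracking, since the remote side chooses its own source port; the stateful branch is what to switch to once the state module is available.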
They seem to be doing the right thing.
Thanks
Thanks for this info. I was able to use it on my own VPS with EV1Servers.net.
Regards,
John
This work is licensed under a Creative Commons License.