Securing your Linux Server

First off, set up your firewall; Ubuntu comes with iptables by default.
mkdir /etc/iptables
vi /etc/iptables/rules

Add the following to your /etc/iptables/rules file
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
 
# Accept any related or established connections
-I INPUT  1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Allow all traffic on the loopback interface
-A INPUT  -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
 
# Outbound DNS lookups
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
 
# Outbound PING requests
-A OUTPUT -p icmp -j ACCEPT
 
# Outbound Network Time Protocol (NTP) request
-A OUTPUT -p udp --dport 123 --sport 123 -j ACCEPT
 
# Outbound HTTP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
 
# Incoming DNS requests
-A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
 
# Incoming SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
 
COMMIT

Apply the ruleset through iptables-apply, which reverts to the previous rules unless you confirm within its timeout; if you lose the connection, fix your rules and try again before continuing.
iptables-apply /etc/iptables/rules
Applying new ruleset... done.
Can you establish NEW connections to the machine? (y/N) y
... then my job is done. See you next time.
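Before handing the file to iptables-apply, a quick offline sanity check catches the mistakes that make iptables-restore reject the whole file (such as a rule that pairs -p tcp with -m udp) or that lock you out under the default DROP policy (no INPUT rule for SSH). This is an added example, not part of the original post; lint_rules is a hypothetical helper, it needs neither root nor the iptables binary, and it only recognises -A INPUT rules written in the style of the ruleset above.

```sh
# Hypothetical pre-flight lint for an iptables-restore rules file.
# Added example, not from the original post; needs no root and no iptables binary.
# Checks three things that would otherwise bite at apply time:
#   1. the table ends with COMMIT (otherwise iptables-restore applies nothing),
#   2. every rule that combines -p <proto> with -m tcp/-m udp uses the same
#      protocol ("-p tcp -m udp" makes iptables-restore reject the whole file),
#   3. an -A INPUT ACCEPT rule for the SSH port exists, since the default policy
#      is DROP and a missing rule locks you out of the box.
# Usage: lint_rules /etc/iptables/rules [ssh_port]; returns the number of problems.
lint_rules() {
  f="$1"
  port="${2:-22}"
  errors=0
  if ! grep -q '^COMMIT' "$f"; then
    echo "ERROR: no COMMIT line; iptables-restore would not apply this table"
    errors=$((errors + 1))
  fi
  # Walk each non-comment line and compare the -p protocol with any -m tcp/udp.
  mism=$(awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      p = ""; m = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") p = $(i + 1)
        if ($i == "-m" && ($(i + 1) == "tcp" || $(i + 1) == "udp")) m = $(i + 1)
      }
      if (p != "" && m != "" && p != m) print "  line " NR ": " $0
    }' "$f")
  if [ -n "$mism" ]; then
    echo "ERROR: -p/-m protocol mismatch (iptables-restore will reject the file):"
    echo "$mism"
    errors=$((errors + 1))
  fi
  if ! grep -Eq -- "^-A INPUT .*-p tcp .*--dport ${port}( |$).*-j ACCEPT" "$f"; then
    echo "ERROR: no INPUT ACCEPT rule for tcp/${port}; the DROP policy would cut off SSH"
    errors=$((errors + 1))
  fi
  return "$errors"
}
```

Run it as `lint_rules /etc/iptables/rules && iptables-apply /etc/iptables/rules` so a broken file never reaches the live firewall.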

Create the file /etc/network/if-pre-up.d/iptables with the following content. This will automatically load your iptables rules when the server starts.
/etc/network/if-pre-up.d/iptables
#!/bin/bash
iptables-restore < /etc/iptables/rules

Now make it executable and run it to ensure the rules load properly.
chmod +x /etc/network/if-pre-up.d/iptables
/etc/network/if-pre-up.d/iptables

Cheers
Adam