Setting up a firewall for IPtables can be rather difficult, especially if its your first time. A firewall is something you need to have, whether you are just trying to keep hackers out, or trying to meet a requirement such as PCI compliance, or HIIPA compliance. Luckily the folks at rfxnetworks, created a CLI based configuration for IPtables.
Setting up a firewall for IPtables can be rather difficult, especially if its your first time. A firewall is something you need to have, whether you are just trying to keep hackers
out, or trying to meet a requirement such as PCI compliance, or HIIPA compliance. Luckily the folks at rfxnetworks, created a CLI based configuration for IPtables.
First, download the firewall software at this URL:
Untar it then, run install.sh. Now you have a firewall installed. That only took a minute, so for the other 14 minutes, we are going to configure it. After you ran install.sh,
it told you what ports you have currently open. So, now were going to edit the config file. The nice thing about apf is it has common firewall rules already setup.
For this example we are just going to change a couple configuration options, set the ports we want open, and setup ACL's. For this example I will assume you are working with a
mutli-purpose server, which includes a web server. If you have a different type of server you are securing you may want to setup your firewall a little differently. And this firewall will run on top of an existing Linux system, and not be a stand alone type firewall that just filters packets.
Open the config file, located at: /etc/apf/conf.apf with your favorite text editor. Leave DEVEL_MODE set to 1, and then after you have tested everything and made sure you haven't
blocked yourself, then change it to 0. The first setting to chagne is BLK_RESNET, change this from 1 to 0. Some of the networks they have listed as reserved in internals/reserved.networks
have since be assigned, and I have run into cases where legitimate users were blocked from accessing web sites hosted on the server, plus with a dwindeling supply of IPv4 addresses
anything not assigned that could be will likely be assigned in the near future.
Next look for EGF="0", this is for outgoing traffic, or what's called egress filtering, we want this on. A lot of admins will only filter incoming traffic, however for the most
secure system you should filter outgoing traffic as well. There are a number of reason for this. For example if you required to become compliant, such as PCI DSS compliance if you
take credit cards, they require you filter outgoing traffic. You want to know what is leaving your server, and don't want sensitive data leaving out a foreign port. Also if you
system was compromised, even at the underprivileged user level you will want to limit the ports they will be able to send data on.
PCI DSS Firewall
Now we are going to set the ports we want open. There are 4 lines for this, a TCP and UDP line for both incoming and outgoing. For example for IG_TCP_CPORTS you might want to put
22, 25, 80, 443, if you use the server for email, then you would add 110,143, if you use mysql add 3306, if you use cPanel/WHM then you could add 2077, 2078, 2082, 2083, 2089, 2095, 2096 for IG_UDP_CPORTS if you
have a nameserver running on the box you can put 53. For EG_TCP_CPORTS you can put 22, 25, 80, 443, and then you can put 37 for rdate, and if you use whois, 43, if you connect to an external mysql server put 3306. For EG_UDP_CPORTS you
might just need 43.
Here are some complete line samples:
Now that we have port filtering setup, we are going to take this one step further and filter by IP and port. This is where the real power of a firewall comes up, limiting ports are
nice, but that still leaves you open to things like brute force attacked, and remote exploits, if your limiting the ports by IP even if there is a remote exploit, the hacker will
not be successful. To setup and ACL, first add your IP to the allow list in /etc/apf/allow_hosts.rules, for example to allow your IP for SSH, you would put:
And if you want to allow a group of IPs you can use cidr notation, such as:
Then you have to edit the deny list, and deny everything on that port, (the allow list overrides the deny list). The deny list in /etc/apf/deny_hosts.rules, and for SSH you would put:
Everything that you don't need public access to should have an ACL, for example you wouldn't usually add one for port 80 or 443, if if you have a management interface like webmin
or cpanel/WHM, you would want an ACL for that port.
Now, you should thoroughly test the firewall before making it active. To enable it, run apf -r, this gives you 5 minutes of testing before it will reset itself, when you are
confident everything is working, then change DEVEL_MODE to 0 and run apf -r again to make the firewall permanently active.