Yesterday I was securing a server to pass the PCI tests and the Mcaffee tests for a client of our’s. We have a Basic iptables firewall for linux that we use as a template – I didnt manage to get the firewall rules set properly for the client, so I just thought that I would put the basic iptables firewall for linux rules here.
the parts from the man pages im going to use are:
-A, --append chain rule-specification Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
-s, --source address[/mask][,...] Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).
-p, --protocol protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. "all" will match with all protocols and is taken as default when this option is omitted.
you will also see ‘–dport’ which is used to specify the port number in combination with the -p tcp or -p udp for the protocol parameter.
the last option we use is the -j (for jump)
-j, --jump target This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension. If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
you could enter these individually on a commandline, by prepending everything with iptables, or you could add them to your iptables file (in centos its /etc/sysconfig/iptables)
the advantage of adding them to the iptables file is that they get applied after reboots
-A INPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
(this will allow localhost access to everything)
-A INPUT -p tcp –dport 80 ACCEPT
-A INPUT -p tcp –dport 443 ACCEPT
(this will allow everyone access to http and https)
-A INPUT -p tcp –dport 22 -s YOUR_IP_HERE -j ACCEPT
(this will accept connections on ssh from your ip address only.)
-A INPUT -p tcp –dport 3306 -s YOUR_IP_HERE -j ACCEPT
(this will allow your ip address direct access to mysql – very handy!)
-A INPUT -p icmp -J DROP
-A INPUT -p udp -j DROP
-A INPUT -p tcp -j DROP
(drop all icmp, tcp and udp requests. I know what you will say if you have anything to say about that, but im not interested in being nice, I want my machine to be unresponsive if someone is messing about with it)
if you wanted to you could -j REJECT them
with that setup then people can access the http and https services running on your box, but they cant access anything else, unless they are in your office, using your machine. (thats the next security hole you need to patch up. I suggest using certificates for authentication, and not using passwords, also dont allow root logins over ssh and only use mysql rule if you are in heavy development – as soon as the site is stable then turn off that rule – unless you host multiple sites on one box – then you might want to leave it open, but you might just want to tell users to ssh into that box first)