===== Iptables =====
We will disable firewalld and use iptables instead. However, we will not activate iptables yet.
yum install iptables-services
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl start iptables.service
systemctl start ip6tables.service
Now save the current iptables state, so that it can be restored later if needed:
mkdir /etc/iptables
chmod -R 700 /etc/iptables
iptables-save > /etc/iptables/iptables.default
ip6tables-save > /etc/iptables/ip6tables.default
chmod 400 /etc/iptables/iptables.default
chmod 400 /etc/iptables/ip6tables.default
We will block everything and open the ssh port (22) on the second interface. IPv6 will not be used, so we block everything on it.
For the repository server, we will open port 21 on the first interface and set up passive mode for FTP.
Rules are interpreted in order: the accept rule for ssh must come before the reject-all rule.
Create file /etc/iptables/iptables.prod :
*filter
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Allow all loopback (lo0)
-A INPUT -i lo -j ACCEPT
# Allow inbound traffic from established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow SSH connections on second interface (admin ssh)
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT
# Allow FTP passive connections on first interface (repositories and pxe)
-A INPUT -p tcp -m state -i enp0s3 --state NEW --dport 21 -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --dport 1024:65535 -m helper --helper ftp -m conntrack --ctstate RELATED -j ACCEPT
# Log incoming requests (optional) and reject all inbound
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
# Log forwarding requests (optional) and reject all forwarding
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A FORWARD -j REJECT
COMMIT
And /etc/iptables/ip6tables.prod :
*filter
# Reject all IPv6
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT
COMMIT
We can now configure iptables to use these rules:
iptables-restore < /etc/iptables/iptables.prod
ip6tables-restore < /etc/iptables/ip6tables.prod
service iptables save
service ip6tables save
Firewall rules are saved to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
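Because rules are matched in order, an ACCEPT line that ends up below the catch-all REJECT of its chain is silently dead. The following shell lint, added here as an example and not part of the original page, reads an iptables-restore file (the format of iptables.prod above) and reports such shadowed rules; the two sample files are constructed for the demonstration. Note that `iptables-restore --test` only checks syntax and would accept both of them.

```shell
#!/bin/sh
# Added example: lint an iptables-restore file for ACCEPT rules that sit
# after the catch-all REJECT/DROP of their chain (they can never match).
# Exit status 0 = ordering is fine, 1 = a shadowed rule was found or COMMIT is missing.
check_rule_order() {
    awk '
        BEGIN { bad = 0; seen_commit = 0 }
        /^COMMIT$/ { seen_commit = 1; for (k in closed) delete closed[k] }
        /^-A / {
            chain = $2
            # catch-all: "-A <chain> -j REJECT" or "-j DROP" with no match options
            if ($0 ~ /^-A [A-Za-z0-9_]+ -j (REJECT|DROP)$/) { closed[chain] = NR; next }
            if ((chain in closed) && $0 ~ /-j ACCEPT$/) {
                printf "line %d: ACCEPT in chain %s is shadowed by the catch-all on line %d\n", NR, chain, closed[chain]
                bad = 1
            }
        }
        END {
            if (!seen_commit) { print "missing COMMIT"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample files (temporary) mirroring the prod rules of this page.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.prod" <<'EOF'
*filter
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
# Same rules, but an NTP accept line was appended after the reject
# (what a stray "iptables -A INPUT ..." on a live system does): it never matches.
cat > "$demo_dir/bad.prod" <<'EOF'
*filter
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
-A INPUT -p udp --dport 123 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
EOF

check_rule_order "$demo_dir/good.prod" && echo "good.prod: ordering ok"
check_rule_order "$demo_dir/bad.prod" || echo "bad.prod: rejected"
```

Run it against /etc/iptables/iptables.prod before iptables-restore; it only recognises a bare `-A <chain> -j REJECT` or `-j DROP` as the catch-all, which is the form used on this page.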
More details can be found here: https://www.linode.com/docs/security/securing-your-server
It is configured. But for now, let's deactivate it; you will be able to activate it later (optional).
systemctl disable iptables.service
systemctl disable ip6tables.service
systemctl stop iptables.service
systemctl stop ip6tables.service
==== Repository iptables ====
Important: This part must be done __**after**__ the [[http://www.spheniscus.brennik.fr/doku.php/system/linux_cluster/core_setup#iptables|Iptables]] part of this tutorial; I put it here just to organize the page by services.
Now, for the ftp passive rule to work, we need to load the module nf_conntrack_ftp:
modprobe nf_conntrack_ftp
Let's make it permanent. cd to **/etc/sysconfig/modules/** and create a new file **nf_conntrack_ftp.modules** :
#!/bin/sh
exec /sbin/modprobe nf_conntrack_ftp
After a reboot, you can check that the module is loaded using **lsmod**:
# lsmod
[...]
nf_conntrack 105702 4 xt_helper,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
[...]
==== Dhcp iptables ====
You can now generate the iptables rules. Do not forget to open the DHCP ports in iptables by adding this line under the ssh line:
# Allow DHCP connections on first interface
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 67:68 --sport 67:68 -j ACCEPT
Save the new rules into iptables and start the service.
==== Dns iptables ====
You can now generate the iptables rules. Do not forget to open the DNS port in iptables by adding this line under the ssh line (no --sport restriction: clients send queries from ephemeral source ports, not from port 53):
# Allow DNS connections on first interface
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 53 -j ACCEPT
Save the new rules into iptables and start the service.
==== PXE iptables ====
Do not forget to open the TFTP port used by PXE in iptables, by adding this line under the ssh line:
# Allow TFTP connections on first interface
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 69 -j ACCEPT
==== NTP iptables ====
Do not forget to open the NTP port in iptables, by adding these lines under the ssh line. Appending them with iptables -A on a running system would place them after the reject-all rule, where they never match.
# Allow NTP
-A INPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p udp --sport 123 -j ACCEPT
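Each service section above asks you to paste one more accept line "under the ssh line". The script below, an added example and not a script from the original page, assembles the whole /etc/iptables/iptables.prod from the per-service rules of this page (ssh, ftp, dhcp, dns, tftp, ntp), so that every ACCEPT rule lands in one block before the log-and-reject lines no matter which services a node runs. The interface names default to the page's enp0s8 (admin) and enp0s3 (services) and can be overridden from the environment; the DNS rule is emitted without the source-port restriction, since clients query from ephemeral ports.

```shell
#!/bin/sh
# Added example (not the page's own script): generate iptables.prod for a
# chosen set of services, keeping all ACCEPT rules before the catch-all reject.
ADMIN_IF=${ADMIN_IF:-enp0s8}   # second interface: admin ssh
SVC_IF=${SVC_IF:-enp0s3}       # first interface: cluster services

# Print the ACCEPT rule(s) for one service, in iptables-restore format.
service_rule() {
    case "$1" in
        ssh)
            printf '%s\n' "-A INPUT -p tcp -m state -i $ADMIN_IF --state NEW --dport 22 -j ACCEPT" ;;
        ftp)
            printf '%s\n' "-A INPUT -p tcp -m state -i $SVC_IF --state NEW --dport 21 -j ACCEPT"
            # passive data connections, tracked by nf_conntrack_ftp
            printf '%s\n' "-A INPUT -i $SVC_IF -p tcp -m tcp --dport 1024:65535 -m helper --helper ftp -m conntrack --ctstate RELATED -j ACCEPT" ;;
        dhcp)
            printf '%s\n' "-A INPUT -p udp -m state -i $SVC_IF --state NEW --dport 67:68 --sport 67:68 -j ACCEPT" ;;
        dns)
            # clients query from ephemeral source ports, so no --sport 53 here
            printf '%s\n' "-A INPUT -p udp -m state -i $SVC_IF --state NEW --dport 53 -j ACCEPT" ;;
        tftp)
            printf '%s\n' "-A INPUT -p udp -m state -i $SVC_IF --state NEW --dport 69 -j ACCEPT" ;;
        ntp)
            printf '%s\n' "-A INPUT -p udp --dport 123 -j ACCEPT" ;;
        *)
            echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Emit a complete filter table: base rules, then one block per service,
# then the rate-limited LOG and the catch-all REJECT for INPUT and FORWARD.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' '# Allow ping'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' '# Allow all loopback (lo0)'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '# Allow inbound traffic from established connections'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for svc in "$@"; do
        printf '%s\n' "# Allow $svc"
        service_rule "$svc" || return 1
    done
    printf '%s\n' '# Log (rate limited) and reject everything else'
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7'
    printf '%s\n' '-A INPUT -j REJECT'
    printf '%s\n' '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7'
    printf '%s\n' '-A FORWARD -j REJECT'
    printf '%s\n' 'COMMIT'
}

# Usage on a node: gen_ruleset ssh ftp dhcp dns tftp ntp > /etc/iptables/iptables.prod
#                  iptables-restore < /etc/iptables/iptables.prod && service iptables save
gen_ruleset ssh ftp dhcp dns tftp ntp
```

Pick only the services a given node actually provides (a plain compute node needs just ssh); the script fails with a non-zero status on an unknown service name instead of writing a half-finished file.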