ISPConfig 3 : What is the best Firewall / IPtables config ? (after install on Debian 8)

Discussion in 'Installation/Configuration' started by nif, Aug 21, 2016.

  1. nif

    nif New Member

    Hi
    I follow your the good tutorial to install ISPconfig : The Perfect Server – Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3) but I have some questions about iptables config.

    ==>     What is the best IPTABLES config after install ISPconfig ? for a simple web server (dns / apache / local mysql) with 2/3 websites ?
    ==> Can you help me to configure ? (For example I see MySQL port open with distant nmap and that is no good)
    Thanks.

    My current ISPCONFIG SERVICES :
    Code:
    Web-Server:    Online
FTP-Server:    Online
SMTP-Server:    Online
POP3-Server:    Online
IMAP-Server:    Online
DNS-Server:    Online
mySQL-Server:    Online
    My current IPTABLES CONFIG :
    Code:
    iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
fail2ban-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp
fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere           

Chain fail2ban-postfix-sasl (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere           

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere
    NMAP OPEN PORT TEST
    Code:
     ~  nmap -T4 -F XXX.XXX.XXX.XXX

Starting Nmap 7.12 ( https://nmap.org ) 
Nmap scan report for
Host is up (0.054s latency).
Not shown: 85 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
     
    nif, Aug 21, 2016
    #1
  2. Blaasbalg

    Blaasbalg Member

    Literally all ports are open considering you haven't specified a REJECT rule in your INPUT chain (the default policy ACCEPT is used if no matching rule is encountered), therefore all inbound connections are accepted.

    To accomodate the use of conntrack later on, we first have to setup a rule to allow ESTABLISHED connections:
    Code:
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    After that, add a REJECT rule at the end of the INPUT chain:
    Code:
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    Do the same for the FORWARD chain:
    Code:
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    Since you have no rules specified at all, this will close all ports. I recommend to add an additional chain for your services:
    Code:
    iptables -N SERVICES
    Refer to it in your INPUT chain (Note: the line number supplied is dependant on the rules present in your INPUT chain, if you have modified your INPUT chain in the mean time, adjust this number accordingly, it must come before the REJECT rule):
    Code:
    iptables -I INPUT 6 -j SERVICES
    Start adding your services to the SERVICES chain (replace port 80 with whatever service you want to open):
    Code:
    iptables -A SERVICES -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
    Without saving, all rules will be lost after an iptables restart (reboot), to save the rules issue the following command:
    Code:
    service iptables save
    If your server is IPv6 enabled, repeat the process for your ip6tables.
     
    Last edited: Aug 21, 2016
    Blaasbalg, Aug 21, 2016
    #2
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    For those services, you need to allow udp port 53, and tcp ports 53,80,443 and whatever ispconfig runs on, eg. 8080. You might also want ssh access, which is tcp port 22.

    If you need FTP, allow tcp port 21 (and maybe a port range for data connections, see http://www.faqforge.com/linux/contr...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/), and you must allow RELATED connections.

    An alternative to creating an entire iptables ruleset manually as above would be to install ufw and let ispconfig add the firewall rules for you. Or even from the cli, with:
    Code:
    # apt-get install ufw
# ufw allow 53/udp
# ufw allow 22/tcp
# ufw allow 53/tcp
# ufw allow 80/tcp
# ufw allow 443/tcp
# ufw allow 8080/tcp
# ufw enable
    And for FTP with passive port range from the faq add:
    Code:
    # ufw allow 21/tcp
# ufw allow 40110:40210/tcp
     
    Jesse Norell, Aug 22, 2016
    #3

Share This Page