ISPConfig 3 : What is the best Firewall / IPtables config ? (after install on Debian 8)

Discussion in 'Installation/Configuration' started by nif, Aug 21, 2016.

  1. nif

    nif New Member

    Hi
    I follow your the good tutorial to install ISPconfig : The Perfect Server – Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3) but I have some questions about iptables config.

    ==>
    What is the best IPTABLES config after install ISPconfig ? for a simple web server (dns / apache / local mysql) with 2/3 websites ?
    ==> Can you help me to configure ? (For example I see MySQL port open with distant nmap and that is no good)
    Thanks.

    My current ISPCONFIG SERVICES :
    Code:
    Web-Server:    Online
    FTP-Server:    Online
    SMTP-Server:    Online
    POP3-Server:    Online
    IMAP-Server:    Online
    DNS-Server:    Online
    mySQL-Server:    Online
    
    My current IPTABLES CONFIG :
    Code:
    iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination        
    fail2ban-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp
    fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination        
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination        
    
    Chain fail2ban-dovecot-pop3imap (1 references)
    target     prot opt source               destination        
    RETURN     all  --  anywhere             anywhere           
    
    Chain fail2ban-postfix-sasl (1 references)
    target     prot opt source               destination        
    RETURN     all  --  anywhere             anywhere           
    
    Chain fail2ban-pureftpd (1 references)
    target     prot opt source               destination        
    RETURN     all  --  anywhere             anywhere           
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination        
    RETURN     all  --  anywhere             anywhere       
    NMAP OPEN PORT TEST
    Code:
     ~  nmap -T4 -F XXX.XXX.XXX.XXX
    
    Starting Nmap 7.12 ( https://nmap.org ) 
    Nmap scan report for
    Host is up (0.054s latency).
    Not shown: 85 closed ports
    PORT     STATE    SERVICE
    21/tcp   open     ftp
    22/tcp   open     ssh
    25/tcp   filtered smtp
    53/tcp   open     domain
    80/tcp   open     http
    110/tcp  open     pop3
    143/tcp  open     imap
    443/tcp  open     https
    465/tcp  open     smtps
    587/tcp  open     submission
    993/tcp  open     imaps
    995/tcp  open     pop3s
    3306/tcp open     mysql
    8080/tcp open     http-proxy
    8081/tcp open     blackice-icecap
    
    Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
     
  2. Blaasbalg

    Blaasbalg Member

    Literally all ports are open considering you haven't specified a REJECT rule in your INPUT chain (the default policy ACCEPT is used if no matching rule is encountered), therefore all inbound connections are accepted.

    To accomodate the use of conntrack later on, we first have to setup a rule to allow ESTABLISHED connections:
    Code:
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    After that, add a REJECT rule at the end of the INPUT chain:
    Code:
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    Do the same for the FORWARD chain:
    Code:
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    Since you have no rules specified at all, this will close all ports. I recommend to add an additional chain for your services:
    Code:
    iptables -N SERVICES
    Refer to it in your INPUT chain (Note: the line number supplied is dependant on the rules present in your INPUT chain, if you have modified your INPUT chain in the mean time, adjust this number accordingly, it must come before the REJECT rule):
    Code:
    iptables -I INPUT 6 -j SERVICES
    Start adding your services to the SERVICES chain (replace port 80 with whatever service you want to open):
    Code:
    iptables -A SERVICES -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
    Without saving, all rules will be lost after an iptables restart (reboot), to save the rules issue the following command:
    Code:
    service iptables save
    If your server is IPv6 enabled, repeat the process for your ip6tables.
     
    Last edited: Aug 21, 2016
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    For those services, you need to allow udp port 53, and tcp ports 53,80,443 and whatever ispconfig runs on, eg. 8080. You might also want ssh access, which is tcp port 22.

    If you need FTP, allow tcp port 21 (and maybe a port range for data connections, see http://www.faqforge.com/linux/contr...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/), and you must allow RELATED connections.

    An alternative to creating an entire iptables ruleset manually as above would be to install ufw and let ispconfig add the firewall rules for you. Or even from the cli, with:
    Code:
    # apt-get install ufw
    # ufw allow 53/udp
    # ufw allow 22/tcp
    # ufw allow 53/tcp
    # ufw allow 80/tcp
    # ufw allow 443/tcp
    # ufw allow 8080/tcp
    # ufw enable
    And for FTP with passive port range from the faq add:
    Code:
    # ufw allow 21/tcp
    # ufw allow 40110:40210/tcp
    
     

Share This Page