Continuing to lock down the server a bit more as part of project uptime. I highly recommend enabling and using iptables on every Linux server. I want to restrict inbound traffic to the server to only SSH (tcp port 22) and HTTP(S) (tcp port 80/443). Here’s the process:
Check the current rules on the server
[code]sudo iptables -L [/code]
Add rules to allow SSH, HTTP and HTTPS traffic and all traffic from the loopback interface
[code]sudo iptables -I INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport http -j ACCEPT
sudo iptables -A INPUT -p tcp --dport https -j ACCEPT
[/code]
Drop any traffic that doesn’t match the above-mentioned criteria
[code]sudo iptables -A INPUT -j DROP [/code]
Save the rules to a file so they can be restored after a reboot by running
[code]sudo su -
iptables-save > /etc/firewall.rules[/code]
Now create a simple script that will load these rules during startup. Ubuntu provides a pretty neat way to do this: write a simple script, place it in /etc/network/if-pre-up.d, and the system will execute it before bringing up the interfaces. You can get pretty fancy with this, but here is the simple script that I use
[code]
samurai@samurai:/etc/network/if-pre-up.d$ cat startfirewall
#!/bin/bash
# Import iptables rules if the rules file exists
if [ -f /etc/firewall.rules ]; then
    iptables-restore < /etc/firewall.rules
fi
exit 0
[/code]
Now you can reboot the server and check whether your firewall rules are still in effect by running
[code]sudo iptables -L [/code]
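As an added example (not the post's own script), here is a POSIX shell script that writes the same rule set in the format iptables-restore reads and then checks a rule dump for the lockdown rules, so the post-reboot check can be automated instead of eyeballed. It assumes the post's three allowed ports and the /etc/firewall.rules path; the function names and the --apply flag are mine.

```shell
#!/bin/sh
# Added example, not the post's script. Assumed values: the post's allowed
# TCP ports and its rules file path.
ALLOWED_TCP_PORTS="22 80 443"
RULES_FILE="${RULES_FILE:-/etc/firewall.rules}"

# Emit the post's rule set in iptables-save format (what iptables-restore
# reads), in the same order: loopback, established/related, allowed ports,
# then the terminal DROP.
gen_firewall_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# Check that a rule dump (output of iptables-save or iptables -S) still
# contains the lockdown: loopback and conntrack accepts, every allowed port,
# and DROP as the last INPUT rule. The INPUT policy is ACCEPT, so without
# that terminal DROP everything not matched above is let in. Returns 0/1.
check_firewall_rules() {
    dump="$1"
    printf '%s\n' "$dump" | grep -q -e '-A INPUT -i lo -j ACCEPT' || return 1
    printf '%s\n' "$dump" | grep -q -e '--ctstate RELATED,ESTABLISHED -j ACCEPT' || return 1
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "$dump" | grep -q -e "--dport $p -j ACCEPT" || return 1
    done
    last=$(printf '%s\n' "$dump" | grep -e '^-A INPUT' | tail -n 1)
    [ "$last" = "-A INPUT -j DROP" ]
}

# Usage (as root): write the file the post's if-pre-up.d script restores,
# load it, then confirm the live rules match. Only runs with --apply, since
# every step needs root and a real netfilter.
if [ "${1:-}" = "--apply" ]; then
    gen_firewall_rules > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
    check_firewall_rules "$(iptables-save)" && echo "firewall rules in effect"
fi
```

Run `sh firewall.sh --apply` once as root, and `check_firewall_rules "$(iptables-save)"` is the line worth putting in a post-reboot cron or monitoring check.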