Building Professional Web Hosting Solution
<< Securing and Protecting Linux System Course
>> Linux Hardening Rules and IPtables Firewall Section
Because syslog and messages log many unrelated system events, redirecting IPtables firewall logging to its own file is the better option. Redirecting the IPtables log and making the rules persistent are the last two things needed to finalize the IPtables setup. The log rules below move IPtables logging from its default location, /var/log/syslog (Debian based) or /var/log/messages (Red Hat based), to its own log file at /var/log/iptables.log.
Objectives:
1. Redirecting IPtables Logging Location
2. Debian Based – IPtables Rules Persistent
3. Red Hat Based – IPtables Rules Persistent
4. Disallow Pinging your VPS from Outside
Prerequisites:
A. Basic Debian or Red Hat System Knowledge
B. Login to your DigitalOcean or Vultr Account
Recommendations:
For better performance, use a VPS with at least 2 CPUs, 4G memory, 1G bandwidth, and an SSD storage drive.
Redirecting IPtables Logging Location
Run the following steps (1 to 6)
The IPtables default logging location is the kern.log, syslog, or messages file. I recommend giving it its own log file.
1. Create iptables.conf under /etc/rsyslog.d/
nano /etc/rsyslog.d/iptables.conf
Copy and paste the log settings below inside iptables.conf (this is an rsyslog configuration file, not a shell script, so it needs no shebang line):
# IPtables LOGGING RULES
#
# The firewall script logs at level 7 (debug) for all log events.
# Write IPtables events whose message contains "IPT " or "IP6 " to their own file
# (the leading "-" on the file name means rsyslog may buffer writes).
:msg,contains,"IPT " -/var/log/iptables.log
& stop
:msg,contains,"IP6 " -/var/log/iptables.log
& stop
# Log everything else at kern.debug to /var/log/iptables.log
kern.=debug /var/log/iptables.log
& stop
# "& stop" (or "~" on older rsyslog) prevents lines already written above
# from being processed by any other filters, so they do not also land in syslog or messages.
Note: With older versions of rsyslog, you may have to replace the word stop on the last line with the ~ character; on newer versions of Debian, Ubuntu and CentOS the ~ character as a stop indicator has been deprecated and causes warning messages when (re)starting the rsyslog service. For now I am using the stop value instead of the ~ character.
Save: Ctrl-X, Hit Y Key, and Enter
2. Create a log rotate iptables file under /etc/logrotate.d/
nano /etc/logrotate.d/iptables
Copy and paste the following inside the iptables file (a logrotate configuration, so no shebang line is needed):
# Rotate the dedicated IPtables log written by rsyslog
/var/log/iptables.log
{
# keep 10 rotated copies, rotate once a month
rotate 10
monthly
# do not error if the file is missing, skip empty files
missingok
notifempty
# gzip rotated copies, but leave the most recent one uncompressed one cycle
compress
delaycompress
# run postrotate once, then make rsyslog reopen the new file
sharedscripts
postrotate
invoke-rc.d rsyslog reload >/dev/null 2>&1 || true
endscript
}
Save: Ctrl-X, Hit Y Key, and Enter
3. Restart Rsyslog Service
service rsyslog restart
Verify IPtables Log Rotation
Note: If you don’t see the iptables.log file yet, wait a few minutes until IPtables generates some log entries. To generate some, open another SSH session. You should then see iptables.log among the log files under /var/log:
4. View logging location
ls -lah /var/log/ | grep iptables
The log file should be present as shown below.
[...]
-rw-r----- 1 root adm 0 Mar 9 21:34 iptables.log
[...]
5. Run the Log Rotation Manually
Log rotation happens automatically, but for testing purposes you can run the command manually; wait a few more minutes before running it so the file has some content.
logrotate -vf /etc/logrotate.d/iptables
Optional – To rotate all log files, run the following command.
logrotate -vf /etc/logrotate.conf
6. View IPtables Logs Again
ls -lah /var/log/ | grep iptables
[...]
-rw-r----- 1 root adm 2.7K Mar 10 09:43 iptables.log
-rw-r----- 1 root adm 415K Mar 10 09:43 iptables.log.1
[...]
As you probably noticed, the *.log.1 suffix indicates that the file has been rotated and a new file created. Over time iptables.log will be rotated several times, and the oldest archives are deleted once the count configured in /etc/logrotate.d/iptables (rotate 10) is exceeded.
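Once the firewall log lives in its own file, the natural next step is to read it. The following is an added example, not code from the course page; it assumes the firewall script's LOG rules use a --log-prefix beginning with "IPT " (IPv4) or "IP6 " (IPv6), which is what the rsyslog filter above keys on, and that rsyslog writes its default "Mon DD HH:MM:SS host kernel:" line layout. The log lines embedded in it are constructed for the example (RFC 5737/3849 addresses), and the fifth one is a non-firewall kern.debug line of the kind the "kern.=debug" rule also sends to the file.

```python
"""Summarise iptables log events from /var/log/iptables.log.

Added example, not code from the course page. It assumes the firewall
script's LOG rules use a --log-prefix beginning with "IPT " (IPv4) or
"IP6 " (IPv6), and that rsyslog writes its default
"Mon DD HH:MM:SS host kernel:" line format. The log lines below are
constructed for this example (RFC 5737/3849 addresses).
"""
import re
import sys
from collections import Counter

SAMPLE_LOG = """\
Mar 10 09:43:01 vps kernel: [  120.110] IPT INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 09:43:02 vps kernel: [  121.220] IPT INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=43211 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 09:43:05 vps kernel: [  124.330] IPT INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar 10 09:43:09 vps kernel: [  128.440] IP6 INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 09:43:10 vps kernel: [  129.000] unrelated kern.debug message that also landed in the file
"""

# "Mon DD HH:MM:SS host kernel: [uptime] <prefix>: KEY=VALUE ..."
# The optional "[  120.110]" is the kernel's printk timestamp.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'(?:\[\s*[\d.]+\] )?(?P<prefix>IP[T6] [^:]*): (?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """Return a dict of fields for an IPT/IP6 log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'host': m.group('host'),
           'prefix': m.group('prefix').strip()}
    # Bare flags such as SYN or DF carry no "=" and are skipped; a repeated key
    # (LEN= appears twice on UDP lines: IP length, then UDP length) keeps the last value.
    rec.update(FIELD_RE.findall(m.group('fields')))
    return rec


def summarize(log_text):
    """Count events per (log prefix, SRC) and per (PROTO, DPT)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_src = Counter((r['prefix'], r.get('SRC')) for r in records)
    by_dpt = Counter((r.get('PROTO'), r.get('DPT')) for r in records if r.get('DPT'))
    return {'events': len(records), 'by_src': by_src, 'by_dpt': by_dpt}


def noisy_sources(summary, threshold):
    """Source addresses that hit the firewall at least `threshold` times, sorted."""
    totals = Counter()
    for (_prefix, src), n in summary['by_src'].items():
        totals[src] += n
    return sorted(src for src, n in totals.items() if n >= threshold)


if __name__ == '__main__':
    # Read a real file if one is given (e.g. /var/log/iptables.log), else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print('%d firewall events' % s['events'])
    for (prefix, src), n in s['by_src'].most_common():
        print('%5d  %-16s %s' % (n, prefix, src))
    for (proto, dpt), n in s['by_dpt'].most_common():
        print('%5d  %s/%s' % (n, proto, dpt))
```

Run it as python3 iptlog.py /var/log/iptables.log on the VPS (the file is root:adm, so run it as root or a member of adm). Keying the counters on the log prefix as well as the source address lets a single file carry DROP and ACCEPT prefixes from several chains without mixing them up, and the per-port counter shows quickly which services are being probed most.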
Debian Based – IPtables Rules Persistent
WARNING!!! As of this writing and testing on DigitalOcean, restoring IPtables rules persistently at startup disabled the public interface. A conflict is happening somewhere. Using only the IPtables script at startup is fine, and you do not need the persistent rules shown below.
Note: Step 3 below, which restores the IPtables rules at startup, is disabled by default (its commands are commented out); you can still set up steps 1 and 2 so the rules are saved to a file when the system reboots.
Run the following steps (1 to 4)
1. Create IPtables Save File
nano /etc/network/if-post-down.d/iptables
Paste the following:
#!/bin/bash
# IPtables Save Rules
iptables-save > /etc/network/iptables.rules
ip6tables-save > /etc/network/ip6tables.rules
Save: Ctrl-X, Hit Y Key, and Enter
2. Apply Execution Permission
chmod +x /etc/network/if-post-down.d/iptables
3. Create IPtables Restore File
nano /etc/network/if-up.d/iptables
Paste the following:
#!/bin/bash
# IPtables Restore Rules
#iptables-restore < /etc/network/iptables.rules
#ip6tables-restore < /etc/network/ip6tables.rules
Save: Ctrl-X, Hit Y Key, and Enter
With the restore lines in step 3 uncommented, the if-post-down.d script saves the IPv4 and IPv6 rules under /etc/network when the interface goes down (for example at a reboot), and the if-up.d script restores them when the interface comes back up.
4. Apply Execution Permission
chmod +x /etc/network/if-up.d/iptables
Red Hat Based – IPtables Rules Persistent
These are optional steps since IPtables Script will run at the startup, but if you still like to set IPtables Rules Persistent, here are the steps for you.
Run the following steps (1 to 5)
1. Save IPtables Firewall Rules
/sbin/service iptables save
You should see the following output:
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
2. Save IP6tables Firewall Rules
/sbin/service ip6tables save
You should see the following output:
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ]
3. Verify IPtables Saving
IPtables should be saved under /etc/sysconfig/ folder
cat /etc/sysconfig/iptables
And
cat /etc/sysconfig/ip6tables
4. Edit IPtables Script
nano /etc/network/iptables/iptfw4and6-single-node.sh
Add the following IPtables saving commands at the end of the IPtables Script right before “exit 0”.
# IPtables Saving Commands
/sbin/service iptables save
# IP6tables Saving Commands
/sbin/service ip6tables save
exit 0
5. Reapply IPtables Script
/etc/network/iptables/iptfw4and6-single-node.sh
You will notice the saving output at the end.
[...]
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ]
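Both persistence methods above, the Debian if-up.d restore script and the Red Hat /etc/sysconfig/iptables file, hand an iptables-save format file to iptables-restore at boot, which is exactly the moment a bad file can cut off remote access (the warning at the top of the Debian section is one way that goes wrong). The checker below is an added example, not the course's own script: it parses a saved rules file and refuses one that is truncated (a table without COMMIT) or that would lock an administrator out (INPUT policy DROP with no rule admitting RELATED,ESTABLISHED traffic or the SSH port). The rules text inside it is constructed; eth0 and port 22 are assumptions for the example.

```python
"""Sanity-check an iptables-save file before handing it to iptables-restore.

Added example, not the course's own script. The sample rules are
constructed; eth0 and port 22 are assumptions for the example.
"""
import re
import sys

# ":CHAIN POLICY [packets:bytes]" as written by iptables-save
POLICY_RE = re.compile(r'^:(\S+) (\S+) \[\d+:\d+\]$')

SAMPLE_RULES_OK = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "Accept SSH" -j ACCEPT
-A INPUT -i eth0 -j LOG --log-prefix "IPT INPUT DROP: " --log-level 7
COMMIT
"""

# Same policy, but the two rules that keep a remote admin connected are missing.
SAMPLE_RULES_LOCKOUT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# A save interrupted before COMMIT was written (e.g. disk full at shutdown).
SAMPLE_RULES_TRUNCATED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
"""


def parse_rules(text):
    """Parse iptables-save output into {table: {'chains': {name: policy}, 'rules': [...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):
            current = line[1:]
            tables[current] = {'chains': {}, 'rules': []}
        elif current is None:
            raise ValueError('line outside any table: %r' % line)
        elif line == 'COMMIT':
            current = None
        elif line.startswith(':'):
            m = POLICY_RE.match(line)
            if not m:
                raise ValueError('bad chain line: %r' % line)
            tables[current]['chains'][m.group(1)] = m.group(2)  # user chains have policy "-"
        elif line.startswith('-A '):
            tables[current]['rules'].append(line)
        else:
            raise ValueError('unexpected line: %r' % line)
    if current is not None:
        raise ValueError('table %s has no COMMIT (truncated file?)' % current)
    return tables


def lockout_findings(tables, ssh_port=22):
    """Return the reasons the filter table could lock remote admins out (empty if none)."""
    filt = tables.get('filter')
    if filt is None:
        return ['no filter table in file']
    if filt['chains'].get('INPUT', 'ACCEPT') != 'DROP':
        return []  # an ACCEPT/other policy cannot lock anyone out by itself
    findings = []
    accepts = [r for r in filt['rules'] if r.startswith('-A INPUT ') and r.endswith('-j ACCEPT')]
    if not any('ESTABLISHED' in r for r in accepts):
        findings.append('INPUT policy DROP but no ACCEPT rule for RELATED,ESTABLISHED')
    port_re = re.compile(r'--dport %d(\s|$)' % ssh_port)
    if not any(port_re.search(r) for r in accepts):
        findings.append('INPUT policy DROP but no ACCEPT rule for SSH (tcp/%d)' % ssh_port)
    return findings


def safe_to_restore(text, ssh_port=22):
    """(True, []) if the file parses and raises no lockout finding, else (False, reasons)."""
    try:
        findings = lockout_findings(parse_rules(text), ssh_port)
    except ValueError as exc:
        return False, [str(exc)]
    return (not findings), findings


if __name__ == '__main__':
    # Usage: check.py /etc/network/iptables.rules   (path is an example)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES_LOCKOUT
    ok, reasons = safe_to_restore(data)
    print('OK to restore' if ok else 'REFUSING restore:\n  ' + '\n  '.join(reasons))
    sys.exit(0 if ok else 1)
```

Calling this from the if-up.d restore script and only running iptables-restore when it exits 0 turns a silent boot-time lockout into a logged refusal. It checks structure and intent, not syntax of every match; pairing it with the --test option of iptables-restore, where your iptables version provides it, adds a syntax check by the real parser.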
Disallow Pinging your VPS from Outside
There are 2 methods to disallow pinging your VPS:
- IPtables Rules
- Kernel Rules
A. Disallow Pinging using IPtables Rules
Run the following steps (1 to 2)
1. Edit IPtables Firewall Script
nano /etc/network/iptables/iptfw4and6-single-node.sh
Ctrl-w and search for “Authorize Pinging“, don’t copy the quotes.
To disallow pinging at the public interface, comment the following lines as shown below:
# Authorize Pinging with Limit Protection
# Allow Incoming pinging through Public Interface
#$IPT -A INPUT -i $PUB_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo." -j ACCEPT
#$IP6 -A INPUT -i $PUB_IF -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo." -j ACCEPT
Save: Ctrl-X, Hit Y Key, and Enter
2. Reapply IPtables Firewall Script
/etc/network/iptables/iptfw4and6-single-node.sh
B. Disallow Pinging using Kernel Rules
Note: Using IPtables disallows pinging on a specific interface such as the public interface, whereas the kernel rule disables incoming pings on all interfaces. For a single VPS it is fine to disable pinging on all interfaces. However, if I have multiple VPS instances and am using a private network, I would use IPtables instead, so that pinging is disabled only on the public interface.
Run the following steps (1 to 2)
1. Edit Kernel Rules Script
nano /etc/network/iptables/kernel-hardening-rules.sh
Press Ctrl-w and search for Ping. Flip the value from 0 to 1 as shown below (1 makes the kernel ignore all echo requests):
# Disable Globally Ping Response from Public or Private Networks.
$SYSCTL net.ipv4.icmp_echo_ignore_all=1
Save: Ctrl-X, Hit Y Key, and Enter
2. Re-apply Kernel Rules
/etc/network/iptables/kernel-hardening-rules.sh
Allow Pinging Again
Note: Remember the following when dealing with kernel rules:
0 (zero) -> Rule Disabled / OFF
1 (one) -> Rule Enabled / ON
Edit kernel-hardening-rules.sh again and flip 1 to 0:
# Disable Globally Ping Response from Public or Private Networks.
$SYSCTL net.ipv4.icmp_echo_ignore_all=0
Then, rather than re-running the whole script, apply only this specific kernel rule:
sysctl net.ipv4.icmp_echo_ignore_all=0