If you are deploying a Linux-based web server for production use, you will be thinking about security. The first thing I think about is configuring iptables to limit the ports through which traffic can reach or leave the server.
What are iptables?
Iptables is basically a firewall that gives you detailed control over the traffic you allow into and out of your server. With no rules configured, every port your server listens on is reachable from the network, which means an attacker might be able to gain access through one of those open ports and take control of your web server.
Iptables supports both IPv4 and IPv6 and a huge range of complex configurations. This post is focused only on IPv4 and on opening traffic to ports 80 (HTTP) and 443 (HTTPS). You should be able to use the same process to open ports such as 21 (FTP) or 25 (SMTP), and the same method applies to IPv6.
With most Linux distributions it is not necessary to install iptables, because it usually ships with the distribution. However, it often allows all traffic by default.
IMPORTANT: You can only manage iptables as root.
If you haven’t configured any iptables rules yet, listing them should give the following output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Adding iptables rules
Your Linux distribution will include an iptables config file (the path used below is the Red Hat/CentOS location, /etc/sysconfig/iptables).
You may wish to take a backup of the config file before you change anything:
cp -b /etc/sysconfig/iptables /tmp/iptables.bk
Open in a text editor of choice:
Or in case you wanted IPv6:
The file should contain something like this:
*filter
:INPUT ACCEPT [6:424]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:496]
...
Add the following lines to the INPUT chain, ahead of its final LOG and DROP rules (iptables evaluates rules in order, so an ACCEPT placed after the DROP would never match):
## allow everyone to access port 80 and 443 ##
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
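As an added example (not code from the original post), here is a complete IPv4 ruleset in iptables-restore format built around the two rules above, plus a check that no INPUT ACCEPT rule has been placed after the chain's LOG/DROP rules, which is the ordering mistake that silently leaves the ports closed. The loopback and ESTABLISHED,RELATED rules and the log prefix are assumptions added for a working server, not taken from the page.

```shell
# Emit an iptables-restore ruleset for an IPv4 web server: loopback and
# established/related traffic plus new TCP connections to 80 and 443 are
# accepted; everything else arriving on INPUT is logged and dropped.
# (Loopback, ESTABLISHED,RELATED and the log prefix are assumptions.)
web_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## allow everyone to access port 80 and 443 ##
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables denied: "
-A INPUT -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin and verify the INPUT chain ordering: once a
# catch-all LOG or DROP rule has been seen, any later ACCEPT rule is
# unreachable. Prints each unreachable rule and returns 1; returns 0
# when the ordering is sound.
check_input_order() {
  awk '
    /^-A INPUT / && /-j (LOG|DROP)( |$)/ { blocked = 1 }
    /^-A INPUT / && /-j ACCEPT$/ && blocked {
      print "unreachable rule: " $0; bad = 1
    }
    END { exit bad ? 1 : 0 }
  '
}

# Usage: write the ruleset out and verify it before loading it with
# iptables-restore (loading itself requires root and is not done here).
web_ruleset > /tmp/iptables.web
check_input_order < /tmp/iptables.web
```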
Restart the iptables service:
You’re all set.
Having at least a basic understanding of iptables is essential for deploying a production-ready web server: you can allow access through only the ports you specify. This post covered:
- Listing the current iptables rules
- Backing up the existing config file before changing it
- Adding iptables rules to the config file
If you wish to open more ports you can apply the same method. If you wish to understand iptables in greater detail, see the Linux man page here: http://linux.die.net/man/8/iptables