2016-12-14 14:24:30 0 Comments Linux Boy.Lee

2017 Centos 6 Web Server iptables Classial Config Rules List

I did onece server switch at the end of 2016, this time I did review of Centos 6 iptables rules, not find any topic suite for web server iptables config, so I write this topic to list and explain all iptables rules. I hope this topic can help your undestand iptables.


{ Server Environment }

Standard LNMP(Centos 6.4 + php 5.6 + mysql 5.6 + nignx 1.10) Web Server


{ Requirement }

  1. Closs all unsafe prot
  2. Open Web Server need ports, for client request
    1. ssh - 22 (or the changed port)
    2. http - 80
    3. https - 443
    4. mysql - 3306 
    5. ftp - 21 + passive ports(like 50000 to 51000)
  3. Open ports for on server operate
    1. dns - 53
    2. ping
    3. http - 80
    4. https - 443
    5. send mail - 25
  4. Defensive Rules, like for DDOS 


{ Rules List }

FYI, you can't direct copy the rules from this topic and use, because for some reason we need change rules' order, if don't change the order, will couse serious problem. This topic fouce on show and explain all need rules, if you want use the rules in produce environment you can direct read next topic <<2017 CLASSICAL IPTABLES CONFIG RULES DEMO FOR CENTOS 6 WEB SERVER>>

###Clean Rules
iptables -P INPUT ACCEPT
#this 3 commonds set all 3 links to open, means all allow
iptables -F
iptables -X
#this 2 for clean all rules
#You have to run the follow 5 commands one by one at the begin!! If you don't you may lost control of your server, and you have to restart it

###Basic Rules
iptables -A INPUT -p tcp --dport 22  -j ACCEPT #ssh default port 22
iptables -A INPUT -p tcp --dport yiilib.com  -j ACCEPT #ssh new port, if new port is 33333, just replace yiilib.com with 33333
#because 22 is ssh default port, and usually we will change it for safety reason. The change will cost problem, so STRONG SUGGESTION keep 22 and new port at begin and remove it after all set. For how to delete rules you can find it later in this topic.

iptables -A INPUT -p tcp --dport 21 -j ACCEPT #ftp connection port 21
iptables -A INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT  # ftp passive port 50000-51000
#The SSH and FTP make you keep control of the server, this is why I put it in the begin. If you lost control you lost everything!

#Common rules
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT #allow icmp packet in(for ping)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow established and related packet in
iptables -A OUTPUT -p icmp --icmp any -j ACCEPT #allow icmp packet out(for ping)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow established and related packet out

#loopback and localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#loopback is for This rule is for php-fpm's and other condition like it.

iptables -A INPUT -s localhost -d localhost -j ACCEPT #allow local packet in
iptables -A OUTPUT -s localhost -d localhost -j ACCEPT #allow local packet out
#some topics tell you add localhost rule, but for web server loopback is enough

###Application Level
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT #For https request need open port 443, in this case client can use browser open your site's https link
#You may thinking of output rule, we don't need it because we already set "#allow established and related packet out", keep this in mind for follow rules.

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT #http need port 80, user can send http request for open http site

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT #for mysql remote login, don't add if you don't need, it's not safe, but if you have to use it, try forbin root account and use complex account+password, in this case it should be safety enough

iptables -A INPUT -p tcp --dport 8989 -j ACCEPT #allow input 8989 port for ss
#I didn't test this one yet, just put it here.

###On Server Operate
#support for: open url on server(include wget download, yum operate), ping on server, send email from server, etc.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #open port 53 for DNS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #https
#no INPUT because we already have "#allow established and related packet in"
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #http
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT #use ntpdate update date

###Defensive Rules

#Handle IP Fragment,prevent attack, allow 100/s
iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT 

#for ping, allow 1/s since 101
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT 

# ddos
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT 

###Close all unsafe port
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
#Drop for all not match event. only the rules we write above are allow, others will be drop directly. You can also use ACCEPT for OUTPUT and FORWARD, then just remove all rules for OUTPUT and FORWARD. But keep this in mind, DROP is more safety than ACCEPT


{ iptables Check and Edit}

#list all rules, for delete and insert you can direct count rule in the list to get count number, count since 1
iptables -L -n

#delete one rule
iptables -D OUTPUT 3 #delete OUTPUT No.3
iptables -D INPUT 2
iptables -D FORWARD 2

#Insert one rule
iptables -I INPUT 3 -p tcp -m tcp --dport 20 -j ACCEPT #insert at INPUT No.3


{ Save iptables }

Before save the change for iptables will be clean after reboot, so do save after all ready. And also keep in mind, you can do restart to rollback if anything wrong, for some condition you need hard reboot.

###Save and apply
service iptables save #save iptables
service iptables restart #restart iptables


{ GET Control Back }

The most danger thing in change iptables is if anything wrong you will lost control of the server, you can use the follow 4 methods to get control back.

  1. if you can use SSH, login and edit iptables.
  2. if you can use FTP, login and edit /etc/sysconfig/iptables, then do reboot, the new rules will working after reboot. But keep inmind DO NOT direct edit the iptables file, unless you have to, it's not safe!!
  3. if you can reboot server, do reboot iptables will roolback, sometime you need use hard reboot instand of soft reboot.
  4. Contact Engine Room, ask them do iptables clean for you.