I'll explain a simple way to protect a server using IPTables, in three steps:

  1. Flush the existing rules
  2. Set the default policies
  3. Allow only what we want

Flushing drops every existing rule, user-defined chain and counter and leaves IPTables as clean as if it had just been stopped. Without -t the first three commands act on the filter table only, so the nat table is flushed separately. Run all of this from the console or as one script: once the rules are gone, the default policies set next are the only thing deciding what gets in, and a DROP policy with no SSH rule yet means a remote session is cut off.

iptables -F
iptables -X
iptables -Z
iptables -t nat -F

Set the default policies: accept everything except incoming packets, which are dropped unless a later rule accepts them. Because OUTPUT is ACCEPT and INPUT is DROP, the server can open connections but nothing comes back in unless a rule lets it, which is why some of the rules below carry ESTABLISHED,RELATED. FORWARD is left at ACCEPT here; on a server that does not route traffic for other machines it can be set to DROP as well.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

Now I'll give full access to the machines that administer the server:

  1. Full access for the server itself. Local traffic comes from 127.0.0.1, so we match on the loopback interface (lo) rather than on the address.
  2. Full access for the LAN machine that administers the server.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.33 -j ACCEPT

The second rule trusts the source address alone, which an attacker on another network can forge; adding the interface the LAN is on (-i eth0, for example) to the rule makes that harder.

Now we are going to allow access to the different services of our server:

  1. Web
  2. Mail
  3. SSH
  4. DNS

I'll explain each case separately.

1. Web server

HTTP listens on TCP port 80. If the server also serves HTTPS, add the same rule for port 443.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

2. Mail server

The mail server receives mail from other servers, and accepts mail for delivery, on TCP port 25 (SMTP); clients read their mailboxes on ports 143 (IMAP) and 993 (IMAPS, IMAP over TLS). The first rule below lets in the replies when our server itself connects to port 25 on a remote server to deliver outgoing mail; the other three accept incoming connections to our own services.

iptables -A INPUT -p tcp --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

3. SSH remote shell

This opens SSH to everyone. If only the admin machine above should reach it, leave this rule out: that host already has full access, and the DROP policy keeps port 22 closed to the rest.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

4. DNS server

DNS queries use UDP port 53. The first rule lets in answers to queries our server sends out (they arrive with source port 53, and are matched only when the connection tracking saw our query leave); the second accepts queries from clients. A DNS server also needs TCP port 53 for answers too large for one UDP packet and for zone transfers, so add the same pair of rules for tcp if it serves those.

iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

Finally I'll allow the replies to my own pings. RELATED also admits ICMP error messages (destination unreachable, time exceeded) that belong to an existing connection, which the server needs for path MTU discovery to work.

iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

Someone may not understand why some rules include ESTABLISHED,RELATED. I'll explain it my way, even if it is not the textbook one.

I'll begin with the ping rule, because it is the easiest to explain. I don't want anyone to ping my server, but I want to be able to ping from it. I can send the ping because the OUTPUT policy is ACCEPT. The problem is that each echo request needs an echo reply, and with INPUT set to DROP that reply is discarded unless I let it in; but I want to accept incoming ICMP only when I was the one who sent the ping. The ESTABLISHED,RELATED states express exactly that: the connection tracking module records every outgoing request, and an incoming packet matches ESTABLISHED only if it answers something the tracker has already seen (for ICMP it pairs the reply with the request by ICMP id and sequence number). RELATED covers packets that belong to a tracked connection without being part of it, such as ICMP errors about an existing flow.

For DNS it is the same. We send a query to a DNS server and it answers. The answer does not arrive on port 53: our resolver sends from a random high port to the server's port 53, and the reply comes back from source port 53 to that high port. So I accept incoming packets with source port 53, but only when the connection tracking saw the query go out.

For the mail server it is the same again: when our server delivers mail it connects to port 25 on the remote server, and the replies come back with source port 25, so they are accepted only as part of a connection we opened. A single ESTABLISHED,RELATED rule without --sport would cover all three cases, and any other connection the server opens (package updates, NTP); the per-service versions here are stricter, but leave those other connections without replies.
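The whole procedure, with the ESTABLISHED,RELATED reasoning applied, as one script. This is an added example and not the post's own commands: it writes the ruleset in iptables-restore format so it can be printed and reviewed first, then loaded in one atomic step (iptables-restore flushes and replaces each listed table as a unit, which removes the window between the flush and the rules where the DROP policy alone decides). It departs from the post in three places, each marked in the comments: one generic ESTABLISHED,RELATED rule replaces the per-service --sport rules, FORWARD is set to DROP, and the admin host is pinned to an interface. The admin address 192.168.1.33 is the post's; the interface name eth0, the TCP port 53 rule and the use of -m conntrack (the current form of -m state) are assumptions added here. Adjust them before applying.

```shell
#!/bin/sh
# Added example (not the original post's commands): builds the ruleset
# from the post as an iptables-restore file. Run without arguments to
# print it for review; run with --apply as root to load it atomically.
# ADMIN_HOST and LAN_IF are assumptions; override them in the environment.
set -e

ADMIN_HOST="${ADMIN_HOST:-192.168.1.33}"   # admin machine from the post
LAN_IF="${LAN_IF:-eth0}"                   # assumed interface the LAN is on

# Services exposed to everyone, as proto:port pairs (assumed list;
# tcp:53 is added for large DNS answers and zone transfers).
SERVICES="tcp:80 tcp:25 tcp:143 tcp:993 tcp:22 udp:53 tcp:53"

# Emit the filter table. Rule order matters: the first match wins, and
# anything that matches nothing is dropped by the INPUT policy.
filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. the server talking to itself
-A INPUT -i lo -j ACCEPT
# 2. replies to connections the server opened (ping, DNS, outbound SMTP,
#    package updates) and ICMP errors about them: one rule instead of
#    one --sport rule per service
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. the admin host, but only on the interface it really lives behind,
#    so a forged source address arriving elsewhere is dropped
-A INPUT -s ${ADMIN_HOST} ! -i ${LAN_IF} -j DROP
-A INPUT -i ${LAN_IF} -s ${ADMIN_HOST} -j ACCEPT
# 4. public services: new connections only, replies are handled above
EOF
    for svc in $SERVICES; do
        proto=${svc%%:*}
        port=${svc##*:}
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# The nat table is not used, but listing it makes iptables-restore flush
# whatever was in it, as the post's "iptables -t nat -F" did.
nat_table() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# The complete ruleset, both tables, in iptables-restore format.
ruleset() {
    filter_table
    nat_table
}

case "${1:-}" in
    --apply) ruleset | iptables-restore ;;   # atomic: flush + load per table
    *)       ruleset ;;                      # dry run: print for review
esac
```

Print it first, read it, and only then run it with --apply from the console; afterwards `iptables-save` shows exactly what the kernel loaded, in the same format, so the two can be compared line by line.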
