HOW-TO Setup Ubuntu Server in the Cloud - Part II

See Part I of this article

This is Part II of Setup Ubuntu Server in the Cloud series.

4. Install and configure a firewall
Having a firewall on your system is mandatory. Configuring it correctly is even more important. I use 'iptables' for that purpose, and here is the command to install it, followed by the command to list its configuration, which at this point is empty (every chain has the default ACCEPT policy and no rules loaded):

dambrosio@XXXCNN4730:~$ sudo apt-get install iptables
dambrosio@XXXCNN4730:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


iptables lets users add or remove firewall rules from the command line with arguments like 'iptables -A INPUT ...' (append a rule) or 'iptables -I INPUT ...' (insert a rule at the top of the chain). So we will add a script that runs at every startup and configures our firewall. Copy the text below and paste it (and save - duh) into a file called '/etc/iptables-firewall'. Some of these steps and settings were taken from this article at Ubuntu Forums and some from Linux Help.

#!/bin/sh
#
# In order to use this IPTables firewall script you
# must have IPTables installed.
#
# Script created by dambrosio based on some online resources
# http://www.linuxhelp.net/guides/iptables/
# http://ubuntuforums.org/showthread.php?t=159661
#
# No spoofing: turn on reverse-path filtering for every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    echo 1 > "$filtre"
  done
fi
# ICMP tuning. Uncomment the next two lines to ignore echo requests
# (pings) entirely; bogus ICMP error responses are always ignored.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
echo "Clearing rules and chains"
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
# These will setup our policies. With INPUT set to DROP, anything
# that is not explicitly accepted below ends up logged and dropped.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Accept ICMP. This rule has to come after the flush above: placed
# before it, "iptables -F" would remove the rule again.
iptables -I INPUT -p icmp -j ACCEPT
# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
# (Nothing below jumps to this chain; it is available for extra rules.)
echo "Creating Firewall chains"
iptables -N firewall
iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
iptables -A firewall -j DROP
# Now, our dropwall chain, for the final catchall filter.
iptables -N dropwall
iptables -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
iptables -A dropwall -j DROP
# Our "hey, them's some bad tcp flags!" chain.
iptables -N badflags
iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
iptables -A badflags -j DROP
# And our silent logging chain (drops without logging).
iptables -N silent
iptables -A silent -j DROP
# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
echo "Configuring malformed packets"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
iptables -A INPUT -m state --state INVALID -j badflags
# Allow ESTABLISHED and RELATED incoming connections so client-side things
# like ftp work properly
echo "Allow established and related"
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allow loopback"
iptables -A INPUT -i lo -j ACCEPT
echo "Allow cloud server monitoring"
iptables -A INPUT -s 200.234.197.143 -j ACCEPT
iptables -A INPUT -s 200.234.197.144 -j ACCEPT
iptables -A INPUT -s 200.234.197.145 -j ACCEPT
# Allow internet services like FTP, Web Server etc.
#
echo "Allow Web Services"
# Web Server
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
# SSH Server (443 here; this must match the Port directive in sshd_config,
# which is 22 by default, or the DROP policy above cuts off remote logins)
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# Drop port 137 netbios packets silently.
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
iptables -A INPUT -j dropwall
# End message
echo " [End iptables rules setting]"


Make this script executable:

dambrosio@XXXCNN4730:~$ sudo chmod +x /etc/iptables-firewall
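
Before starting a rule set whose INPUT policy is DROP for the first time, it is worth confirming that it opens the port sshd actually listens on; otherwise the next reboot locks you out of a remote server. The check below is an added example, not part of the original article: it reads an sshd_config and the rules script as plain text (the files it builds for the demonstration are constructed, not the server's real configuration) and refuses when no one-line ACCEPT rule covers the sshd port.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check for a DROP-policy rule set.
# It confirms the rules script accepts inbound TCP on the port sshd listens on,
# so starting the firewall (or rebooting) cannot cut off remote administration.

# Print the port sshd listens on, read from an sshd_config on stdin.
# The last uncommented "Port" directive wins; no directive means the default, 22.
sshd_port_from_config() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }'
}

# Succeed (exit 0) if the rules script on stdin contains a one-line rule of the
# form "-A INPUT ... -p tcp ... --dport PORT ... -j ACCEPT" for the given port.
rules_allow_tcp_port() {
    grep -Eq -- '-A INPUT .*-p tcp .*--dport '"$1"'([^0-9]|$).*-j ACCEPT'
}

# preflight SSHD_CONFIG RULES_SCRIPT: returns 0 if the rules keep sshd reachable, 1 otherwise.
preflight() {
    port=$(sshd_port_from_config < "$1")
    if rules_allow_tcp_port "$port" < "$2"; then
        echo "OK: $2 accepts tcp/$port, which is where sshd listens"
        return 0
    fi
    echo "REFUSING: $2 never accepts tcp/$port; sshd would be unreachable once INPUT drops by default"
    return 1
}

# Demonstration on constructed files (hypothetical paths under a temporary directory).
demo_dir=$(mktemp -d)
printf '# constructed sample sshd_config\nPort 22\n' > "$demo_dir/sshd_config"
cat > "$demo_dir/rules" <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
EOF
preflight "$demo_dir/sshd_config" "$demo_dir/rules" || true   # mismatch: tcp/22 is never opened
printf 'Port 443\n' > "$demo_dir/sshd_config"
preflight "$demo_dir/sshd_config" "$demo_dir/rules"           # match: tcp/443 is opened
rm -rf "$demo_dir"
```

Run it as 'preflight /etc/ssh/sshd_config /etc/iptables-firewall' from a root shell; it only reads the two files, never touches the live rule set, and exits non-zero on a mismatch so it can gate the first 'start'.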


Now copy the text below and paste it (and save - duh) into a file called '/etc/iptables-flush' and make it executable. These are the commands the init script we create later on uses to stop the firewall.

dambrosio@XXXCNN4730:~$ sudo vi /etc/iptables-flush
dambrosio@XXXCNN4730:~$ sudo chmod +x /etc/iptables-flush


Here is the code to add to the file:

#!/bin/sh
# Clear all settings in the firewall
#
# Set the default policy
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#
# Set the default policy for the NAT table
#
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# Delete all rules
#
iptables -F
iptables -t nat -F
#
# Delete all chains
#
iptables -X
iptables -t nat -X
# End message
echo " [End of flush]"


Now we want to tell our server to configure the firewall every time it is started, so we will create an initialization script and add some symlinks to the init rc folders. We will create the '/etc/init.d/firewall' file and make it executable:

dambrosio@XXXCNN4730:~$ sudo vi /etc/init.d/firewall
dambrosio@XXXCNN4730:~$ sudo chmod +x /etc/init.d/firewall


#!/bin/bash
# LSB header: tells update-rc.d which runlevels start and stop this service
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load or flush the iptables firewall rules
### END INIT INFO
# script to start the iptables firewall
RETVAL=0
# To start the firewall
start() {
  echo -n "Iptables rules creation: "
  /etc/iptables-firewall
  RETVAL=$?
}
# To stop the firewall
stop() {
  echo -n "Removing all iptables rules: "
  /etc/iptables-flush
  RETVAL=$?
}
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    /sbin/iptables -L
    /sbin/iptables -t nat -L
    RETVAL=0
    ;;
  *)
    echo "Usage: firewall {start|stop|restart|status}"
    RETVAL=1
    ;;
esac
# Return the status of the last action so callers (and init) can tell
# a usage error from a successful start or stop.
exit $RETVAL


Last but not least we shall add the symlinks to the startup folders:

dambrosio@XXXCNN4730:~$ sudo update-rc.d firewall defaults
 Adding system startup for /etc/init.d/firewall ...
   /etc/rc0.d/K20firewall -> ../init.d/firewall
   /etc/rc1.d/K20firewall -> ../init.d/firewall
   /etc/rc6.d/K20firewall -> ../init.d/firewall
   /etc/rc2.d/S20firewall -> ../init.d/firewall
   /etc/rc3.d/S20firewall -> ../init.d/firewall
   /etc/rc4.d/S20firewall -> ../init.d/firewall
   /etc/rc5.d/S20firewall -> ../init.d/firewall
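
Once the firewall is running, the LOG targets in the dropwall and badflags chains write rate-limited lines to the kernel log, and a quick way to read them is worth having. The summariser below is an added example, not part of the original article: it groups the logged packets by log prefix, source address, protocol and destination port, and copes with the fact that the script sets --log-prefix without a trailing space, so the prefix is fused to the IN= field (e.g. "Dropwall:IN=eth0"). The log lines it runs on are constructed, with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the article): summarise what the Firewall:/Dropwall:/Badflags:
# LOG rules wrote to the kernel log. Feed it "dmesg" or /var/log/kern.log on stdin.
# Output: "count prefix src proto dpt", busiest entries first.
summarize_fw_log() {
    awk '
    match($0, /(Firewall|Dropwall|Badflags):/) {
        prefix = substr($0, RSTART, RLENGTH - 1)   # prefix without the trailing colon
        src = ""; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[prefix " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# top_hitters CHAIN MIN: keep only summary lines for CHAIN with at least MIN hits,
# e.g. "summarize_fw_log < /var/log/kern.log | top_hitters Dropwall 50".
top_hitters() {
    awk -v chain="$1" -v min="$2" '$2 == chain && $1 + 0 >= min + 0'
}

# Constructed sample log lines (not captured from a real server).
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 srv kernel: [  101.100] Dropwall:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 srv kernel: [  102.200] Dropwall:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:09 srv kernel: [  108.300] Badflags:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=80 WINDOW=0 RES=0x00 FIN PSH URG URGP=0
Mar  3 10:01:15 srv kernel: [  114.400] Dropwall: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=64
EOF
}

sample_log | summarize_fw_log
```

The fourth sample line uses a prefix with a trailing space to show that both forms are handled; on the real server the rate limit of 15 messages per minute means the counts are a lower bound on what was actually dropped.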


Well, that is just a simple setup, but it should help you get an Ubuntu server running with fairly safe settings.
