Gist: OndrejValenta/96d28b5f019c905b239a52d9aa396553

This is our set of iptables rules on Ubuntu 18.04.

It is based on the idea of blocking INPUT ports and leaving OUTPUT ports open, but it would be smarter to close OUTPUT ports as well and open only what we really need. The OUTPUT rules below are not strictly needed while all OUTPUT traffic is allowed, but when we decide to close it everything should keep working because the rules are already in place.

We use Hetzner.com servers that are all in one private network. Check your ifconfig output to see what your interfaces are called.

Let's start with the basics

Block everything, then allow ssh. Notice that some iptables rules use the -i parameter with the ens10 (private network) or eth0 (public network) interface. You can safely remove these parameters (or the whole rule) if you have only one interface you want to control.

Whenever you want to see the current state of iptables, run this. The line numbers are useful when deleting or inserting rules.

iptables -L -v --line-numbers

To delete a rule, run

iptables -D [chain: INPUT, FORWARD or OUTPUT] [line number]

We first set the INPUT policy to ACCEPT and purge all existing rules with the -F parameter, in that order: flushing while the policy is already DROP would cut off the ssh session we are working from. Then we add rules on the INPUT chain to accept connections from localhost and the private network, plus packets belonging to connections that are already established. We then specifically open port 22 for ssh so we can still connect to the server, and finally we set the INPUT and FORWARD policies to DROP so only the rules we set apply.

iptables -P INPUT ACCEPT                # accept by default while we rebuild the rules
iptables -F                             # flush all existing rules in the filter table
iptables -A INPUT -i lo -j ACCEPT       # localhost
iptables -A INPUT -i ens10 -j ACCEPT    # private network interface
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections we opened
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT              # ssh on the public interface
iptables -P INPUT DROP                  # now drop everything else coming in
iptables -P FORWARD DROP                # we do not route for anyone
iptables -P OUTPUT ACCEPT               # outgoing traffic stays open (see above)
iptables -L -v

iptables-save    # prints the running ruleset in iptables-restore format; it does not persist anything by itself
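As an added check that is not part of the gist: before relying on the DROP policy, it is worth verifying that the dump from `iptables-save` still contains the rules that keep you logged in. The script below is example code written for this page; it parses a dump in `iptables-save` format and reports any of the lockout-safety conditions from the walkthrough that are missing. The two dumps embedded in it are constructed samples (one mirroring the rules above, one with rules deliberately missing); the names `policy_of`, `has_rule` and `audit` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: sanity-check an iptables-save dump for
# the conditions the walkthrough relies on (DROP policies, loopback accepted,
# ESTABLISHED/RELATED accepted, ssh accepted) before trusting the firewall.

# Constructed sample dump that mirrors the rules in the gist.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens10 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# A second constructed dump with the INPUT policy left open and two rules missing.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ens10 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# policy_of CHAIN DUMP -> prints the chain's default policy (ACCEPT/DROP)
policy_of() {
    printf '%s\n' "$2" | awk -v c=":$1" '$1 == c { print $2; exit }'
}

# has_rule CHAIN PATTERN DUMP -> succeeds if an "-A CHAIN" line contains PATTERN
has_rule() {
    printf '%s\n' "$3" | grep -q "^-A $1 .*$2"
}

# audit DUMP -> prints one line per failed check and returns the failure count
audit() {
    dump=$1
    fails=0
    for chain in INPUT FORWARD; do
        if [ "$(policy_of "$chain" "$dump")" != "DROP" ]; then
            echo "FAIL: $chain policy is not DROP"
            fails=$((fails + 1))
        fi
    done
    has_rule INPUT '-i lo -j ACCEPT' "$dump" ||
        { echo "FAIL: loopback traffic is not accepted"; fails=$((fails + 1)); }
    has_rule INPUT 'ESTABLISHED' "$dump" ||
        { echo "FAIL: no ESTABLISHED/RELATED rule, replies would be dropped"; fails=$((fails + 1)); }
    has_rule INPUT '--dport 22 -j ACCEPT' "$dump" ||
        { echo "FAIL: ssh (tcp/22) is not accepted, you would lock yourself out"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: ruleset passes all checks"
    return "$fails"
}

# Against the live firewall you would run:  audit "$(iptables-save)"
# Here we run it against the constructed samples.
audit "$SAMPLE_RULES"
audit "$BAD_RULES" || echo "($? check(s) failed in BAD_RULES, as expected)"
```

The checks are deliberately textual so the script can run on a saved `rules.v4` file on any machine, not only on the host with the kernel tables loaded.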

To have the rules persist across reboots, install iptables-persistent. During installation it asks whether to save the current IPv4 and IPv6 rules and creates the two files for you. Then you can reboot your machine and it is a lot safer than it was a few minutes ago.

apt-get install iptables-persistent

Whenever you change anything in iptables, run this command to regenerate the files created when iptables-persistent was installed.

dpkg-reconfigure iptables-persistent

Graylog server - web and HTTP endpoint

iptables -A INPUT -i eth0 -p tcp -s [your (network) IP address/network mask] --match multiport --dports 9000,12201 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --match multiport --sports 9000,12201 -m conntrack --ctstate ESTABLISHED -j ACCEPT

PING

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s [your (network) IP address/network mask] -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT   # our answer to a ping is an echo-reply, not an echo-request

Redis

iptables -A INPUT -i eth0 -p tcp -s [your (network) IP address/network mask] --dport 6379 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 6379 -m conntrack --ctstate ESTABLISHED -j ACCEPT
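The gist says at the top that it would be smarter to close OUTPUT as well and open only what is really needed. As an added example that is not the gist's own file, here is what that looks like as one complete ruleset in the `iptables-restore` format that iptables-persistent loads from `/etc/iptables/rules.v4`, built from the INPUT rules for ssh, Graylog, ping and Redis above. Interface names (eth0, ens10) and ports (22, 9000, 12201, 6379) come from the gist; the management network and resolver address are placeholders, and the outbound DNS and HTTP/HTTPS allowances (assumed to be needed for name resolution and apt) and the rate-limited LOG rule are assumptions made for this example. The function names `gen_rules`, `count_rules` and `validate` are this example's own.

```shell
#!/bin/sh
# Added example, not the gist's own file: generate an iptables-restore ruleset
# that closes OUTPUT too. Redirect the output to /etc/iptables/rules.v4 once
# the LOG rule has shown you nothing else needs to get out.

# gen_rules MGMT_NET RESOLVER_IP -> prints the ruleset on stdout
gen_rules() {
    mgmt=$1
    resolver=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT: the gist's baseline; one ESTABLISHED,RELATED rule covers all replies
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens10 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -s $mgmt -m multiport --dports 9000,12201 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-request -s $mgmt -j ACCEPT
-A INPUT -i eth0 -p tcp -s $mgmt --dport 6379 -m conntrack --ctstate NEW -j ACCEPT
# OUTPUT: closed by default. Replies to accepted inbound connections match the
# ESTABLISHED,RELATED rule, so no per-service --sport rules are needed here.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ens10 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New outbound connections the host itself needs (assumed: DNS to one resolver,
# HTTP/HTTPS for apt). Add what your own host needs, nothing more.
-A OUTPUT -o eth0 -p udp -d $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -d $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log what still gets dropped (rate limited) so missing needs show up in syslog.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# count_rules CHAIN MGMT_NET RESOLVER_IP -> number of -A CHAIN lines generated
count_rules() {
    gen_rules "$2" "$3" | grep -c "^-A $1 "
}

# validate MGMT_NET RESOLVER_IP -> parse the ruleset with iptables-restore --test
# when we are root and the tool exists; never fails the script otherwise.
validate() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        gen_rules "$1" "$2" | iptables-restore --test \
            && echo "ruleset parses" >&2 \
            || echo "iptables-restore rejected the ruleset" >&2
    else
        echo "iptables-restore not available or not root; skipping kernel-side check" >&2
    fi
}

MGMT_NET=${MGMT_NET:-10.0.0.0/16}   # constructed placeholder, replace with your management network
RESOLVER=${RESOLVER:-10.0.0.1}      # constructed placeholder, replace with your resolver
gen_rules "$MGMT_NET" "$RESOLVER"
validate "$MGMT_NET" "$RESOLVER"
```

Before switching a production box over, run the generated file through `iptables-restore --test`, then watch for the `OUTPUT-DROP:` prefix in the kernel log for a while; each hit is an outbound connection the host makes that this ruleset does not yet allow.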