How To Setup A Basic IPTables Firewall On CentOS - Section 2


This is part two of the three-part tutorial on securing your CentOS server.

1. Bruteforce and DoS Attack Prevention
2. IP Tables Firewall
3. SSH Hardening

In this tutorial, we will be creating a basic firewall using IPTables.

First we must create an init script owned by the superuser (root):

1. sudo vim /etc/rc.d/init.d/firewall

Now enter the following content in the file:

2.
#!/bin/bash
# chkconfig: 2345 20 80
# description: iptables rules to prevent communication on unused ports.

# Reset all rules (-F) and user-defined chains (-X) in the filter table; necessary if iptables rules have already been defined.
iptables -t filter -F
iptables -t filter -X

# Start by blocking all traffic; every allowed service is then opened explicitly below (default deny).
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Keep established connections (this also keeps the SSH session the script is run from alive).
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# HTTP (note: HTTPS, port 443, is not opened by this script; add matching rules if the server serves or fetches over TLS)
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

# FTP control and active-mode data ports; data connections are only accepted as RELATED if the nf_conntrack_ftp module is loaded
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT

# SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# IMAP
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# ICMP (ping and error messages)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# SSH (inbound for administration, outbound so the server can reach other hosts over SSH)
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# DNS (the INPUT rules are only needed if this host runs a DNS server; outbound lookups are covered by the OUTPUT rules)
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP (outbound time sync only; replies are matched by the ESTABLISHED rule)
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

Save the script under "/etc/rc.d/init.d". Now make the script executable and run it once to load the rules:

1. chmod +x /etc/rc.d/init.d/firewall

2. bash /etc/rc.d/init.d/firewall

Now register it so that it starts with your server:

1. chkconfig --add firewall

2. chkconfig firewall on

Your server is now protected by a base-level firewall.
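As an added example (not part of the original tutorial), the same rule set rendered in iptables-restore format, which commits the whole table atomically instead of loading rules one by one, plus a small audit helper that lists the inbound ports a ruleset opens. The service table, `gen_ruleset` and `inbound_ports` are my own names and assumptions.

```shell
#!/bin/bash
# Added example, not from the tutorial: the same rules in iptables-restore
# format. iptables-restore commits the whole table at once, so there is no
# window where policies are already DROP but the ESTABLISHED rule is not yet
# loaded. On CentOS 6 this is the format "service iptables" loads from
# /etc/sysconfig/iptables.

# proto ports direction -- in: server listens (INPUT), out: server connects
# out (OUTPUT), both: as the tutorial's rules do
SERVICES='
tcp 80    both
tcp 20:21 both
tcp 25    both
tcp 110   both
tcp 143   both
tcp 22    both
tcp 53    both
udp 53    both
udp 123   out
'

gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default deny, as the init script does
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # replies to existing connections first, then loopback and ICMP
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A OUTPUT -p icmp -j ACCEPT'
    printf '%s\n' "$SERVICES" | while read -r proto ports dir; do
        [ -z "$proto" ] && continue
        case "$dir" in in|both)  echo "-A INPUT -p $proto --dport $ports -j ACCEPT" ;; esac
        case "$dir" in out|both) echo "-A OUTPUT -p $proto --dport $ports -j ACCEPT" ;; esac
    done
    echo 'COMMIT'
}

# Audit helper: ports a ruleset on stdin opens to inbound connections. Run it
# on gen_ruleset output or on /etc/sysconfig/iptables and compare the list
# with the services the host really runs.
inbound_ports() {
    grep '^-A INPUT .*--dport' | sed 's/.*--dport \([^ ]*\).*/\1/' | sort -nu | paste -sd ' '
}
```

On the server, as root, `gen_ruleset > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables` applies the rules in one commit, and `inbound_ports < /etc/sysconfig/iptables` shows what is reachable from outside.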
