linux
Alexander777xx, 2018-06-21 19:13:22

Am I doing everything right in iptables?

I have a game server (Minecraft), and it has a BungeeCord vulnerability: you can connect to the server bypassing authorization through a different port (any port except 25565, on which the authorization server is located).
Did I correctly close this vulnerability using iptables?
(First, I closed ALL incoming and outgoing connections for all protocols (TCP, UDP, etc.)
iptables -P INPUT DROP
iptables -P OUTPUT DROP

(Opened incoming port 25565 ONLY for tcp protocol so that players can connect)
iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
(They say that UDP is insecure and does not guarantee stable operation, or should UDP also be opened?)
(ONLY opened incoming port 21, for FTP access, ONLY over TCP protocol)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
(So now I can upload files to the server, but I can't download? Therefore, if someone finds out the FTP password, they won't be able to download files from there?)
(Opened incoming port 22, to control the server via PuTTY (TCP ONLY))
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
(Save changes)
iptables-save
Did I do everything right? Is my reasoning correct? Or do I still need to open UDP on port 25565, or, on the contrary, close something for security? Did I open the ports for FTP and PuTTY correctly, or do I need to do something else, or, on the contrary, close something for security?
P.S. Please don't be too hard on me, I am a beginner and do not really understand this.

vreitech, 2018-06-21
@Alexander777xx

> They say that UDP is insecure and does not guarantee stable operation, or should UDP also be opened?
Whether it is necessary to open UDP depends on the application. If your Minecraft server can work using the UDP protocol, then you can open it, and if it requires working using the UDP protocol or does not know how to work using the TCP protocol, then you will have to open UDP.
> So now I can upload files to the server, but I can't download them?
You can upload and download.

EvilMan, 2018-06-21

If you set the DROP policy to OUTPUT as well, then you need to add symmetric allowing rules to it. For example, if you have a rule iptables -A INPUT -p tcp --dport 22 -j ACCEPT, then you will need a rule iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT. But the common practice is that OUTPUT is left empty with the ACCEPT policy.
It is also common to add a rule like iptables -A INPUT -i lo -j ACCEPT to allow communication between processes on the host itself, and the rule iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT in order to allow response packets.
iptables-save does not save changes, it only prints the current ruleset to stdout. Where iptables settings are stored depends on the Linux distribution. For example, on Debian-like distributions, it is better to install the netfilter-persistent and iptables-persistent packages so that firewall settings can be loaded at boot.
In general, iptables and firewall configuration require good knowledge of networks and protocols, and you won’t be able to master them at once, but only by reading the documentation (fortunately, there is a good translation of the iptables tutorial on opennet.ru).
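The following script is an added example, not code from the question or from either answer. It audits an iptables-save dump for the points raised in the answer above: the INPUT policy is DROP, loopback traffic and ESTABLISHED,RELATED reply packets are accepted, only an allowlist of TCP ports is opened, and OUTPUT is not set to DROP without its own allow rules. The two dumps are constructed for the example; one mirrors the ruleset exactly as the question builds it, the other the same ruleset with the answer's additions. On a live host you would pipe the real output of iptables-save into audit_rules instead. The function name and the allowlist argument are the example's own conventions.

```shell
#!/bin/sh
# Added example (not code from the question or the answers): audits an
# iptables-save dump for the points EvilMan raises. Feed it real
# `iptables-save` output on a host; the two dumps below are constructed.

# audit_rules "PORT PORT ..." < dump ; returns 0 if every check passes, 1 otherwise
audit_rules() {
    allowed="$1"            # space-separated TCP ports that may be open
    dump=$(cat)             # the iptables-save text, read from stdin
    status=0

    # 1. default policy on INPUT must be DROP (deny-by-default)
    if ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "FAIL: INPUT policy is not DROP"; status=1
    fi
    # 2. processes on the host itself must be able to talk over loopback
    if ! printf '%s\n' "$dump" | grep -q -- '^-A INPUT -i lo -j ACCEPT'; then
        echo "FAIL: loopback (lo) traffic is not accepted"; status=1
    fi
    # 3. reply packets to the server's own connections must be accepted
    if ! printf '%s\n' "$dump" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'; then
        echo "FAIL: reply packets (ESTABLISHED,RELATED) are not accepted"; status=1
    fi
    # 4. every --dport that is accepted must be on the allowlist
    for port in $(printf '%s\n' "$dump" | sed -n 's/.*--dport \([0-9][0-9]*\) -j ACCEPT$/\1/p'); do
        case " $allowed " in
            *" $port "*) ;;
            *) echo "FAIL: TCP port $port is open but not on the allowlist"; status=1 ;;
        esac
    done
    # 5. OUTPUT DROP with no OUTPUT rules silently blocks the server's own traffic
    if printf '%s\n' "$dump" | grep -q '^:OUTPUT DROP' \
       && ! printf '%s\n' "$dump" | grep -q -- '^-A OUTPUT '; then
        echo "FAIL: OUTPUT policy is DROP but no OUTPUT allow rules exist"; status=1
    fi
    return $status
}

# Constructed dump: the ruleset exactly as the question builds it
ASKER_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed dump: the same ruleset with the additions from the answer applied
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Demo: the first audit prints FAIL lines, the second prints nothing
printf '%s\n' "$ASKER_DUMP" | audit_rules "21 22 25565" || echo "question's ruleset: problems found"
printf '%s\n' "$FIXED_DUMP" | audit_rules "21 22 25565" && echo "ruleset with the answer's fixes: OK"
```

On a Debian-like host with iptables-persistent installed, the same text that audit_rules reads is what gets written to the package's rules file (/etc/iptables/rules.v4 by default), so running the audit against iptables-save output before saving catches a missing loopback or conntrack rule before it survives a reboot.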
