Debian
Arman, 2015-01-05 11:30:05

How to properly configure iptables with fail2ban on a VPS (debian 7)?

Good afternoon.
Somehow it never worked out with iptables at all; now I have decided to set everything up properly and have added fail2ban as well.
Currently:

#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN

I have shovelled through a bunch of articles, and each one has its own rules. In fact, I only need to:
Deny all external traffic except ping, 22 (ssh) and 80 (http)
And make sure that the rules are kept after the server is rebooted. They say standard utilities have appeared for saving the rules?
Thank you

evgenyks, 2015-01-09
@Arik

Install:
The system will offer to save the existing iptables rules to the files /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6 - save them.
Open the /etc/iptables/rules.v4 file, clear it out and paste this:

*filter

# incoming traffic is denied
:INPUT DROP [0:0]

# forwarding is denied
:FORWARD DROP [0:0]

# outgoing traffic is allowed
:OUTPUT ACCEPT [0:0]

# everything is allowed on loopback
-A INPUT -i lo -j ACCEPT

# ping and the other ICMP replies the server needs are allowed
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT

# only established connections are allowed
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# malformed/unwanted packets are denied
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

# open access to the ssh port, port 80 and whatever else you need
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

COMMIT

Apply the rules:
Restart fail2ban:
Check the rules:
Sorry, I don't remember where I got it!
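An added check, not part of the answer above or of any project's code: a small Python audit of a ruleset in iptables-save or `iptables -S` form, verifying what the question asks for (INPUT defaults to DROP, loopback and established traffic pass, only the listed TCP ports are open). It is run here on the questioner's current `iptables -S` output and on a cut-down copy of the answer's rules.v4, both embedded as constructed samples, and it also understands the multiport `--dports` form that the fail2ban rule uses.

```python
import re
import shlex

def audit(ruleset, allowed_ports=(22, 80)):
    """Check iptables-save or `iptables -S` text for the question's policy: INPUT
    defaults to DROP, lo and established traffic pass, only allowed_ports are open."""
    policy, open_ports, lo_ok, est_ok = None, set(), False, False
    for line in ruleset.splitlines():
        line = line.strip()
        # ':INPUT DROP [0:0]' (iptables-save) or '-P INPUT DROP' (iptables -S)
        m = re.match(r"^(?::|-P\s+)INPUT\s+(ACCEPT|DROP)", line)
        if m:
            policy = m.group(1)
        if not line.startswith("-A INPUT"):
            continue  # comments, *filter, COMMIT and other chains
        a = shlex.split(line)
        if "-j" not in a or a[a.index("-j") + 1] != "ACCEPT":
            continue  # only ACCEPT rules open something up
        lo_ok = lo_ok or ("-i" in a and a[a.index("-i") + 1] == "lo")
        est_ok = est_ok or ("--state" in a and "ESTABLISHED" in a[a.index("--state") + 1].split(","))
        if "-p" in a and a[a.index("-p") + 1] == "tcp":
            for flag in ("--dport", "--dports"):  # plain and multiport forms
                if flag in a:
                    for p in a[a.index(flag) + 1].split(","):
                        open_ports.add(int(p) if p.isdigit() else p)
    findings, wanted = [], set(allowed_ports)
    if policy != "DROP":
        findings.append("INPUT policy is %s: every unlisted port is reachable" % policy)
    elif wanted - open_ports:
        findings.append("wanted ports not accepted: %s" % sorted(wanted - open_ports))
    if open_ports - wanted:
        findings.append("unexpected open TCP ports: %s" % sorted(open_ports - wanted, key=str))
    if not lo_ok:
        findings.append("loopback (-i lo) is not accepted")
    if not est_ok:
        findings.append("RELATED,ESTABLISHED traffic is not accepted")
    return findings

# Constructed samples: the questioner's `iptables -S` output and a cut-down rules.v4
BEFORE = """-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN"""
AFTER = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT"""
```

Running `audit(BEFORE)` reports the open INPUT policy and the missing loopback and ESTABLISHED rules, while `audit(AFTER)` returns no findings; feed it `iptables-save` output or the saved rules.v4 to confirm the persisted ruleset before rebooting.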
