iptables is a package and kernel module for Linux that uses the netfilter hooks within the Linux kernel to provide filtering, network address translation, and packet mangling. iptables is a powerful tool for turning a regular Linux system into a simple or advanced firewall.
Firewall & iptables basics
Rules are first come first serve
In iptables, much like in other (but not all) firewall filtering packages, the rules are presented as an ordered list. When a packet is being processed, iptables reads through its rule-set from the top and applies the first rule that completely matches the packet.
For example if our rule-set looks like below, all HTTP connections will be denied:
Allow all SSH Connections
Deny all connections
Allow all HTTP Connections
If the packet was for SSH it would be allowed because it matches rule #1. HTTP traffic, on the other hand, matches both rule #2 and rule #3, but because rule #2 (Deny all connections) comes first, the HTTP traffic is denied and rule #3 is never reached.
This is an example of why order matters with iptables; keep this in mind, as we will see it again later in this article.
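The first-match behaviour above is easy to check mechanically. The following shell function is an added example, not part of the original article: it scans a rule-set in iptables-save syntax and reports rules that can never fire because an earlier rule in the same chain has no match criteria and a terminating target. The sample rule-set is constructed to mirror the SSH / deny-all / HTTP ordering discussed above.

```shell
#!/bin/sh
# Constructed sample rule-set in iptables-save syntax (not a real server's rules):
# SSH allowed, then a catch-all REJECT, then an HTTP rule that is unreachable.
SAMPLE_RULES='*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'

# find_shadowed RULESET
# Prints every "-A" rule that can never match because an earlier rule in the
# same chain has no match criteria at all and jumps straight to a terminating
# target (ACCEPT, DROP or REJECT). Line numbers refer to the rule-set text.
# Heuristic only: a catch-all with extra options (e.g. --reject-with) is not
# recognised, and user-defined chains are treated like any other chain.
find_shadowed() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" {
      chain = $2
      catch_all = (NF == 4 && $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
      if (chain in blocked) {
        print "line " NR " is shadowed by line " blocked[chain] ": " $0
      } else if (catch_all) {
        blocked[chain] = NR
      }
    }'
}

find_shadowed "$SAMPLE_RULES"
```

Run it against the output of iptables-save on a live host to spot rules that were appended below a final REJECT or DROP by mistake.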
Rsync is a great tool to replicate or sync data on your computer, and I'm heavily relying on it to back up my server and to mirror some open-source projects and GNU/Linux distributions.
But I've recently found a web interface to manage all my rsync tasks, called websync.
Websync is a web-based rsync task manager where you can add, edit, clone, remove, schedule, … your rsync tasks, with the option of using a remote host as the source or destination of the task (with an SSH RSA key too).
Under the free MIT license, Websync has been developed by Sander Struijk and is still actively maintained, as you can see on GitHub. But it is still an early project, so if you face any issues, make sure to report them on the issue tracker.
Interested in giving it a shot? Here is how to install Websync!
rsync is used to perform backup operations on UNIX / Linux.
The rsync utility synchronizes files and directories from one location to another efficiently. The backup location can be on the local server or on a remote server.
Important features of rsync
Speed: The first time, rsync replicates the whole content between the source and destination directories. On subsequent runs, rsync transfers only the changed blocks or bytes to the destination location, which makes the transfer really fast.
Security: rsync allows encryption of data using the ssh protocol during transfer.
Less Bandwidth: rsync compresses and decompresses data block by block at the sending and receiving ends respectively, so the bandwidth used by rsync will always be less than with other file transfer protocols.
Privileges: No special privileges are required to install and execute rsync.
Syntax
$ rsync options source destination
Source and destination can be either local or remote. In the remote case, specify the login name, the remote server name and the location.
Here's how you can block traffic coming from an IP, a list of IPs, full networks or even entire countries. This was done on a Debian 7 x86 server, so adapt the commands to your distro of choice.
1 – Install ipset; for a command reference check http://ipset.netfilter.org
apt-get install ipset
2 – Set up your sets. Sets are basically lists to which you add all the IPs or IP networks; in this case I'm creating a list to support IP networks (x.x.x.x/yy form). If you need to create a set to support individual IPs, use the hash:ip option.
# Create 3 lists, 2 to support networks and 1 to support single IP addresses
# hash:net = Networks
# hash:ip = single IPs
# Command is ipset -N setname [set options], but I'm using default
# options here
ipset -N china hash:net
ipset -N some-country hash:net
ipset -N badguys hash:ip
# Now we list the just created sets with:
ipset -L
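Creating the sets is only half of the job: nothing is blocked until an iptables rule consults them. The script below is an added example, not from the original post, and goes one step beyond it by emitting the ipset restore file for the sets together with the iptables-restore lines that match source addresses against them (the `-m set --match-set` match from the xt_set module). The set names follow the post; the network and IP entries are constructed documentation ranges, not real threat data.

```shell
#!/bin/sh
# Constructed sample entries (RFC 5737 documentation ranges, not real threat data).
CHINA_NETS='203.0.113.0/24
198.51.100.0/25'
BADGUYS_IPS='192.0.2.10
192.0.2.20'

# ipset_restore_block NAME TYPE ENTRIES
# Emits the set in the same "create"/"add" syntax that `ipset save` writes,
# so the whole list can be loaded at once with `ipset restore < file`.
ipset_restore_block() {
  printf 'create %s %s family inet\n' "$1" "$2"
  printf '%s\n' "$3" | while IFS= read -r entry; do
    if [ -n "$entry" ]; then
      printf 'add %s %s\n' "$1" "$entry"
    fi
  done
}

# block_rules SETNAME...
# Emits iptables-restore lines: a BLOCKLIST chain that logs (rate-limited)
# and then drops, plus one rule per set inserted at the top of INPUT so the
# block is evaluated before any ACCEPT rule (first match wins).
block_rules() {
  printf '%s\n' '*filter' ':BLOCKLIST - [0:0]' \
    '-A BLOCKLIST -m limit --limit 5/min -j LOG --log-prefix "ipset_blocked: "' \
    '-A BLOCKLIST -j DROP'
  for set_name in "$@"; do
    printf -- '-I INPUT -m set --match-set %s src -j BLOCKLIST\n' "$set_name"
  done
  printf 'COMMIT\n'
}

# Generate both files' contents; redirect each to a file and load with
# `ipset restore < sets.txt` followed by `iptables-restore --noflush < rules.txt`.
ipset_restore_block china hash:net "$CHINA_NETS"
ipset_restore_block badguys hash:ip "$BADGUYS_IPS"
block_rules china badguys
```

Load the sets before the rules: iptables-restore refuses a `--match-set` rule whose set does not exist yet.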
Appropriate firewall rules depend heavily on the services being run. Below are iptables rulesets to secure your Linode if you're running a web server. These are given as an example! A real production web server may want or require more or less configuration, and these rules would not be appropriate for a file or database server, a Minecraft or VPN server, etc.
iptables rules can always be modified or reset later, but these basic rulesets serve only as a beginning demonstration.
IPv4
/tmp/v4
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping and traceroute.
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Accept inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT
Optional: If you plan to use Linode Longview, add this additional rule below the section for allowing HTTP and HTTPS connections:
# Allow incoming Longview connections
-A INPUT -s longview.linode.com -m state --state NEW -j ACCEPT