Securing your server has never been easier. Here, I'll show how I set up a firewall and lockdown the whole server for anyone to access. iptables will be the firewall for any incoming traffic, but what do you do with the ports you might want to be open sometimes, for some people? You can use knockd, where a special sequence will open the port for just that IP address. Firewall using iptables First, make a file called iptables.sh and copy the following. #!/bin/sh

#*filter
# :INPUT ACCEPT [0:0]
# :FORWARD ACCEPT [0:0]
# :OUTPUT ACCEPT [0:0]

# INPUT
iptables -F INPUT
iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP

# COMMIT
iptables -L -n -v if your server has more things it does than just serving HTTP/HTTPS, you might want to add those ports: iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport THEPORTHERE -j ACCEPT Notice that port 22 (SSH) is not here. This means that this will be locked down by running this. So, make a backup and keep your connection with ssh to avoid losing contact with your server. If your server has more things it does than just serving HTTP/HTTPS, you might want to add those ports: Installing Knockd on Ubuntu After this, let's install Knockd. It depends on your OS, how to do this, and where the files are. I'll assume Ubuntu-based servers Fedora will look very similar as well. FreeBSD boys, you will have it in a completely different place, but I guess you'll know! sudo apt install knockd The default installation will make /etc/knockd.conf contains some random stuff. Let's remove that and insert the following instead. # Insert into /etc/knockd.conf

[options]

        UseSyslog

[openSSH]
        sequence    = 5000,4000,6000,3000
        seq_timeout = 200
        command     = /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 5901 -j ACCEPT
        cmd_timeout  = 1800
        stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -D INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
        tcpflags    = syn This opens port 22 if you knock on the server by opening ports 5000, 4000, 6000, and 3000 in that sequence. And only that sequence. After this, let's make sure it starts upon restart by calling. systemctrl enable knockd
service knockd status
reboot and see that it runs after this. If it doesn't run, do not continue. It must run, as you won't be able to access the server without it. Checking if knockd work🔗 If service knockd status shows it is enabled, it should be enabled. But to be super secure, let's try to enable iptables by running ./iptables.sh BUT KEEP your existing ssh connection, as this is your lifeline to the server. After this, let's try to connect using ssh from a different tab. ssh root@yourIP this should fail. Now, let's run. knock -d 100 your IP 5000 4000 6000 3000
ssh root@yourIP If this works, it means we made a successful knock to the server, and it opened up for us. Setting up iptables The last thing is to make iptables permanent, and we can do that by adding the following to the crontab. knock -d 100 your IP 5000 4000 6000 3000
ssh root@yourIP This is an inelegant way, but it works and is simple. The "modern" way to do this is by using permanent iptables, but I would rather keep the system simple. @reboot ./iptables.sh For these and more thoughts, guides, and insights visit my blog at martinbaun.com Securing your server has never been easier. Here, I'll show how I set up a firewall and lockdown the whole server for anyone to access. iptables will be the firewall for any incoming traffic, but what do you do with the ports you might want to be open sometimes, for some people? You can use knockd, where a special sequence will open the port for just that IP address. Firewall using iptables First, make a file called iptables.sh and copy the following. #!/bin/sh

#*filter
# :INPUT ACCEPT [0:0]
# :FORWARD ACCEPT [0:0]
# :OUTPUT ACCEPT [0:0]

# INPUT
iptables -F INPUT
iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP

# COMMIT
iptables -L -n -v #!/bin/sh

#*filter
# :INPUT ACCEPT [0:0]
# :FORWARD ACCEPT [0:0]
# :OUTPUT ACCEPT [0:0]

# INPUT
iptables -F INPUT
iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP

# COMMIT
iptables -L -n -v if your server has more things it does than just serving HTTP/HTTPS, you might want to add those ports: iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport THEPORTHERE -j ACCEPT iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport THEPORTHERE -j ACCEPT Notice that port 22 (SSH) is not here. This means that this will be locked down by running this. So, make a backup and keep your connection with ssh to avoid losing contact with your server. make a backup If your server has more things it does than just serving HTTP/HTTPS, you might want to add those ports: Installing Knockd on Ubuntu After this, let's install Knockd. It depends on your OS, how to do this, and where the files are. I'll assume Ubuntu-based servers Fedora will look very similar as well. FreeBSD boys, you will have it in a completely different place, but I guess you'll know! sudo apt install knockd sudo apt install knockd The default installation will make /etc/knockd.conf contains some random stuff. Let's remove that and insert the following instead. /etc/knockd.conf # Insert into /etc/knockd.conf

[options]

        UseSyslog

[openSSH]
        sequence    = 5000,4000,6000,3000
        seq_timeout = 200
        command     = /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 5901 -j ACCEPT
        cmd_timeout  = 1800
        stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -D INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
        tcpflags    = syn # Insert into /etc/knockd.conf

[options]

        UseSyslog

[openSSH]
        sequence    = 5000,4000,6000,3000
        seq_timeout = 200
        command     = /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 5901 -j ACCEPT
        cmd_timeout  = 1800
        stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -D INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
        tcpflags    = syn This opens port 22 if you knock on the server by opening ports 5000, 4000, 6000, and 3000 in that sequence. And only that sequence. After this, let's make sure it starts upon restart by calling. systemctrl enable knockd
service knockd status
reboot systemctrl enable knockd
service knockd status
reboot and see that it runs after this. If it doesn't run, do not continue. It must run, as you won't be able to access the server without it. Checking if knockd work🔗 If service knockd status service knockd status shows it is enabled, it should be enabled. But to be super secure, let's try to enable iptables by running ./iptables.sh ./iptables.sh BUT KEEP your existing ssh connection, as this is your lifeline to the server. After this, let's try to connect using ssh from a different tab. ssh root@yourIP ssh root@yourIP this should fail. Now, let's run. knock -d 100 your IP 5000 4000 6000 3000
ssh root@yourIP knock -d 100 your IP 5000 4000 6000 3000
ssh root@yourIP If this works, it means we made a successful knock to the server, and it opened up for us. Setting up iptables The last thing is to make iptables permanent, and we can do that by adding the following to the crontab. knock -d 100 your IP 5000 4000 6000 3000
ssh root@yourIP knock -d 100 your IP 5000 4000 6000 3000
ssh root@yourIP This is an inelegant way, but it works and is simple. The "modern" way to do this is by using permanent iptables, but I would rather keep the system simple. @reboot ./iptables.sh @reboot ./iptables.sh For these and more thoughts, guides, and insights visit my blog at martinbaun.com martinbaun.com

Walkthroughs, tutorials, guides, and tips. This story will teach you how to do something new or how to do something better.

Too Long; Didn't Read

Making security fun one episode at a time

Server Security Made Easy: Fortifying with iptables and Knockd

Too Long; Didn't Read

Martin Baun

STORY’S CREDIBILITY

Guide

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Server Security Made Easy: Fortifying with iptables and Knockd

Too Long; Didn't Read

Martin Baun

STORY’S CREDIBILITY

Guide

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES