
Server Security Made Easy: Fortifying with iptables and Knockd

by Martin Baun, April 19th, 2024

Too Long; Didn't Read

I'll show you how to set up an iptables firewall and lock down the whole server. Ports you only want open sometimes, for some people, are handled by knockd: a special sequence of connection attempts opens the port for just the IP address that knocked. First we write iptables.sh, then we install knockd and configure it in /etc/knockd.conf.


Securing your server has never been easier. Here, I'll show how I set up a firewall and lock down the whole server so nobody can reach it except on the ports I choose.

iptables will be the firewall for all incoming traffic, but what do you do with the ports you only want open sometimes, for some people? You can use knockd, where a special sequence of connection attempts opens the port for just the IP address that knocked.


Firewall using iptables

First, make a file called iptables.sh and copy the following.


#!/bin/sh
# iptables.sh: lock the INPUT chain down to HTTP/HTTPS (plus ICMP).
# Run as root. Re-running is safe because the chain is flushed first.

# INPUT
iptables -F INPUT
# Keep replies to connections we initiated and sessions that are already open.
# This rule is also what keeps a knocked-open ssh session alive after knockd
# removes the per-IP rule again.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Everything else, ssh included, is dropped. knockd later inserts per-IP
# ACCEPT rules at position 2, above this line.
iptables -A INPUT -j DROP

# Show the result
iptables -L -n -v

If your server does more than serve HTTP/HTTPS, add a line like this for each extra port, before the final DROP:

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport THEPORTHERE -j ACCEPT

Notice that port 22 (SSH) is not in the list. That means running this script locks SSH out for everyone, including you. So make a backup first and keep your current ssh connection open while you run it; the RELATED,ESTABLISHED rule keeps that session alive, but you will not be able to open a new one until knockd is working. One more caveat: iptables only filters IPv4. If the server also has an IPv6 address, apply the same rules with ip6tables (or disable IPv6), otherwise ssh stays reachable over IPv6 no matter what this script does.
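Because the lifeline session is the only thing standing between you and a locked-out server, it is worth applying the script with a dead man's switch: a background timer that reverts the INPUT chain unless you confirm, from a second session, that the knock and ssh still work. The following is an added example, not part of the original article; the function names, the confirmation-file path and the dry-run with plain files are this example's own choices, and the revert command simply restores an open INPUT chain.

```bash
#!/bin/bash
# Dead man's switch for applying a firewall script over ssh.
# If the new INPUT rules cut off the session you are typing in, you can no
# longer undo them, so arm a background timer first: it reverts the chain
# after GRACE seconds unless a confirmation file has appeared by then.
# The apply/revert actions are passed in as strings so the logic can be
# dry-run with plain files (below) before it is pointed at iptables.

# Starts the timer, then runs APPLY_CMD. The timer pid is left in
# ROLLBACK_TIMER_PID so the caller can wait on it.
apply_with_rollback() {
  local grace="$1" apply_cmd="$2" revert_cmd="$3" confirm="$4"
  rm -f "$confirm"
  # Timer first: if apply_cmd itself hangs the session, the revert still fires.
  ( sleep "$grace"; [ -e "$confirm" ] || eval "$revert_cmd" ) &
  ROLLBACK_TIMER_PID=$!
  eval "$apply_cmd"
  echo "rules applied; reverting in ${grace}s unless you run: touch $confirm" >&2
}

# What you run from the second session once knock + ssh have worked.
confirm_rules() {
  touch "$1"
}

# Dry run: files stand in for iptables. Prints "reverted" or "kept".
simulate() {
  local confirm_it="$1" dir result
  dir=$(mktemp -d)
  apply_with_rollback 1 "echo applied > $dir/state" \
                        "echo reverted > $dir/state" "$dir/confirmed"
  if [ "$confirm_it" = yes ]; then confirm_rules "$dir/confirmed"; fi
  wait "$ROLLBACK_TIMER_PID"
  if [ "$(cat "$dir/state")" = reverted ]; then result=reverted; else result=kept; fi
  rm -rf "$dir"
  echo "$result"
}

echo "dry run, no confirmation: $(simulate no)"     # reverted
echo "dry run, confirmed in time: $(simulate yes)"  # kept

# Real use, as root in your existing ssh session (paths are this example's
# assumptions; the revert leaves the INPUT chain wide open again):
#   apply_with_rollback 120 'sh /root/iptables.sh' \
#       'iptables -P INPUT ACCEPT; iptables -F INPUT' /run/firewall-confirmed
# then, from a second terminal: knock, ssh in, and
#   confirm_rules /run/firewall-confirmed
```

The timer is armed before the rules are applied on purpose: if the apply step itself freezes your terminal, the revert still runs. Pick a grace period long enough to knock and log in from the second terminal, but short enough that a mistake does not leave you locked out for long.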

Installing Knockd on Ubuntu

After this, let's install knockd. How to do this, and where the files live, depends on your OS. I'll assume an Ubuntu-based server; Fedora will look very similar. FreeBSD people, yours will be in a completely different place, but I guess you'll know!

sudo apt install knockd


The default installation leaves a sample /etc/knockd.conf with unrelated example stanzas. Remove its contents and insert the following instead. Two things to check on Debian/Ubuntu before relying on it: knockd listens on eth0 unless you set interface = <name> in [options], so on a machine whose interface is called something like ens3 or enp0s3 it will fail to start; and /etc/default/knockd ships with START_KNOCKD=0, which keeps the daemon from starting until you change it to 1.

# Insert into /etc/knockd.conf

[options]
        UseSyslog
        # interface = eth0   # uncomment and adjust if your NIC is not eth0

[openSSH]
        # the four ports, in order, that a client must hit to open up
        sequence    = 5000,4000,6000,3000
        # all four knocks must arrive within this many seconds
        seq_timeout = 200
        # insert per-IP ACCEPT rules at position 2, right after RELATED,ESTABLISHED
        command     = /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 5901 -j ACCEPT
        # seconds until stop_command runs and closes the ports again
        cmd_timeout  = 1800
        stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -D INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
        # only count SYN packets, so a plain connection attempt is a knock
        tcpflags    = syn


This opens ports 22 (SSH) and 5901 (VNC) for the knocking IP address only, if that address knocks on ports 5000, 4000, 6000 and 3000 in that sequence, and only that sequence, within 200 seconds. After cmd_timeout (1800 seconds, so 30 minutes) the stop_command removes the two rules again; a session you already opened survives that because of the RELATED,ESTABLISHED rule, but a new connection needs a fresh knock. If you do not run VNC, drop the two 5901 parts.

After this, let's make sure it starts now and after every reboot:

sudo systemctl enable knockd
sudo systemctl start knockd
sudo systemctl status knockd
sudo reboot

and see that it runs after this. If it doesn't run, do not continue. It must run, as you won't be able to access the server without it.

Checking if knockd works

If

sudo systemctl status knockd

shows it as active (running), good. But to be sure, let's actually turn the firewall on by running the script as root: sudo sh iptables.sh

BUT KEEP your existing ssh connection, as this is your lifeline to the server.


After this, let's try to connect using ssh from a different tab.

ssh root@yourIP

This should fail: the SYN packets are dropped, so the connection attempt hangs and eventually times out rather than being refused.


Now, let's run the knock (the knock client is in the same knockd package on Debian/Ubuntu; -d 100 waits 100 ms between the ports):

knock -d 100 yourIP 5000 4000 6000 3000
ssh root@yourIP

If this works, we made a successful knock to the server, and it opened up for our IP address.
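Once the knock works, it is worth auditing the live chain rather than trusting the ssh test alone. The following is an added example, not part of the original article: a shell function that reads the output of iptables -S INPUT and checks that the chain still ends in an unconditional DROP, that RELATED,ESTABLISHED is accepted, and that every rule accepting tcp/22 is restricted to a source address (as knockd's %IP% rules are). The three rule dumps are constructed to look like what iptables -S prints for this guide's rules; the IP 203.0.113.5 is a documentation address used here only as a sample knocker.

```bash
#!/bin/bash
# Audit an INPUT chain dump (the output of `iptables -S INPUT`) against the
# policy this guide builds. Three checks:
#   1. the chain ends in an unconditional DROP (otherwise the default policy
#      ACCEPT lets anything unmatched through),
#   2. RELATED,ESTABLISHED is accepted, so knocked-open sessions survive
#      knockd's stop_command (newer iptables prints it as conntrack/ctstate),
#   3. every rule that accepts tcp/22 carries an explicit -s source, i.e. it
#      is a knockd %IP% rule and not a world-open ssh rule.
# Prints one FAIL line per problem; returns 0 when clean, 1 otherwise.
audit_input_chain() {
  local rules="$1" ok=0 last line
  last=$(printf '%s\n' "$rules" | grep '^-A INPUT' | tail -n 1)
  if [ "$last" != "-A INPUT -j DROP" ]; then
    echo "FAIL: last INPUT rule is not an unconditional DROP: '$last'"
    ok=1
  fi
  if ! printf '%s\n' "$rules" | grep -qE -- '--(state|ctstate) RELATED,ESTABLISHED -j ACCEPT'; then
    echo "FAIL: no RELATED,ESTABLISHED accept rule"
    ok=1
  fi
  while IFS= read -r line; do
    case "$line" in
      *"--dport 22 "*ACCEPT*)
        case "$line" in
          *" -s "*) ;;   # source-restricted: what knockd installs
          *) echo "FAIL: ssh open to the world: '$line'"; ok=1 ;;
        esac ;;
    esac
  done <<EOF
$rules
EOF
  return $ok
}

# Constructed sample dumps (not captured from a real host).
# Locked-down state produced by iptables.sh, before any knock:
LOCKED_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP'

# Same chain after knockd ran its command for 203.0.113.5 (-I INPUT 2),
# as a newer iptables prints it:
KNOCKED_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP'

# A broken chain: someone re-added a world-open ssh rule and lost the DROP.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT'

for name in LOCKED_RULES KNOCKED_RULES BAD_RULES; do
  eval "rules=\$$name"
  if audit_input_chain "$rules"; then echo "$name: OK"; else echo "$name: FAILED"; fi
done
# Live check on the server (needs root):  audit_input_chain "$(iptables -S INPUT)"
```

Run it on the server both before and after a knock: before, the only difference from LOCKED_RULES should be the header, and after, the two extra rules should carry your own IP in -s and nothing else should have moved.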

Making iptables permanent

The last thing is to make the iptables rules permanent, because the kernel forgets them on reboot. The "modern" way is the iptables-persistent package (netfilter-persistent), but I would rather keep the system simple, so I just add the script to root's crontab (crontab -e), with an absolute path because cron does not run from the directory you saved it in. Assuming the script lives at /root/iptables.sh:

@reboot /root/iptables.sh

This is an inelegant way, but it works and is simple. One ordering note: if knockd happens to open a port for someone before cron has run the script, the flush removes that rule again, and the knock simply has to be repeated.

For these and more thoughts, guides, and insights visit my blog at martinbaun.com