Basic iptables Configuration

It’s always a good idea to set up a local firewall on hosts that sit on unprotected networks. The internet “winds” blow harder and harder each day, and it’s only a matter of time before some daemon has an exploit that gets taken advantage of. I use CentOS 5 for all my web servers, and here is an example of the script I use to create a DEFAULT TO DENY set of firewall rules. This script generates a file called iptables in /etc/sysconfig.

I used to create a special rule for MySQL that only allowed connections from my own network, but lately I have been omitting this rule and tunneling the connection through ssh instead. That is why it is commented out in the script below.


### SCRIPT ###
#!/bin/sh
# Run as root. Flush the existing rules first so that re-running this
# script does not append a second copy of every rule.
/sbin/iptables -F
# Drop all incoming traffic
/sbin/iptables -P INPUT DROP
# Drop all forwarded traffic
/sbin/iptables -P FORWARD DROP
# Allow all outgoing traffic
/sbin/iptables -P OUTPUT ACCEPT
# Allow returning packets
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming traffic on port 80 for web server
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow MySQL only from a certain network (disabled; tunneled over ssh instead)
#/sbin/iptables -A INPUT -p tcp -m tcp -s XXX.XXX.XXX.0/24 --dport 3306 -j ACCEPT
# Allow local traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow incoming SSH on port 22
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow ping
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Save the ruleset so the iptables init script reloads it at boot
/sbin/iptables-save > /etc/sysconfig/iptables
chmod go-r /etc/sysconfig/iptables
/sbin/service iptables restart
### /SCRIPT ###

Here is what /etc/sysconfig/iptables looks like after running this script:


# Generated by iptables-save v1.3.5 on Wed Dec 31 13:47:40 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:8972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Wed Dec 31 13:47:40 2008
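
A check an administrator can run over a saved ruleset before trusting it, added here as an example and not part of the original post: it flags a chain whose policy is not DROP, rules duplicated by re-running an append-only script, a MySQL ACCEPT that carries no -s source restriction, and an INPUT chain that drops by default without accepting SSH. The embedded sample ruleset is constructed (192.0.2.0/24 is a documentation network), and the function names are my own.

```shell
#!/bin/sh
# Audit an iptables-save style ruleset (such as /etc/sysconfig/iptables).
# Constructed sample ruleset, not the author's saved output.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:8972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Chains whose default policy is not DROP (OUTPUT ACCEPT is a deliberate
# choice on this box, but it should still be visible in the report).
non_drop_policy() {
  printf '%s\n' "$1" | awk '/^:/ && $2 != "DROP" { print substr($1, 2) }'
}

# Rule lines that occur more than once: an append-only (-A) script that
# never flushes duplicates every rule each time it is re-run.
duplicate_rules() {
  printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# ACCEPT rules for TCP port $2 that carry no -s source restriction.
unrestricted_accept() {
  printf '%s\n' "$1" | grep -- "--dport $2 " | grep -- '-j ACCEPT' | grep -v -- ' -s '
}

# Exit 0 when INPUT drops by default but no rule accepts tcp/22: loading
# such a ruleset over a remote SSH session locks the administrator out.
ssh_lockout_risk() {
  printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
  ! printf '%s\n' "$1" | grep -- '--dport 22 ' | grep -q -- '-j ACCEPT'
}

# Print every finding; pass "$(cat /etc/sysconfig/iptables)" for the live file.
audit_ruleset() {
  echo "== chains not defaulting to DROP"; non_drop_policy "$1"
  echo "== duplicated rules"; duplicate_rules "$1"
  echo "== tcp/3306 accepted from any source"; unrestricted_accept "$1" 3306
  if ssh_lockout_risk "$1"; then echo "== WARNING: INPUT is DROP and nothing accepts tcp/22"; fi
}

audit_ruleset "$SAMPLE_RULES"
```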

After you are done, make sure you have iptables set up to start when the system boots.


# /sbin/chkconfig --list | grep iptables

iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off

If it’s not on, just run:

/sbin/chkconfig iptables on

Install Solaris Package in Alternate Base Directory

Unless you specify a different administrative file, the pkgadd command reads “/var/sadm/install/admin/default”, which specifies the base directory as “/opt”. Do not change the settings in this file, but rather create a custom admin file and enter an alternate “basedir” directive if you want to install your package into a different directory. We are going to install our package into “/var/applications”, and call our custom admin file “custom”.

First, create and edit “/var/sadm/install/admin/custom”, adding a line similar to this:
basedir=/var/applications/$PKGINST

Next, issue the pkgadd command with the “-a” flag to call your alternate admin file:

pkgadd -d device -a custom PackageName

This really comes in handy when your customers want to retain control over their packages, but you don’t want to give them access to write packages into the system area. More detailed instructions can be found here.

World’s Coolest Datacenter

Ever since coming to work at UC Santa Cruz, I have been feeling pretty lucky to work in a well-engineered and well-managed datacenter. So lucky, in fact, that I’ve been cultivating hatred towards me in my former coworkers by regaling them with stories about how wonderfully designed everything is here. The problem with thinking you have it made, though, is that someone will always point out some greener grass in another field.

This is exactly what happened when I saw this article about the Pionen datacenter, owned by Bahnhof in Sweden. Located nearly 100 feet beneath the city of Stockholm, this epic datacenter has been compared (fairly, I might add) to the secret lair of a James Bond villain. It’s got backup power provided by twin submarine engines, triple-redundant internet backbone connections, and can reportedly stand up to a hydrogen bomb. We spend so much time and effort trying to make our servers comfortable when designing datacenters that we often forget about the human element. Even though these guys are literally working in a cave, it’s nice to see that Bahnhof is trying to make its people comfortable as well.