Firewalls

From Bibliotheca Anonoma
Revision as of 20:20, 30 January 2018 by Antonizoon

The Internet is a dangerous place: out in the open, your server is exposed to serious threats. Every threat needs a vector of entry, and an exposed service running or listening on a port is exactly that.

Thus, the right thing to do is to build a firewall that blocks these ports from outside access and opens only the ones you deliberately choose to allow.

No server should accept traffic beyond the specific range of ports it is meant to use. This protects each server from the Internet, and the servers from each other.

http://serverfault.com/questions/201298/why-should-i-firewall-servers

FirewallD

Install and enable FirewallD at boot:

sudo yum install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld

We will use the public zone as our primary and only zone, since we are using a server with only one network interface, eth0, and we are firewalling against the whole Internet.

The first step is to enable the SSH service, since you probably want to retain the ability to connect remotely.

sudo firewall-cmd --permanent --zone=public --add-service=ssh

If you want to enable the HTTP and HTTPS services, add them as well.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https

Finally, once you are sure that the ssh service is enabled in the public zone, reload the rules and assign eth0 to the zone. If it worked, you can still connect via SSH, and HTTP and HTTPS servers are now reachable externally. All other ports and services are blocked to the world (for now).

sudo firewall-cmd --reload
sudo firewall-cmd --zone=public --change-interface=eth0

You can now set up other services with the firewall in the same way. Make sure to reload the rules right after each change to commit it.

sudo firewall-cmd --reload
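The same sequence, wrapped so that the commit step (--reload and --change-interface) is refused unless ssh is among the services being opened. This is an added example, not code from the wiki; it assumes sudo and firewall-cmd are on the PATH, takes the zone, interface and service names as arguments, and can be dry-run by setting FIREWALL_CMD=echo.

```shell
#!/bin/sh
# Added example, not from the wiki: wraps the firewalld steps above so the
# rules are only committed (--reload, --change-interface) when ssh is among
# the services being opened.  FIREWALL_CMD can be pointed at "echo" for a
# dry run; the default assumes sudo and firewall-cmd are on the PATH.

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

# Print, one per line, the commands the procedure issues for a zone, an
# interface and a list of services.  Text only; nothing is executed here.
plan_firewalld() {
    zone="$1"; iface="$2"; shift 2
    for svc in "$@"; do
        printf '%s --permanent --zone=%s --add-service=%s\n' "$FIREWALL_CMD" "$zone" "$svc"
    done
    printf '%s --reload\n' "$FIREWALL_CMD"
    printf '%s --zone=%s --change-interface=%s\n' "$FIREWALL_CMD" "$zone" "$iface"
}

# Succeed only if "ssh" occurs in a whitespace-separated service list, e.g.
# the output of `firewall-cmd --permanent --zone=public --list-services`.
ssh_in_services() {
    for svc in $1; do
        [ "$svc" = ssh ] && return 0
    done
    return 1
}

# Run the plan, refusing up front if ssh is not in the requested services
# (the lock-out the wiki warns about); stop at the first failing command.
apply_firewalld() {
    zone="$1"; iface="$2"; shift 2
    if ! ssh_in_services "$*"; then
        echo "refusing: ssh is not in the service list for zone $zone" >&2
        return 1
    fi
    while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || return 1   # unquoted on purpose: split into command and arguments
    done <<EOF
$(plan_firewalld "$zone" "$iface" "$@")
EOF
}

# Usage (the wiki's own sequence): apply_firewalld public eth0 ssh http https
```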

ufw

A CLI interface to iptables that is utterly uncomplicated. Great for Debian/Ubuntu home servers.

iptables

There's good ol' iptables for advanced configuration, but I don't really deal with it, so look elsewhere.