iptables and Spring Server VPS

Spring Server VPS instances purchased after August 12, 2009 are pre-configured to only allow incoming connections on ports 22, 80 and 443 using iptables. This article will provide a brief overview of the default firewall rules in Spring Server instances and how to modify them to include additional ports.

Please note: It is possible to accidentally lock yourself out of your Spring Server instance with a mistyped iptables entry. You can regain access using the serial console, then follow the instructions below to either delete the mistake or restore the default rules.

Default firewall rules

The default IPv4 iptables entries are as follows:

*filter
:INPUT DROP [1000:900000]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

The default IPv6 entries (using ip6tables) are:

*filter
:INPUT DROP [1000:900000]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s ::1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 13 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

Taken together, these default policies do the following: the INPUT, FORWARD and OUTPUT chains all default to DROP; packets belonging to connections the server already has open (RELATED,ESTABLISHED) and traffic from the loopback address are accepted; new incoming TCP connections are accepted only on ports 22, 80 and 443; ICMP echo request (type 8), timestamp request (type 13) and traceroute (type 30) are accepted; forwarded packets are rejected (IPv4) or dropped by policy (IPv6); and all outgoing connections are allowed.

Note that the ip6tables ruleset reuses the ICMPv4 type numbers. In ICMPv6 the echo request is type 128 (echo reply is 129), so the IPv6 rules as shown do not actually admit IPv6 ping.

These default rules should meet most needs, as they allow incoming SSH/SFTP (22), HTTP (80) and HTTPS (443) traffic while allowing all other outgoing connections. However, opening additional ports in the firewall is fairly easy.

Adding a new rule

First, use iptables-save to dump the current firewall rules to a file (you will need to use sudo or log in as root for the necessary permissions):

sudo iptables-save > iptables-backup.txt

Make a copy of this file (the commands below call it iptables-new.txt), then edit the copy in your favorite editor. Adding a new port is as simple as filling in the blanks:

-A INPUT -p **PROTOCOL** -m **PROTOCOL** --dport **PORT** -j ACCEPT

The above line appends the rule to the INPUT chain, which governs incoming connections. Replace both occurrences of **PROTOCOL** with the same value, tcp or udp, and replace **PORT** with the port you need. The --dport option is only valid for protocols that carry port numbers, so a rule written for all protocols (-p all) cannot specify a port. You can add a port range by separating the lower and upper values as X:Y, such as 80:82.

Here is an example pair of firewall rules that open ports 27000 through 27050 for Team Fortress 2 on both TCP and UDP over IPv4:

-A INPUT -p tcp -m tcp --dport 27000:27050 -j ACCEPT
-A INPUT -p udp -m udp --dport 27000:27050 -j ACCEPT

When you are finished, use iptables-restore to load your new list of rules like so:

sudo iptables-restore < iptables-new.txt

If there are any errors, you will receive a warning when you try to restore from the text file. Otherwise, you should be all set. You will need to repeat this process with ip6tables-save and ip6tables-restore if you wish to enable IPv6 access on those ports as well. (If you accidentally lock yourself out of your instance, you can regain access using the serial console.)

Deleting a rule

The process for removing a rule is the same as adding a rule: make a copy of the current rules with iptables-save and ip6tables-save, remove the unwanted rule, then reload your configuration with iptables-restore and ip6tables-restore.
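The add-and-delete procedure above edits a saved ruleset with a text editor. The following script is an added example, not part of the Spring Server documentation or its default configuration: it makes the same edits to the saved dump programmatically, validating the protocol and port range before anything is written and keeping the live firewall untouched. The function names and the iptables-new.txt convention are assumptions; the insertion logic goes slightly beyond the article by handling dumps that contain more than one table (for example *nat before *filter), placing the rule before the COMMIT of the *filter table only.

```shell
#!/bin/sh
# Added example, not part of the Spring Server documentation: edit a saved
# ruleset (the iptables-save dump the article has you copy) without touching the
# live firewall. Function names and the iptables-new.txt convention are assumed.
# The rule is inserted before the COMMIT of the *filter table, so dumps that also
# contain *nat or *mangle tables are handled correctly.

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept a single port or a LOW:HIGH range with LOW < HIGH.
valid_portspec() {
    case $1 in
        *:*) lo=${1%%:*}; hi=${1#*:}
             valid_port "$lo" && valid_port "$hi" && [ "$lo" -lt "$hi" ] ;;
        *)   valid_port "$1" ;;
    esac
}

# add_port_rule FILE tcp|udp PORT[:PORT]: append an ACCEPT rule to INPUT.
add_port_rule() {
    file=$1 proto=$2 spec=$3
    case $proto in tcp|udp) ;;
        *) echo "protocol must be tcp or udp: --dport needs a port-bearing protocol" >&2; return 2 ;;
    esac
    valid_portspec "$spec" || { echo "bad port or range: $spec" >&2; return 2; }
    rule="-A INPUT -p $proto -m $proto --dport $spec -j ACCEPT"
    grep -qxF -- "$rule" "$file" && return 0      # already present, nothing to do
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        /^\*/                            { in_filter = ($0 == "*filter") }
        /^COMMIT$/ && in_filter && !done { print rule; done = 1 }
        { print }
        END { if (!done) exit 1 }        # no *filter table: refuse to guess
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# remove_port_rule FILE tcp|udp PORT[:PORT]: drop exactly that rule line.
remove_port_rule() {
    file=$1 rule="-A INPUT -p $2 -m $2 --dport $3 -j ACCEPT"
    tmp=$(mktemp) || return 1
    grep -vxF -- "$rule" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# list_open_ports FILE: print "proto port" for every INPUT ACCEPT rule with
# --dport, a quick audit of what the saved ruleset would expose once loaded.
list_open_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $4, $(i + 1)
    }' "$1"
}
```

Source the file into a shell and run, for example, `add_port_rule iptables-new.txt tcp 27000:27050` followed by `add_port_rule iptables-new.txt udp 27000:27050`; `list_open_ports iptables-new.txt` then shows every port the edited ruleset would open, which is worth reading before the file is loaded with iptables-restore. The same functions work on an ip6tables-save dump.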

Restoring the default rules

Simply copy the rulesets listed above, then load them into the appropriate tables with iptables-restore and ip6tables-restore. You can also reload one of the backup copies you made while editing the initial rules (or copies of subsequent changes).

Saving your rules

On boot, your Spring Server loads the firewall rules from the iptables rule files. On Ubuntu and Debian, these are at /etc/iptables.conf and /etc/ip6tables.conf. On CentOS and Fedora, they are at /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. To preserve your modified firewall rules across a reboot, copy your iptables-new.txt to the correct IPv4 or IPv6 config file location; on the next boot these files are loaded by iptables. For example, to do this on Debian for IPv4:

sudo cp iptables-new.txt /etc/iptables.conf
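The article's load-then-save flow, and the lock-out it warns about at the top, can be combined into one guarded procedure. The following script is an added example, not part of the Spring Server documentation: it checks the new file with iptables-restore's parse-only mode, loads it, and arms a timer that reloads the backup dump unless you confirm from a session that still works; only a confirmed ruleset is copied to the boot-time path. The function names, the $STATE path and the ROLLBACK_SECONDS default are assumptions; the file names follow the article.

```shell
#!/bin/sh
# Added example, not part of the Spring Server documentation: load a ruleset
# with iptables-restore as the article describes, but with a safety net for the
# lock-out it warns about. The previous ruleset is re-applied automatically
# unless you confirm (from a session that still works) within ROLLBACK_SECONDS.
# Function names, the $STATE path and the defaults below are assumptions.
# For the IPv6 table run with IPTABLES_RESTORE=ip6tables-restore and a separate STATE.

IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
ROLLBACK_SECONDS=${ROLLBACK_SECONDS:-120}
STATE=${STATE:-/tmp/fw-rollback}          # pid file and log of the rollback timer

# Parse-only check: iptables-restore --test builds the ruleset but commits nothing.
check_ruleset() {
    "$IPTABLES_RESTORE" --test < "$1"
}

# apply_with_rollback NEW BACKUP: load NEW, then arm a timer that restores BACKUP
# (BACKUP is the iptables-save dump taken before editing).
apply_with_rollback() {
    new=$1 backup=$2
    [ -f "$STATE.pid" ] && { echo "a rollback is already pending; confirm it first" >&2; return 1; }
    check_ruleset "$new" || { echo "refusing to load $new: it does not parse" >&2; return 1; }
    "$IPTABLES_RESTORE" < "$new" || return 1
    ( sleep "$ROLLBACK_SECONDS"
      "$IPTABLES_RESTORE" < "$backup"
      rm -f "$STATE.pid" ) > "$STATE.log" 2>&1 &
    echo $! > "$STATE.pid"
    echo "loaded $new; run confirm_ruleset within ${ROLLBACK_SECONDS}s or $backup is reloaded"
}

# confirm_ruleset: open a fresh SSH session first; if that works, cancel the timer.
confirm_ruleset() {
    [ -f "$STATE.pid" ] || { echo "no rollback pending (it may already have fired)" >&2; return 1; }
    kill "$(cat "$STATE.pid")" 2>/dev/null || true   # timer may be finishing right now
    rm -f "$STATE.pid"
}

# persist_ruleset NEW DEST: copy to the boot-time path (e.g. /etc/iptables.conf on
# Debian/Ubuntu) only once no rollback is pending, so a reboot cannot reinstate a
# ruleset that was never confirmed.
persist_ruleset() {
    [ -f "$STATE.pid" ] && { echo "confirm the running ruleset before persisting it" >&2; return 1; }
    check_ruleset "$1" && cp "$1" "$2"
}
```

A typical session as root, using the article's file names: source the script, run `apply_with_rollback iptables-new.txt iptables-backup.txt`, open a second SSH session to prove port 22 still answers, then `confirm_ruleset` and `persist_ruleset iptables-new.txt /etc/iptables.conf`. If the second session cannot connect, do nothing: the backup is reloaded when the timer expires and the serial console is not needed.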