Friday, May 13, 2016

Quick firewall setting for Ubuntu/Wordpress

To show the current firewall rules, use
sudo iptables -L
If it's empty, below are the steps to quickly add firewall rules, assuming you want to run a simple WordPress site (allow only loopback, SSH, HTTP and HTTPS, and drop the rest).
sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -j DROP
Then save the rules to a file so they can be reapplied at reboot:
sudo sh -c "iptables-save > /etc/iptables.rules"
Create a script /etc/network/if-pre-up.d/iptablesload with the content below:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
and a script /etc/network/if-post-down.d/iptablessave with the content below:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
       iptables-restore < /etc/iptables.downrules
fi
exit 0
Don't forget to make both scripts executable:
sudo chmod +x /etc/network/if-post-down.d/iptablessave
sudo chmod +x /etc/network/if-pre-up.d/iptablesload
Note: if you want to allow FTP as well, add these iptables rules:
sudo iptables -I INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 20 -j ACCEPT

You also have to change pam_service_name=vsftpd to pam_service_name=ftp near the end of your /etc/vsftpd.conf file.
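The FTP rule above is added with -I rather than -A because a rule appended after the final "-A INPUT -j DROP" can never match. As an added example (not part of the original post), this POSIX shell check runs over a constructed iptables-save dump and flags any INPUT rule that sits below that DROP, then shows the same dump with the order repaired:

```shell
#!/bin/sh
# Added example: flag INPUT rules that sit below the catch-all DROP in an
# iptables-save dump. A rule appended with -A after "-A INPUT -j DROP" can
# never match, which is why the FTP rule in the post is inserted with -I.

# Constructed sample dump: the WordPress rule set with one FTP rule that
# was appended (with -A) after the DROP, so it is unreachable.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# Print INPUT rules that appear after the unconditional DROP (dump on stdin).
unreachable_input_rules() {
    awk '
        /^-A INPUT -j DROP$/ { dropped = 1; next }
        dropped && /^-A INPUT / { print }
    '
}

# Return 0 when no INPUT rule is shadowed by the DROP, 1 otherwise.
check_rule_order() {
    [ -z "$(printf '%s\n' "$1" | unreachable_input_rules)" ]
}

# Repaired dump: move the DROP back to the end of INPUT, which is the
# order "iptables -I INPUT ..." produces on a live system.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | awk '
    /^-A INPUT -j DROP$/ { drop = $0; next }
    /^COMMIT$/ { print drop }
    { print }
')

if check_rule_order "$SAMPLE_RULES"; then
    echo "sample: rule order OK"
else
    echo "sample: unreachable INPUT rules:"
    printf '%s\n' "$SAMPLE_RULES" | unreachable_input_rules
fi
check_rule_order "$FIXED_RULES" && echo "fixed: rule order OK"
```

On a live box, feed the check the real dump with sudo iptables-save instead of the constructed sample.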