VPS Setup Part 1 - Update Ubuntu and Configure iptables
Since the whole VPS (Virtual Private Server) thing is going so well for me, I thought I would let my readers know about some of the steps I took to set it up. In this episode I will be talking about updating the initially installed image and configuring the Linux firewall using iptables.
Just as a side note, the VPS that I have is running Ubuntu 8.04 (Hardy Heron), so if you are using a different OS you may have to do things a bit differently.
Update The Server
For those of you from the Windows world, this may seem to be shockingly easy. First, you need to edit the file which tells the system where to get all of the updates. I like to enable all of the sources, including universe and source code. To do this, you need to edit /etc/apt/sources.list:
sudo nano /etc/apt/sources.list
Remove the # characters in front of all the sources. When I was done, my sources.list file looked like this:
deb http://archive.ubuntu.com/ubuntu/ hardy main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ hardy main restricted universe
deb http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted universe
deb http://security.ubuntu.com/ubuntu hardy-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted universe
Now, update Ubuntu by entering these three commands one after another:
sudo aptitude -y update
sudo aptitude -y safe-upgrade
sudo aptitude -y full-upgrade
That’s all there is to it!
Configure iptables
In my opinion, this is the most important thing that you can do because it restricts access to your VPS. The configuration presented here is just the basic set you should start with; you may want to tighten it down a bit afterward.
Backup
The first thing that you need to do is back up your present iptables rules. Note that the redirect has to run as root as well, so the whole command goes inside sh -c:
sudo sh -c 'iptables-save > /etc/iptables.up.rules'
Create Filter
Next, you are going to want to create your filter. This is a set of rules that tells the firewall what you want to do with data packets that hit your network card.
First, allow all traffic on the loopback interface (lo) and reject all traffic addressed to 127.0.0.0/8 that does not arrive on lo. This lets the network services running on your VPS talk to each other while blocking packets from outside that pretend to be loopback traffic:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
Next, accept all established and related inbound connections. This means that anything already connected to your server stays connected even while you change the rules, which helps prevent you from locking yourself out of your virtual server if you accidentally block the wrong port:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You want your VPS to be able to talk to anything on the Internet, so you need to enable that access:
sudo iptables -A OUTPUT -j ACCEPT
Since we are building a web server, we need to allow HTTP (port 80) and HTTPS (port 443) connections from anywhere on the Internet:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Linux servers are managed primarily via SSH, so we need to make sure that we have an SSH port open. I decided to use a non-standard port (port 999) rather than the standard port 22:
sudo iptables -A INPUT -p tcp -m state --state NEW --dport 999 -j ACCEPT
The next line will allow you (and others) to ping your server. There is some debate as to whether or not you should allow pings but, in the end, it is really up to you:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
We will need to know if anyone out there is trying to tamper with our server, so we log the packets that reach the end of the chain (everything not accepted above), rate-limited to 5 entries per minute so the log cannot be flooded:
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Since we have opened all of the ports that we want access to, we drop all other inbound and forwarded traffic that is not explicitly allowed above:
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
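To make use of the LOG rule above, here is an added example (not from the original post) that summarises the denied-packet lines by source address, protocol and destination port, and flags sources that hit many distinct ports. The log lines in it are constructed samples in the format the kernel LOG target writes, using documentation addresses; summarize_denied and scanners are names I chose.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the "iptables denied: "
# lines written by the LOG rule above. The sample log below is constructed
# (documentation addresses only); on a real host feed in /var/log/kern.log.
SAMPLE_LOG='Jul 18 02:05:11 vps kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN URGP=0
Jul 18 02:05:12 vps kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=5840 SYN URGP=0
Jul 18 02:05:30 vps kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=5840 SYN URGP=0
Jul 18 02:06:40 vps kernel: iptables denied: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 SYN URGP=0
Jul 18 02:07:01 vps kernel: iptables denied: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=44 TTL=48 ID=0 PROTO=UDP SPT=40001 DPT=161 LEN=24
Jul 18 02:07:05 vps sshd[1234]: Accepted publickey for tim from 198.51.100.9 port 5000 ssh2'

# Reads log lines on stdin; prints "count SRC PROTO DPT", busiest first.
# The LOG target writes KEY=VALUE pairs, so each field is split on "=".
summarize_denied() {
  grep 'iptables denied: ' | awk '
    { src = proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt   = kv[2]
      }
      count[src " " proto " " dpt]++ }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# Sources denied on more than $1 distinct destination ports: likely port scans.
scanners() {
  grep 'iptables denied: ' | awk -v n="$1" '
    { src = dpt = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        if (kv[1] == "DPT") dpt = kv[2]
      }
      if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ } }
    END { for (s in ports) if (ports[s] > n) print s, ports[s] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denied
printf '%s\n' "$SAMPLE_LOG" | scanners 1
```

Note that --log-level 7 is the debug priority, so confirm that your syslog configuration records kern.debug messages (Hardy's default sends kern.* to /var/log/kern.log) before relying on these entries.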
Save Rules
Now that we have created our filter rules, we need to save them (again running the redirect as root):
sudo sh -c 'iptables-save > /etc/iptables.up.rules'
When you are finished, your /etc/iptables.up.rules file should look something like this:
# Generated by iptables-save v1.3.8 on Fri Jul 18 02:03:12 2008
*filter
:INPUT ACCEPT [15:1712]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:9376]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 999 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jul 18 02:03:12 2008
Configure Network to Load Rules Automatically
We need to make sure that these rules reload automatically whenever we reboot the server. Do this by editing the network interface configuration to load the rules:
sudo nano /etc/network/interfaces
Add the following line directly after iface lo inet loopback and then save the file:
pre-up iptables-restore < /etc/iptables.up.rules
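Putting the rules above into a script, as an added example that is not part of the original post: it renders the same ruleset in iptables-restore format (the format of the saved file shown above) with the SSH port as a parameter, checks that the SSH rule precedes the final DROP, and applies it with a rollback timer, which is the usual guard against locking yourself out. It assumes iptables 1.4 or later, where the negation is written "! -i lo" and iptables-restore has a --test flag; SSH_PORT, RULES_FILE and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original post: render the ruleset above in
# iptables-restore format, sanity-check its ordering, and apply it with a
# rollback timer so a typo cannot lock you out of SSH. Assumes iptables >= 1.4
# ("! -i lo" negation, "iptables-restore --test"). SSH_PORT/RULES_FILE are assumed.
SSH_PORT="${SSH_PORT:-999}"
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
# Print the ruleset for SSH port $1. Order matters: loopback, established
# traffic, the allowed ports, the rate-limited LOG, then the final DROP.
render_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport $1 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
EOF
}
# Check the text alone: the SSH ACCEPT ($2 = port) must precede the final
# INPUT DROP, otherwise it is dead and new SSH sessions are silently dropped.
check_order() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $0 ~ ("--dport " port " -j ACCEPT") { ssh = NR }
    /^-A INPUT -j DROP/                 { drop = NR }
    END { exit !(ssh && drop && ssh < drop) }'
}
# Save the live rules, apply the new set atomically, and revert unless the
# operator confirms within 60 seconds (needs root; not run by the checks).
apply_with_rollback() {
  local rules; rules="$(render_rules "$SSH_PORT")"
  check_order "$rules" "$SSH_PORT" || { echo "bad rule order" >&2; return 1; }
  printf '%s\n' "$rules" | iptables-restore --test || return 1
  iptables-save > "$RULES_FILE.bak"
  printf '%s\n' "$rules" | iptables-restore
  echo "New rules live. Press Enter within 60s to keep them, otherwise they roll back."
  read -r -t 60 _ || { iptables-restore < "$RULES_FILE.bak"; echo "rolled back" >&2; return 1; }
  printf '%s\n' "$rules" > "$RULES_FILE"
}
```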
Conclusion
With this short tutorial, we have upgraded and secured our VPS. In part 2, we are going to look at installing and configuring SSH so that we can remotely connect to and manage the VPS, plus we are going to add some security to our SSH sessions by changing the SSH port to 999 and setting up and using public and private keys with PuTTY in Windows.
7 Responses to “VPS Setup Part 1 - Update Ubuntu and Configure iptables”
Grinch Says:
July 28th, 2008 at 6:25 am
Nice tutorial. Your hosting decision has really gotten me thinking. Your site loads so much faster than it used to. Unfortunately I am not knowledgeable in the ways of Linux. It seems your tutorial is written for people who know a bit about Linux. Any chance you can make a dumbed down version for people like me?
Tim Fehlman Says:
July 28th, 2008 at 7:04 am
@Grinch,
I have been considering turning some of the tutorials that I have written into inexpensive ebooks. I would be very interested in any feedback that you could provide me with that would make it easier for you to understand this and other tutorials. This goes for all my readers and all my tutorials.
Grinch, could you give me some details about what specifically you needed more details and information on? Thanks.
Tim
Curtis LaMasters Says:
July 28th, 2008 at 7:56 am
@Grinch - If iptables is too confusing (and it is at times, even for more advanced users), you can try UFW (Uncomplicated Firewall), which is part of Ubuntu’s default install. Simple commands like “ufw enable”, “ufw status”, “ufw allow 80/tcp”, etc. are as hard as it gets. Though iptables is more powerful, for the large majority of the VPSs out there, ufw may be enough.
Curtis
Tim Fehlman Says:
July 28th, 2008 at 8:36 pm
Great response, Curtis!
Tim
Grinch Says:
July 29th, 2008 at 6:41 am
@Tim
What I really need to do is get around to installing a version of Linux and learning it. When it comes to Windows I know my stuff, hell, it is what I do for a living, but Linux has been one of those things I just keep avoiding.
But when you talk about updating Ubuntu you only mention editing the source list, you don’t mention how you actually update it.
I could probably follow your instructions and get everything accomplished but I wouldn’t quite understand what I did.
@Curtis
Thanks for the extra information. Like I said I just need to involve myself with Linux. I have enough hardware at work to do it so it isn’t like I can’t, I am just lazy. Semper Fi (MOS 2171, left active duty Feb 12, 2008).
Tim Fehlman Says:
July 29th, 2008 at 6:53 am
@Grinch
I can’t believe that I forgot to put in the actual step to perform the upgrade! Thanks for pointing it out to me! I have updated the post!
In short, all you need to do is enter these three commands:
sudo aptitude -y update
sudo aptitude -y safe-upgrade
sudo aptitude -y full-upgrade
chanio Says:
July 29th, 2008 at 11:33 pm
To use a firewall you should understand what you need it for. I could not find a simpler way of using it…
About your future book:
when I first started using Linux, I noticed that what Windows was doing was very similar but it never let us notice that it was doing so…
It would be nice if, as a guideline to introducing Linux, you could ‘expand’ several jobs that a simple Windows system does into how a normal Linux box manages to do the same. That would simplify a lot, at least for the illiterate user (someone who has never studied all this at school but is experienced in using computers).
That could, as well, show the power of doing things from scratch compared to the standard and ‘behind the scenes’ Windows way… In my experience, even good Linux books become heavy to understand because there is no clear mapping of where every chapter fits into the normal use of the whole. You have to read a lot to start catching the complete scenery where everything is taking place. Perhaps you have to re-read the previous chapters after understanding how it all integrates…
Thank you for your enlightening article, and all of your interesting ideas.
alberto
