Simple iptables Rules for Ubuntu/ Debian VPS


The following iptables rules are are a starting point to add basic firewall security to a public facing server, such as a public VPS. The primary focus is to stop any inbound traffic other than SSH, which is required for shell access.


The biggest issue with public VPS providers is that often some iptables features are disabled – many OpenVZ container providers don’t allow state checking in iptables, for example. If you’ve got one of these VPSs you’ll likely see the following error:

iptables: No chain/target/match by that name.

These rules are engineered so that they will work with most VPSs where iptables is installed.

The following rules will block all incoming connections except SSH, including PING requests. Outgoing is open for HTTP and HTTPS TCP requests and DNS UDP requests.

See the links at the bottom of the page for a more in depth look at iptables rules.

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Inbound SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Outbound HTTP/S. Without state matching, replies are let back in by source
# port, so any inbound TCP packet with source port 80 or 443 is accepted.
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

# Outbound DNS (same source-port matching for the UDP replies)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

# Default policies, set last so an interrupted paste cannot lock out SSH.
# OUTPUT is ACCEPT, so all outbound traffic is allowed and the OUTPUT rules
# above are redundant with this policy.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

If you’re using Ubuntu, you can easily make the rules persist by installing iptables-persistent and saving the running ruleset to the file it restores at boot:

apt-get install iptables-persistent
# save the running IPv4 rules where iptables-persistent loads them from at boot
iptables-save > /etc/iptables/rules.v4
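The stateless --sport rules above are the fallback for hosts where state matching is unavailable; where the conntrack match does load, it is the better choice. The following script is an added example, not from the original post: it probes the kernel for the conntrack match with a throwaway chain and generates either ruleset accordingly (the chain name fwprobe and the apply argument are my own).

```shell
#!/bin/sh
# Added example, not part of the original post: load the post's ruleset, but
# probe for connection tracking first. Where the conntrack match loads, replies
# are admitted by connection state; otherwise fall back to the post's stateless
# --sport rules, which accept any inbound packet whose source port is 80, 443
# or 53 whether or not this host started the conversation.

# Returns 0 when a conntrack rule can be inserted (fails on OpenVZ hosts that
# disable state matching, and when not root). Uses a throwaway chain, fwprobe,
# so no live chain is touched.
has_conntrack() {
    iptables -N fwprobe 2>/dev/null || return 1
    iptables -A fwprobe -m conntrack --ctstate ESTABLISHED -j ACCEPT 2>/dev/null
    rc=$?
    iptables -F fwprobe 2>/dev/null
    iptables -X fwprobe 2>/dev/null
    return $rc
}

# Prints the commands for MODE (stateful|stateless), one per line. Policies
# come last so an interrupted run cannot lock out SSH; OUTPUT stays ACCEPT as in
# the post, which makes explicit OUTPUT rules unnecessary.
gen_rules() {
    echo 'iptables -F'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT'
    if [ "$1" = stateful ]; then
        echo 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
        echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    else
        echo 'iptables -A INPUT -p tcp --sport 80 -j ACCEPT'
        echo 'iptables -A INPUT -p tcp --sport 443 -j ACCEPT'
        echo 'iptables -A INPUT -p udp --sport 53 -j ACCEPT'
    fi
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'
}

# Only touch the firewall when invoked as "apply"; otherwise print the stateless set for review.
if [ "$1" = apply ]; then
    mode=stateless
    has_conntrack && mode=stateful
    echo "Applying $mode rules"
    gen_rules "$mode" | sh -e
else
    gen_rules stateless
fi
```

Run it as root with apply to load the rules; without arguments it only prints the stateless set so it can be reviewed first.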



Install DataStax Cassandra 3 on Debian/ Ubuntu


The following process installs the DataStax distribution of Cassandra on any Debian-based system, such as Debian or Ubuntu. We’ll use the official DataStax apt repositories to install Cassandra using apt-get.

Cassandra is written in Java and the latest version (at the time of writing) of Cassandra requires Java 8. You can use either OpenJDK or visit my Oracle Java post on installing the Oracle distribution of Java 8.

Once you have Java 8 installed and confirmed, you can continue to install Cassandra. Use java -version on the command line to check your Java version.

java -version
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)

Install DataStax Cassandra 3.4

Note: You can use the simple Bash script to install Java 8 and a single instance of Cassandra found here.

The first step to installing Cassandra with apt is to add the DataStax Cassandra repository and repository key to your local apt list. Run the following command to add the required repository and update your local apt cache. Change the version 3.4 on the first line to match the version you’d like to install.

echo "deb http://debian.datastax.com/datastax-ddc 3.4 main" | tee -a /etc/apt/sources.list.d/cassandra.sources.list
curl -L https://debian.datastax.com/debian/repo_key | apt-key add -
apt-get update

Once the apt cache is updated, run the install command to begin the Cassandra install.

apt-get install datastax-ddc

Debian packaging policy starts services as soon as the install has completed, so your Cassandra instance will already be running as a single stand-alone node.

You can run the nodetool to check the install has completed and that the Cassandra instance is available.

nodetool status

Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address     Load       Tokens       Owns (effective)  Host ID                               Rack
UN  10.10.10.10 1.29 MB    256          100.0%            c25d396e-fa09-4bf6-837d-676d57cd7987  rack1

The next step is to configure your Cassandra instance by editing the yaml config file /etc/cassandra/cassandra.yaml but that’s a blog post for another day.


DataStax Cassandra 3.2 Bash Install Script


The below script installs the DataStax distribution of Cassandra 3.2.x and the latest Oracle Java 8 on Debian. Copy and paste the script into a file called install_cassandra.sh and execute it as root.

Change the version 3.2 on line 12 to match the version you’d like to install.

#!/bin/bash
set -e

apt-get update
apt-get install -y wget curl

echo "Installing repos"
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
# DataStax Cassandra repository; change 3.2 on the next line to the version you want
echo "deb http://debian.datastax.com/datastax-ddc 3.2 main" | tee -a /etc/apt/sources.list.d/cassandra.sources.list
curl -L https://debian.datastax.com/debian/repo_key | apt-key add -


echo "Installing binaries"
apt-get update
# pre-accept the Oracle licence for the Java 8 installer package so apt-get runs non-interactively
echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections
apt-get install -y oracle-java8-installer datastax-ddc

echo "Complete"

Then, to connect to the local Cassandra instance, run the cqlsh tool.

cqlsh

Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.2.1 | CQL spec 3.4.0 | Native protocol v4]
Use HELP for help.
cqlsh>



MongoDB 3.2 Bash Install Script


The below script installs MongoDB 3.2.x on Debian. Copy and paste the script into a file called install_mongo.sh and execute it as root.

#!/bin/bash
set -e

echo "Installing repo"
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927

echo "deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.2 main" > /etc/apt/sources.list.d/mongodb-org-3.2.list


echo "Installing binaries"
apt-get update
apt-get install -y mongodb-org
service mongod stop


echo "Setting up default settings"
# fresh install: wipe any data files the package's first start created
rm -rf /var/lib/mongodb/*
cat > /etc/mongod.conf <<'EOF'
storage:
  dbPath: /var/lib/mongodb
  directoryPerDB: true
  journal:
    enabled: true
  engine: "wiredTiger"

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

net:
  port: 27017
  # 0.0.0.0 listens on every interface; restrict this (or firewall port 27017)
  # if the server has a public address
  bindIp: 0.0.0.0
  maxIncomingConnections: 100

replication:
  oplogSizeMB: 128
  replSetName: "rs1"

security:
  authorization: enabled

EOF

service mongod start
sleep 5

# initiate the single-member replica set and give it time to elect a primary
mongo admin <<'EOF'
use admin
rs.initiate()
exit
EOF

sleep 5

echo "Adding admin user"
# the first user is created through the localhost exception; change the
# password before the instance is reachable from anywhere but localhost
mongo admin <<'EOF'
use admin
var user = {
  "user" : "admin",
  "pwd" : "admin",
  roles : [
      {
          "role" : "userAdminAnyDatabase",
          "db" : "admin"
      }
  ]
}
db.createUser(user);
exit
EOF

echo "Complete"

Then connect to the local MongoDB instance:

mongo admin -u admin -p admin

MongoDB shell version: 3.2.7
connecting to: admin
rs1:PRIMARY>
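The script above leaves mongod listening on 0.0.0.0 with the admin password set to admin. The following is an added example, not from the original post, that renders the same mongod.conf and admin user with those two settings tightened: it assumes mongodb-org has been installed by the script above but the admin user has not yet been created, and the /root/.mongo_admin path and function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): the post's mongod.conf and admin user with the
# weak settings tightened: bindIp is caller-supplied (127.0.0.1 by default) instead of
# 0.0.0.0, and admin/admin becomes a random password kept in a root-only file.
gen_password() {            # 32 hex chars from the kernel CSPRNG
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}
# The post's mongod.conf with bindIp set to $1 instead of 0.0.0.0.
render_mongod_conf() {
    cat <<EOF
storage:
  dbPath: /var/lib/mongodb
  directoryPerDB: true
  journal:
    enabled: true
  engine: "wiredTiger"
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  bindIp: ${1:-127.0.0.1}
  maxIncomingConnections: 100
replication:
  oplogSizeMB: 128
  replSetName: "rs1"
security:
  authorization: enabled
EOF
}
# mongo shell script: initiate rs1 on the bound address ($2), wait for PRIMARY,
# then create the same admin user as the post with password $1.
render_admin_js() {
    cat <<EOF
rs.initiate({_id: "rs1", members: [{_id: 0, host: "${2:-127.0.0.1}:27017"}]});
while (!db.isMaster().ismaster) sleep(500);
db.getSiblingDB("admin").createUser({user: "admin", pwd: "$1",
  roles: [{role: "userAdminAnyDatabase", db: "admin"}]});
EOF
}
# Only change the system when run as "apply"; the password lands in
# /root/.mongo_admin (mode 0600) rather than in the script or shell history.
if [ "$1" = apply ]; then
    pw=$(gen_password)
    (umask 077; printf '%s\n' "$pw" > /root/.mongo_admin)
    render_mongod_conf 127.0.0.1 > /etc/mongod.conf
    service mongod restart && sleep 5
    render_admin_js "$pw" 127.0.0.1 | mongo admin
fi
```

Afterwards connect with mongo admin -u admin -p "$(cat /root/.mongo_admin)"; pass a LAN address instead of 127.0.0.1 only if other replica members need to reach this node.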



Start Ubuntu Without Starting The Gnome Desktop (text mode)


If you’ve installed a desktop, such as Gnome, on Linux you may not need it all the time. Some of the time taken to boot your machine when you first turn it on is used by loading the GUI and everything that comes with it. In addition, once it’s loaded it will consume resources such as RAM.

Once you install a desktop such as Gnome, especially on Ubuntu/ Debian, the default is to boot your computer into the GUI.

You could set the desktop not to load by default so that you’re presented with a terminal login screen on boot.

You can then load the desktop, such as Gnome, if you need to or just use the terminal if you don’t.

To disable the Desktop on boot you’ll need to edit the grub config file and edit the GRUB_CMDLINE_LINUX_DEFAULT parameter.

vi /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT will likely be "quiet splash" and you’ll need to change that to "quiet splash text".

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash text"

Save and close the file.

The last step is to run the update-grub command to update the grub bootloader config.

update-grub

Your computer will now always boot in text mode, that is, without a desktop.

Start the Desktop

If you ever want to start the desktop, log in to the terminal session with your user name and password and run the following:

gnome-session



How To Fix A Full /boot Partition on Linux


Utilities such as apt-get generally install kernel updates by adding the new kernel to the Linux boot list and setting it as the default. This means that the next time the system boots, the new kernel will be loaded. The problem is that the old kernel is still there (just in case the new one doesn’t work, you’ve got a fallback!), and the kernel before that, and the kernel before that…

The current 3.x kernel for Ubuntu is around 20 MB, so it doesn’t take long for kernel updates to fill the tiny 200 MB or so /boot partition where they are stored.

The good news is that it’s easy to clear out the old updates, but it’s important to not remove the latest one that you’re using.

Which Kernel am I Running?

It’s quick and easy to see which kernel version you are running. Use the uname command with the -a switch and pay attention to the version numbers reported.

uname -a
3.19.0-47-generic

This shows that you’re using version 3.19.0-47.

List Currently Installed Kernels

Next you’ll need to list the kernel packages that are currently installed so that you can remove any outdated ones to free up the space on the /boot partition.

Run the below dpkg command to list the installed kernel packages and their versions.

dpkg --list 'linux-image*'

The output (a screenshot in the original post) shows several versions of the kernel that are all taking up space on the /boot partition, however we only really need the current running version given by the uname -a command above. It’s a good idea to keep the last 2 kernels just in case you notice an issue down the line, but the above list is quite excessive.

Remove Unused Kernel Packages to Free Space on /boot

Once you’ve identified your current kernel and the kernel packages you have installed it’s time to remove the ones you don’t need.

Using apt-get, enter the package names of the kernel packages to remove.

apt-get remove linux-image-3.19.0-25-generic

If you get an error running this command then see the next section.

Note: the screenshot of the installed packages in the original post cropped the full version name – it’s missing the generic part. You can use tab completion with the apt-get command, or use an asterisk after the version number to remove the required package.
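Picking the versions by hand is where mistakes happen, so here is an added example (not from the original post) that computes the removable packages: it keeps the running kernel reported by uname -r plus the newest two versions, as recommended above, and prints the rest for apt-get remove. The function names are mine, and the package list read from stdin can come from dpkg or from a constructed list.

```shell
#!/bin/sh
# Added example, not part of the original post: compute which kernel packages
# are safe to remove. The running kernel (uname -r) is never listed, nor are
# the newest KEEP versions, following the post's "keep the last 2 kernels".
# Assumes sort -V (GNU coreutils, as on Debian and Ubuntu).

# Installed linux-image* packages, one per line: the scriptable form of the
# post's dpkg --list 'linux-image*'.
installed_kernels() {
    dpkg-query -W -f '${Package} ${Status}\n' 'linux-image*' 2>/dev/null \
        | awk '$NF == "installed" { print $1 }'
}

# Usage: purge_candidates RUNNING [KEEP] < package-list
# Prints the linux-image and linux-image-extra packages whose version is older
# than the newest KEEP versions and is not RUNNING.
purge_candidates() {
    running=$1
    keep=${2:-2}
    pkgs=$(cat)
    # version strings shared by linux-image-X and linux-image-extra-X, oldest first
    versions=$(printf '%s\n' "$pkgs" \
        | sed -n 's/^linux-image-\(extra-\)*\([0-9].*\)$/\2/p' | sort -V | uniq)
    # drop the newest KEEP versions, then the running one
    old=$(printf '%s\n' "$versions" \
        | awk -v k="$keep" '{ v[NR] = $0 } END { for (i = 1; i <= NR - k; i++) print v[i] }' \
        | grep -vx -e "$running" || true)
    for v in $old; do
        printf '%s\n' "$pkgs" | grep -F -e "-$v" || true
    done
    return 0
}

# "show" lists what would be removed; nothing is removed by this script itself.
if [ "$1" = show ]; then
    installed_kernels | purge_candidates "$(uname -r)" 2
fi
```

Review the list with show first; apt-get remove $(installed_kernels | purge_candidates "$(uname -r)" 2) then removes exactly those packages.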

Errors Removing Packages

If you get an error warning about dependencies similar to the below then you may need to manually remove a few kernel packages to free up some space.

[root@server:~] $apt-get remove linux-image-extra-3.19.0-25-generic
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt-get -f install' to correct these:
The following packages have unmet dependencies.
 linux-image-generic-lts-vivid : Depends: linux-image-3.19.0-49-generic but it is not going to be installed
                                 Depends: linux-image-extra-3.19.0-49-generic but it is not going to be installed
                                 Recommends: thermald but it is not going to be installed
E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).

The problem here is that the original update failed to install the latest version of the kernel (version 3.19.0-49-generic in this case) and apt-get doesn’t like doing anything else until that problem has been resolved.

First we need to free up some space. Carefully delete 2 of the older kernel packages with a command similar to the below, but with old version numbers from your system returned by the above section List Currently Installed Kernels.

rm /boot/*-3.19.0-25*
rm /boot/*-3.19.0-33*

Check and double-check this command because there’s no going back once it has run! It’s perfectly safe to do as long as you use old version numbers that you’re no longer using.

You can now run apt-get to complete the original upgrade now that it has the space. This will remove the error when trying to remove the unused kernel packages in the above section.

apt-get install -f

Now go back to the above section and remove the old kernel packages that you no longer need.

