Iptables Debian 11 Bullseye configuration

Install iptables on Debian 11 (Bullseye) and set up a basic initial rule set.

iptables has been replaced by nftables as the default framework starting with Debian 10 (Buster), and Debian 11 ships with nftables. So, to install iptables, first we need to uninstall nftables and its dependencies.

Uninstall nftables and its dependencies:

#apt-get remove --auto-remove nftables
#apt-get purge nftables

Install iptables on Debian 11:

#apt-get update -y
#apt-get install iptables -y

Configure iptables rules for a website

The faster way is to paste this on the console:

/sbin/iptables -F && \
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && \
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && \
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && \
/sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && \
/sbin/iptables -A INPUT -i lo -j ACCEPT && \
/sbin/iptables -A OUTPUT -o lo -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && \
/sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && \
/sbin/iptables -P OUTPUT ACCEPT && \
/sbin/iptables -P INPUT DROP

Alternative script that only opens ports 80, 443, 25, 465 and 587 (plus 22 for SSH):

/sbin/iptables -F && \
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && \
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && \
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && \
/sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && \
/sbin/iptables -A INPUT -i lo -j ACCEPT && \
/sbin/iptables -A OUTPUT -o lo -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT && \
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && \
/sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && \
/sbin/iptables -P OUTPUT ACCEPT && \
/sbin/iptables -P INPUT DROP

Debian 11 iptables persistence: to make your iptables rules persistent, install the iptables-persistent package:

#apt-get install iptables-persistent

Debian 11 iptables save: to store the current rules so they are loaded again at boot, use iptables-save:

#iptables-save > /etc/iptables/rules.v4
#ip6tables-save > /etc/iptables/rules.v6

Debian 11 restore: to restore the iptables configuration from the saved file and list the result:

#iptables-restore < /etc/iptables/rules.v4
#/usr/sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
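The two pasted scripts above and the save/restore step both end up with the same shape of rule set, so as an added example (this is not code from the page) here is a small POSIX sh script that renders that rule set directly in iptables-save format for any list of TCP ports, validates the port list, and warns when port 22 is missing (with INPUT policy DROP, loading such a set over SSH drops your own session). The function names build_rules, valid_ports, has_ssh and write_rules and the output file name are this example's own choices; the rule order matches the iptables -L listing above.

```shell
#!/bin/sh
# Added example, not from the original page: render the page's firewall rule
# set as an iptables-save style file for a given list of TCP ports so it can
# be reviewed (and syntax-checked with "iptables-restore --test") before it is
# committed. Function names and the output file name are this example's own.

# Emit an iptables-save formatted filter table that accepts the given TCP ports.
# Usage: build_rules 80 443 22
build_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default policy: drop what no rule accepts
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Same order as the listing on the page: established traffic first, then
    # ICMP echo, the three malformed-flag drops, loopback, then the services.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'
    echo '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    echo '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Validate the port list: every argument must be an integer in 1..65535.
# Returns 0 when valid, 1 otherwise.
valid_ports() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
    return 0
}

# Return 0 when the SSH port (22) is in the list, 1 otherwise.
has_ssh() {
    for port in "$@"; do
        [ "$port" -eq 22 ] && return 0
    done
    return 1
}

# Write the rule set for the given ports to the file named by $1.
# Returns 1 on an invalid port list; warns on stderr when 22 is missing.
write_rules() {
    out="$1"; shift
    valid_ports "$@" || { echo "invalid port list: $*" >&2; return 1; }
    has_ssh "$@" || echo "warning: port 22 not in list; do not load this over SSH" >&2
    build_rules "$@" > "$out"
    return 0
}

# Stand-alone use (as root): sh build-rules.sh /etc/iptables/rules.v4 80 443 22
# Then check and load it:  iptables-restore --test /etc/iptables/rules.v4 \
#                          && iptables-restore /etc/iptables/rules.v4
if [ "$#" -ge 2 ]; then
    write_rules "$@"
fi
```

Writing the file first and loading it with iptables-restore (or with iptables-apply, which reverts to the previous rule set unless you confirm within its timeout) avoids the window that the pasted one-liner has between `iptables -F` and the ESTABLISHED,RELATED rule, and gives you a file that is already in the format iptables-persistent expects under /etc/iptables/rules.v4.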

Apache Virtual Hosts on Debian 10

Configure a virtual host for mydomainname.com:
#cd /var/www
#mkdir -p /var/www/mydomainname.com
#chmod -R 755 /var/www/mydomainname.com
#chown -R www-data:www-data /var/www/mydomainname.com
#mkdir -p /var/log/apache2/mydomainname.com
#cd /etc/apache2/sites-available/
#cp 000-default.conf mydomainname.com.conf
#vim mydomainname.com.conf

Insert the configuration below:

<VirtualHost *:80>

ServerAdmin webmaster@localhost
ServerName mydomainname.com
ServerAlias www.mydomainname.com mydomainname.com

DocumentRoot /var/www/mydomainname.com
<Directory /var/www/mydomainname.com>
    # "Indexes" makes Apache list a directory's contents when it has no index
    # file; remove it unless you want directory listings exposed.
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    # Apache 2.4 access control. "Order allow,deny" / "allow from all" is the
    # 2.2 syntax and only works on 2.4 through mod_access_compat.
    Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/mydomainname.com/error.log
CustomLog ${APACHE_LOG_DIR}/mydomainname.com/access.log combined

</VirtualHost>

Activate the site:

#a2ensite mydomainname.com.conf
Enabling site mydomainname.com.
To activate the new configuration, you need to run:
  systemctl reload apache2
# systemctl reload apache2

Check:

#ls -la /etc/apache2/sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 May 31 18:35 .
drwxr-xr-x 9 root root 4096 Apr 10 15:07 ..
lrwxrwxrwx 1 root root   35 Apr 10 13:23 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   54 May 31 18:30 mydomainname.com.conf -> /etc/apache2/sites-available/mydomainname.com.conf

To add virtual hosts for other domains, repeat the steps above.
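Since the steps above are repeated for every domain, here is an added example (not code from the page) that performs them from one POSIX sh script: it checks the domain name before using it in paths, creates the document root and the per-domain log directory, and writes the site file. It deviates from the page's config in three deliberate places: it uses the Apache 2.4 form `Require all granted`, it leaves out `Indexes` so no directory listings are served, and it does not hand ownership of the document root to www-data (the web server only needs read access; 755 on a root-owned directory gives it that). The WWW_ROOT, APACHE_DIR and LOG_ROOT variables and the function names are this example's own, and exist so the script can also be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page: create an Apache virtual host for
# one domain with the same layout as the page (docroot under /var/www, log
# directory under /var/log/apache2, site file in sites-available).
# The root directories can be overridden through the environment; the
# variable and function names are this example's own choices.

WWW_ROOT="${WWW_ROOT:-/var/www}"
APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
LOG_ROOT="${LOG_ROOT:-/var/log/apache2}"

# Accept only a plain lowercase DNS-style name: labels of [a-z0-9-] joined by
# single dots, no leading/trailing dot. Anything else (slashes, "..", spaces,
# uppercase) is rejected because the name becomes part of filesystem paths.
valid_domain() {
    case "$1" in
        ''|.*|*.|*..*|*/*|*[!a-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Print the VirtualHost block for the given domain.
render_vhost() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName $domain
    ServerAlias www.$domain

    DocumentRoot $WWW_ROOT/$domain
    <Directory $WWW_ROOT/$domain>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/$domain/error.log
    CustomLog \${APACHE_LOG_DIR}/$domain/access.log combined
</VirtualHost>
EOF
}

# Create the directories and the site file. Returns 1 on a bad domain name or
# when the site file already exists (never silently overwrite a live vhost).
make_vhost() {
    domain="$1"
    valid_domain "$domain" || { echo "refusing domain name: '$domain'" >&2; return 1; }
    conf="$APACHE_DIR/sites-available/$domain.conf"
    if [ -e "$conf" ]; then
        echo "$conf already exists, not overwriting" >&2
        return 1
    fi
    mkdir -p "$WWW_ROOT/$domain" "$LOG_ROOT/$domain" "$APACHE_DIR/sites-available"
    chmod 755 "$WWW_ROOT/$domain"       # readable by www-data, writable only by root
    render_vhost "$domain" > "$conf"
    return 0
}

# Stand-alone use on a server (as root):  sh make-vhost.sh mydomainname.com
# then:  apache2ctl configtest && a2ensite mydomainname.com.conf && systemctl reload apache2
if [ "$#" -eq 1 ]; then
    make_vhost "$1"
fi
```

Running `apache2ctl configtest` before `a2ensite` and the reload is the check worth keeping in the habit: a syntax error in a new site file otherwise takes every site on the server down at reload time.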