DEV Community

Wycliffe A. Onyango
Wycliffe A. Onyango

Posted on

100 Days of DevOps: Day 13

#linux #devops #bash #security

Firewall Implementation on Nautilus Infrastructure

I have successfully implemented a security enhancement on the Nautilus infrastructure in the Stratos DC. This article outlines the comprehensive steps taken to secure Apache's port, including the reasoning behind each action, and provides a clear guide for future maintenance.

Why the Firewall Was Necessary

Previously, Apache's port 3004 was left open for all incoming connections, which posed a significant security vulnerability. An open port is an entry point, making the system susceptible to various attacks, including unauthorized access attempts, port scanning, and Denial-of-Service (DoS) attacks. The decision to install and configure iptables was made to enforce a strict security policy, ensuring that only trusted traffic from the Load Balancer (LBR) could reach the web servers. This principle of least privilege—where access is granted only when absolutely necessary—is a fundamental component of robust cybersecurity.

Step-by-Step Implementation

The implementation of the firewall was a multi-stage process to ensure the rules were applied correctly and persisted through reboots. Here are the steps that were performed on each application host:

Step 1: Install iptables and its Dependencies

The first step was to install the firewall management utility, iptables. On different Linux distributions, the command varies slightly, but the goal is the same: to get the necessary tools to create and manage firewall rules.

  • For Debian/Ubuntu-based systems:

    sudo apt-get update
sudo apt-get install iptables-persistent

    The iptables-persistent package is crucial because it includes a service that automatically saves and reloads your rules upon system boot, ensuring the firewall remains active even after a reboot.

  • For RHEL/CentOS/Fedora-based systems:

    sudo yum install iptables-services
sudo systemctl enable iptables

    This command installs the iptables service and enables it to start automatically at boot time, managing the persistence of your rules.

Step 2: Add and Arrange Firewall Rules

The order of iptables rules is critical because the firewall processes rules sequentially from top to bottom. The first rule that a packet matches is the one that is applied, and all subsequent rules are ignored for that packet.

The rules were added in the following specific order to ensure correct functionality:

  1. Allow established connections: This is a best practice to ensure ongoing connections (like SSH sessions for administration or responses to outbound requests) are not dropped.

    sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  2. Allow traffic from the LBR host: This is the most crucial rule for the web application. It explicitly allows incoming traffic on port 3004 only from the LBR's IP address. This rule must be placed before any generic drop rules.

    sudo iptables -A INPUT -p tcp -s <LBR-IP> --dport 3004 -j ACCEPT

    (Replace <LBR-IP> with the actual IP address of your Load Balancer.)

  3. Drop all other traffic: This rule acts as a catch-all. It drops any other incoming connections to port 3004 that did not match the previous rule. This is the core of the security measure.

    sudo iptables -A INPUT -p tcp --dport 3004 -j DROP

  4. Add other necessary rules: It's important to also allow traffic for other services like SSH (port 22) to prevent locking out administrative access.

    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

The rules were verified using the command sudo iptables -L INPUT -v -n to confirm their correct order and configuration before proceeding.

Step 3: Make Rules Persistent

The final and most important step was to save the newly configured rules. iptables rules are ephemeral by default, meaning they are stored in memory and would be lost after a reboot.

  • For Debian/Ubuntu-based systems:

    sudo netfilter-persistent save

    This command saves the rules to the /etc/iptables/rules.v4 file, and the installed service ensures they are loaded automatically on system startup.

  • For RHEL/CentOS-based systems:

    sudo service iptables save

    This command saves the rules to the /etc/sysconfig/iptables file.

With these steps completed, the website is now protected, and a significant security concern has been successfully resolved. The web application can continue to serve legitimate traffic from the LBR while remaining secure from unauthorized external connections.

Top comments (0)