IPtables Installation And Configuration success KodeKloud Engineer Task


 Question :  We have one of our websites up and running on our Nautilus infrastructure in Stratos DC. Our security team has raised a concern that right now Apache's port, i.e. 8081, is open to everyone since there is no firewall installed on these hosts. So we have decided to add a security layer for these hosts, and after discussions and recommendations we have come up with the following requirements:

1. Install iptables and all its dependencies on each app host.

2. Block incoming port 8081 on all apps for everyone except for LBR host.

3. Make sure the rules remain, even after system reboot.


Please Note :-  Perform the below commands based on your question's server, user name and other details, which may differ from the ones shown here. So please read the task carefully before executing. All the Best 👍

Solution:  

1. At first, log in to the app server:  ssh tony@stapp01

2. Switch to the root user:  sudo su -

3. Run the below command to install the iptables service

    yum install -y iptables-services

4. Start and enable the iptables service with the below command

    systemctl start iptables && systemctl enable iptables


5. Add the below iptables rules as per your task (please check the port number as per your task). The first rule accepts traffic to the Apache port only from the LBR host, the second drops it from everyone else:

    iptables -A INPUT -p tcp --destination-port 8081 -s 172.16.238.14 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 8081 -j DROP


6. The default INPUT chain shipped with iptables-services ends with a catch-all rule "REJECT all ... reject-with icmp-host-prohibited" at position 5. Because -A appends, the two rules from step 5 land below that catch-all and are never reached, so the LBR host still cannot connect. List the rules with line numbers, confirm that rule 5 is the REJECT-all rule, and replace it so that it rejects only ICMP:

    iptables -L --line-numbers

    iptables -R INPUT 5 -p icmp -j REJECT

   Note that after this change the chain's policy (ACCEPT) applies to every port that has no explicit rule, so check the full listing before saving.

7.  Finally, save the rules so that they remain persistent across reboots

      service iptables save

8.  Restart the iptables service and validate that it is active

    systemctl restart iptables && systemctl status iptables


9.  Validate the task by listing the iptables rules again after the service restart.


    Then telnet or curl to the Apache port 8081 (please check the port number as per your task):

    From the LB server it should be reachable and accessible,

    whereas from the jump server it should not be accessible.


Please Note :- I have shown this only for stapp01. You have to do this on all app servers: stapp01, stapp02, stapp03.

10.  Click on Finish & Confirm to complete the task successfully
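The steps above hard-code the position of the catch-all REJECT rule (rule 5) and then narrow that rule to ICMP, which also leaves every other port without an explicit rule reachable, because the INPUT chain's policy is ACCEPT. The script below is an added example, not the post's own commands and not the KodeKloud checker: it reads the chain listing, finds the catch-all REJECT by its content instead of by number, and inserts the ACCEPT/DROP pair directly above it, so the catch-all stays in place. APP_PORT, LBR_IP, the APPLY switch and SAMPLE_LISTING are assumptions or constructed values; unless run as root with APPLY=1 it only prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not the post's own commands). Builds the iptables rules for
# the task without relying on "rule 5" and without widening the catch-all.

APP_PORT="${APP_PORT:-8081}"          # Apache port from the task sheet (assumed)
LBR_IP="${LBR_IP:-172.16.238.14}"     # LBR host address from the task sheet (assumed)

# Constructed sample of the default iptables-services INPUT chain on CentOS 7,
# in the format of `iptables -L INPUT -n --line-numbers`. Used for the dry run.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Read a chain listing on stdin and print the number of the first rule that
# rejects all protocols from any source (the catch-all). Prints nothing if absent.
find_catchall_reject() {
    awk '$2 == "REJECT" && $3 == "all" && $4 == "--" { print $1; exit }'
}

# Read a chain listing on stdin and print the iptables commands for the task.
# With a catch-all present, both rules are inserted at its position: DROP first,
# then ACCEPT at the same number, so the final order is ACCEPT, DROP, REJECT.
# Without one, fall back to appending as the post does.
build_rules() {
    port="$1"; lbr="$2"
    pos=$(find_catchall_reject)
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -p tcp --dport %s -j DROP\n' "$pos" "$port"
        printf 'iptables -I INPUT %s -p tcp --dport %s -s %s -j ACCEPT\n' "$pos" "$port" "$lbr"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$lbr"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    fi
}

# Apply for real only as root with APPLY=1 (assumed switch); otherwise dry-run
# against the constructed sample so the commands can be reviewed first.
main() {
    if [ "$APPLY" = "1" ] && [ "$(id -u)" = "0" ]; then
        iptables -L INPUT -n --line-numbers | build_rules "$APP_PORT" "$LBR_IP" | sh -e
        service iptables save            # persist to /etc/sysconfig/iptables
        systemctl restart iptables
        iptables -L INPUT -n --line-numbers
    else
        echo "# dry run: commands that would be executed"
        printf '%s\n' "$SAMPLE_LISTING" | build_rules "$APP_PORT" "$LBR_IP"
    fi
}
main
```

Run it on each app host as `APPLY=1 APP_PORT=8081 LBR_IP=172.16.238.14 sh harden.sh` (file name assumed), then carry out the step 9 check from the LB and jump servers exactly as described.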

Happy Learning!!!!


Apart from this, if you need more clarity, I have made a tutorial video on this; please go through it and share your comments. Like and share the knowledge.







13 Comments

  1. If the above solution didn't work with recent iptables, please try the following.

    ---
    iptables -I INPUT -s <LBR-host-IP> -p tcp --dport 5004 -j ACCEPT
    ---

    In the latest iptables installation, adding rules to the end will fail the task, as there are some default rules that reject all incoming calls with "reject-with icmp-host-prohibited".

    You must add the accept rule to the top of the INPUT rules.

    Replies
    1. Thanks Phoenix. Yes, if anyone faces an issue, please apply the rules suggested by Mr. Phoenix.

    2. I did just that and you guys marked me as wrong, and by the way, I've tested that on the lab: once you reboot the host you lose all the rules you've applied; to make it stick, for some reason, you need to issue chkconfig on iptables.

  2. yum install iptables-services -y
    systemctl start iptables && systemctl status iptables
    systemctl enable iptables
    iptables -L
    iptables -A INPUT -p tcp --destination-port 8086 -s 172.16.238.14 -j ACCEPT or iptables -A INPUT -p tcp -s 172.16.238.14 --dport 6400 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 8086 -j DROP
    service iptables save
    systemctl restart iptables

    I am unable to access the port from the LoadBalancer server. Please help me.

    Replies
    1. Hi Akash, hope you have gone through the video below.
      Try this additional rule, then save and restart the services:
      iptables -L --line-numbers
      iptables -R INPUT 5 -p icmp -j REJECT

    2. Thank you!
      Can you tell me why this rule needs to be added? It's the ICMP protocol and we reject it. Why?

    3. You're welcome. As there are default rules that reject all incoming calls with "reject-with icmp-host-prohibited", to restrict it to ICMP we change the protocol from all to ICMP. If you still have any queries, feel free to connect with me on online chat support during working hours.

  3. iptables -I INPUT 1 -p tcp --destination-port 8081 ! -s 172.16.238.14 -j REJECT

    Replies
    1. Thanks PA for this one-liner rule, but beginners need to understand it, so I kept it simple.

  4. If you can make a video explaining the reason for your commands and the IPs you have used, it would be much more helpful.

    Replies
    1. Thanks for your comment and suggestion. Sure, I will make a note and try to explain the reason for the commands in an upcoming post. Meanwhile, if you have any queries, feel free to connect with me for online support chat.

  5. I am getting an error.
    - Apache service on APP Server 1 is not reachable from LB host
    FAILED test_stlb01.py::test_stlb01 - AssertionError: - Apache service on App ...

    I applied the steps as mentioned:
    yum install -y iptables-services
    systemctl start iptables
    systemctl enable iptables
    systemctl status iptables

    iptables -A INPUT -p tcp --destination-port 3000 -s 172.16.238.14 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 3000 -j DROP
    iptables -L --line-numbers
    iptables -R INPUT 5 -p icmp -j REJECT

    service iptables save
    systemctl restart iptables
    systemctl status iptables

    systemctl restart httpd

  6. Please make sure you are using the correct port number as per your task. The rest of the steps are correct. If you still have a problem, feel free to connect with me on online chat support.

