SPI Firewall for Debian- and Ubuntu-VPS

Rackhansa’s hardware nodes implement upstream SPI firewalls (Stateful Packet Inspection) for the hosted virtual servers; IPv6 is supported through dual-stack operation. Known ICMP-based attacks and DoS (Denial of Service) attacks are dropped on the physical server, so these malicious packets never reach the VPS.
The advantages are quite clear:

  • Rackhansa customers have less work because the firewall stays clear and simple.
  • When a new network attack becomes known, Rackhansa implements the defence on the hardware node to protect all VPS as fast as possible.

Because Debian and Ubuntu do not enable a firewall by default, these templates ship with two additional scripts from Rackhansa in the directory /etc/network/if-up.d: firewall-ipv4 and firewall-ipv6 (they run as soon as the network interface comes up).
These scripts contain two important variables; the following port numbers are opened at boot:
TCP_PORTS="22 80 443"
UDP_PORTS=""

The TCP ports 22, 80 and 443 (ssh, http and https) are enabled by default.
To allow additional network services, add the appropriate port numbers to these variables (see /etc/services). The scripts can be executed manually, so a reboot is not required.
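As an added illustration of how an if-up.d script of this kind turns the two variables into a rule set, here is a hypothetical re-implementation written for this page; it is not Rackhansa's firewall-ipv4 script. It assumes the interface name venet0 (as in the listings on this page) and the iptables command line; with DRY_RUN=1 (the default here) it prints the commands instead of executing them, so it can be reviewed without root.

```shell
#!/bin/sh
# Hypothetical if-up.d style firewall script (added example, not Rackhansa's own).
# Assumptions: interface venet0, iptables CLI. DRY_RUN=1 prints the commands,
# DRY_RUN=0 executes them (requires root).

TCP_PORTS="22 80 443"
UDP_PORTS=""
IFACE="venet0"
DRY_RUN="${DRY_RUN:-1}"

# run_ipt prints or executes one iptables invocation, depending on DRY_RUN.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_rules emits the complete rule set in the order the INPUT listing shows:
# default policies, stateful accept, loopback, per-port accepts, ICMP, final REJECT.
build_rules() {
    run_ipt -P INPUT DROP
    run_ipt -P FORWARD ACCEPT
    run_ipt -P OUTPUT ACCEPT
    run_ipt -F INPUT
    run_ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run_ipt -A INPUT -i lo -j ACCEPT
    for p in $TCP_PORTS; do
        run_ipt -A INPUT -i "$IFACE" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_PORTS; do
        run_ipt -A INPUT -i "$IFACE" -p udp --dport "$p" -j ACCEPT
    done
    run_ipt -A INPUT -p icmp -j ACCEPT
    run_ipt -A INPUT -i "$IFACE" -j REJECT --reject-with icmp-port-unreachable
}

# count_port_rules returns how many per-port ACCEPT rules the current
# TCP_PORTS/UDP_PORTS values produce; useful for checking an edit before applying it.
count_port_rules() {
    build_rules | grep -c -- '--dport'
}

# Print the rule set (DRY_RUN=1) or apply it (DRY_RUN=0).
build_rules
```

Editing TCP_PORTS or UDP_PORTS and re-running the script with DRY_RUN=1 shows exactly which ACCEPT lines change; the ordering matters, because the final REJECT on venet0 must stay last or every later ACCEPT is unreachable.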

IPv4 firewall

We would like to take this opportunity to mention once again that the minimum firewall presented below offers enough protection for your server only when an upstream firewall has already filtered out the malicious packets.
With the following command:

 iptables -L -n -v

the active firewall rules are shown (you should definitely check your firewall, especially after a rule has been changed or added):

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  707 68591 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   18  1040 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   25  1198 REJECT     all  --  venet0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 697 packets, 89539 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT:
Policy DROP means that packets are not allowed to pass unless a rule explicitly accepts them.

  • Line with state RELATED,ESTABLISHED:
    All packets belonging to an existing network connection are allowed to pass. This rule is what makes the firewall an SPI firewall (Stateful Packet Inspection): the kernel keeps a table of which network connections exist between two endpoints.
  • Line with “ACCEPT all -- lo”: Internal communication; connections to and from the loopback interface (localhost or 127.0.0.1) are allowed.
  • Lines with “ACCEPT tcp -- venet0”: Here the ports 22, 80 and 443 are enabled for incoming connections from the Internet. Port 22 has to be enabled, otherwise you cannot log into your server with ssh.
  • Line with “ACCEPT icmp”:
    Ping packets pass through, so you can check from your office whether your server is reachable.
  • Line with “reject-with icmp-port-unreachable”: Your server sends back a polite reply that the connection has not been accepted.

Chain FORWARD: Everything is fine, your server is not a router.
Chain OUTPUT with policy ACCEPT means that your server may establish network connections to the outside.

IPv6 firewall

With the following command:

ip6tables -n -L -v

the active IPv6 firewall is displayed:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0                
    0     0 ACCEPT     tcp      venet0 *       ::/0                 ::/0                 tcp dpt:22
    0     0 ACCEPT     tcp      venet0 *       ::/0                 ::/0                 tcp dpt:80
    0     0 ACCEPT     tcp      venet0 *       ::/0                 ::/0                 tcp dpt:443
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0    

Except for the last rule, all rules are the same as for IPv4.
The last rule with “ACCEPT icmpv6 * *” is necessary! IPv6 works only if your server responds to specific routing packets, which are sent via ICMPv6. As mentioned above, the upstream Rackhansa firewall filters the known malicious packets and forwards only ping and the necessary routing information to your server.
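The page says to check the firewall whenever a rule has been changed or added. The following added example (written for this page, not a Rackhansa tool) audits a saved `iptables -L -n -v` or `ip6tables -L -n -v` listing against the expectations described above for both the IPv4 and the IPv6 INPUT chain: policy DROP, the stateful ACCEPT, loopback, ICMP (ICMPv6 for IPv6), the final REJECT for IPv4, and no TCP port open beyond the ones you intend. The two sample listings are constructed to match the output shown on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit iptables/ip6tables listings (not part of the original page).
# Assumption: input is the text printed by `iptables -L -n -v` / `ip6tables -L -n -v`.

# Constructed sample listings, shaped like the ones shown above.
SAMPLE_V4='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  707 68591 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   18  1040 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   25  1198 REJECT     all  --  venet0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 697 packets, 89539 bytes)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_V6='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     tcp      venet0 *       ::/0                 ::/0                 tcp dpt:22
    0     0 ACCEPT     tcp      venet0 *       ::/0                 ::/0                 tcp dpt:443
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0'

# input_chain keeps only the INPUT chain from a listing read on stdin.
input_chain() {
    awk '/^Chain INPUT/ {on=1} /^Chain (FORWARD|OUTPUT)/ {on=0} on {print}'
}

# open_tcp_ports prints the TCP destination ports accepted in the INPUT chain,
# space separated, from a listing read on stdin.
open_tcp_ports() {
    input_chain | grep -Eo 'tcp dpt:[0-9]+' | sed 's/tcp dpt://' | tr '\n' ' ' | sed 's/ $//'
}

# audit_listing FAMILY EXPECTED_TCP_PORTS reads a listing on stdin, prints one
# line per failed check and returns 0 only when every check passed.
audit_listing() {
    fam="$1"; expected="$2"; rc=0
    chain="$(input_chain)"
    printf '%s\n' "$chain" | head -n 1 | grep -q 'policy DROP' \
        || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    printf '%s\n' "$chain" | grep -q 'ACCEPT.*RELATED,ESTABLISHED' \
        || { echo "FAIL: no stateful ACCEPT rule"; rc=1; }
    printf '%s\n' "$chain" | grep -Eq 'ACCEPT +all +(-- +)?lo ' \
        || { echo "FAIL: loopback traffic not accepted"; rc=1; }
    if [ "$fam" = "6" ]; then
        printf '%s\n' "$chain" | grep -Eq 'ACCEPT +icmpv6 ' \
            || { echo "FAIL: ICMPv6 not accepted; IPv6 routing will break"; rc=1; }
    else
        printf '%s\n' "$chain" | grep -Eq 'ACCEPT +icmp ' \
            || { echo "FAIL: ICMP (ping) not accepted"; rc=1; }
        printf '%s\n' "$chain" | grep -q 'reject-with icmp-port-unreachable' \
            || { echo "FAIL: no final REJECT rule on the external interface"; rc=1; }
    fi
    # Any accepted TCP port not in the expected list is flagged as an unplanned change.
    for p in $(printf '%s\n' "$chain" | grep -Eo 'tcp dpt:[0-9]+' | sed 's/tcp dpt://'); do
        case " $expected " in
            *" $p "*) ;;
            *) echo "FAIL: unexpected open TCP port $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the live system would be:  iptables -L -n -v | audit_listing 4 "22 80 443"
printf '%s\n' "$SAMPLE_V4" | audit_listing 4 "22 80 443" && echo "IPv4 INPUT chain OK"
printf '%s\n' "$SAMPLE_V6" | audit_listing 6 "22 80 443" && echo "IPv6 INPUT chain OK"
```

The expected port list should be the same value as TCP_PORTS in the if-up.d script, so the audit catches a rule that was added by hand and never recorded in the script, as well as a missing ICMPv6 rule that would silently break IPv6.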