Develop Reference

How to whitelist IP addresses on Amazon Lightsail

I used Amazon Lightsail to deploy a wordpress site and it worked like a charm. Now I have the need to restrict the IP addresses that can access on port 80 to the ones associated to the Firewall from SiteLock, and I am looking for the best and cleanest solution.
It looks like in Lightsail simplified version of the world, I can only open a port for public access, or close it.
My only idea now is logging in via SSH and use iptables, but I wanted to understand if that's the only way I can do this, or there is something "smarter".

This is what I came out with, that actually works, but uses iptables which I am not sure is the best option, so the question is still open to get a better solution.
Since SiteLock website says these IP ranges are to be allowed in:
SiteLock Firewall IP Ranges
199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
2a02:e980::/29
I created a script to allow them all, and then close all the rest with an explicit DROP rule
sudo iptables -A INPUT -p tcp -s 199.83.128.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 198.143.32.0/19 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 149.126.72.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 103.28.248.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 45.64.64.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 185.11.124.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 192.230.64.0/18 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 107.154.0.0/16 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 2a02:e980::/29 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP

now, IPs can be whitelisted from AWS console itself. Go to your Lightsail instance in console, then networking. there you can choose ports to open, and to whitelist IP, check Restrict to IP. then enter whielisted IP or range and save.
reference: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-editing-firewall-rules

add firewall rules using sed in bash

I have to add some firewall rules in my script. The rules must be written in /etc/sysconfig/iptables
I try to use sed for this operation but it doesn't work:
sudo sed -i '/:OS_FIREWALL_ALLOW - [0:0]/a \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 50825 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 20048 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT' /etc/sysconfig/iptables
I try to add the rules after the line :OS_FIREWALL_ALLOW - [0:0] which is in the /etc/sysconfig/iptables
There is happening anything. The iptables-file has the same content as before. The new lines aren't added.
What am I doing wrong?
Content of iptables (before and after the executing sed-command)
...
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...
Expected output:
...
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...

You have to change this line,
/:OS_FIREWALL_ALLOW - [0:0]/a
to
/:OS_FIREWALL_ALLOW - \[0:0\]/a
In a regular expression, square brackets are used to indicate character classes, which matches any of the characters in the character set.
Valid command is:
sudo sed -i '/:OS_FIREWALL_ALLOW - \[0:0\]/a \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 50825 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 20048 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT' /etc/sysconfig/iptables
EDIT 2:
If your sed supports r command (read from filename), you can save the iptables rules to add_rules.txt. Then you can add it to existing rules.
sed -i '/:OS_FIREWALL_ALLOW - \[0:0\]/r add_rules.txt' /etc/sysconfig/iptables

Optimizing firewall rules processing

I'm using fail2ban to block failed login attempts on my server. The block is performed using IP tables with the following configuration:
actionstart = iptables -N fail2ban
iptables -A fail2ban -j RETURN
iptables -I <chain> -p tcp -m multiport --dports <port> -j fail2ban
actionstop = iptables -D <chain> -p tcp -m multiport --dports <port> -j fail2ban
iptables -F fail2ban
iptables -X fail2ban
actionban = iptables -I fail2ban 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban -s <ip> -j DROP
What I'm concerned about is rules processing performance. The above rules are in stateful mode and I've been wondering if stateless mode would make the processing faster. To make things clear, I'm blocking the intruder IP address on a TCP port (e.g., 22 or 25).
I read somewhere that for TCP connection specialy, adding the ESTABLISHED,RELATED states would be better. But since each IP refers to a different connection, does it make sense to apply these states?
UPDATE:
Here is a sample iptables -L:
Chain INPUT (policy ACCEPT 399 packets, 36043 bytes)
pkts bytes target prot opt in out source destination
39 4230 fail2ban tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,80,99,100,101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 282 packets, 39686 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.2 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.3 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.4 0.0.0.0/0
39 4230 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Despite what many performance apologists claim, IPtables CAN have significant overhead, but it won't be noticeable until you get some substantial traffic. Now how you do the tables, and which extensions you call, will be determining factor on CPU overhead per packet.
As for stateless vs statefull, yes the performance difference can be immense, but again it's at a very high throughput. In addition as you may have read, it is much more complexity to manage a stateless firewall. It should really only be done if the IPtable impact is measurable.
BUT good practice should always be followed, and IMO that includes the least amount of overhead without adding lots of complexity.
Now as for your situation, fail2ban is only considering a segment of your iptables overall, but the only thing that I would recommend looking at preventively is this part.
-p tcp -m multiport --dports
Using the multiport extension does have more overhead, except when doing so would make a solid reduction of rules. Since you are only doing 2, I would list them separately, to avoid the multiport extension... or better yet just one by range, if you don't care about blocking 23 and 24.
-p tcp -m tcp --dport 22:25
As for established tracking, yes you can use it with fail2ban, although it does have some considerations. To get the most impact, you'd want to place fail2ban chain below ESTABLISHED,RELATED. However this will allow already established connections, considering you'd need an already authenticated user, it seems reasonable enough.
This is a mini example of the tables I use for my servers, with some example rules, I commented it for you,
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
## Stateless on Loopback
## Remove everything before #filter if iptables chokes on #raw
-A OUTPUT -o lo -j NOTRACK
COMMIT
*filter
## Default Chains
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## Proto Chains
:FWINPUT-TCP - [0:0]
:FWINPUT-UDP - [0:0]
:FWINPUT-ICMP - [0:0]
## FAIL2BAN Chain
:fail2ban - [0:0]
## Accept Established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Accept Loopback
-A INPUT -i lo -j ACCEPT
## Seperate Proto
-A INPUT -p tcp -g FWINPUT-TCP
-A INPUT -p udp -g FWINPUT-UDP
-A INPUT -p icmp -g FWINPUT-ICMP
## Reject Anything Non-TCP/UDP/ICMP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
## TCP Rules
-A FWINPUT-TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A FWINPUT-TCP -p tcp -m tcp --dport 443 -j ACCEPT
## fail2ban Check
-A FWINPUT-TCP -p tcp -m tcp --dport 22:25 -g fail2ban
## fail2ban Return
-A FWINPUT-TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A FWINPUT-TCP -p tcp -m tcp --dport 25 -j ACCEPT
## TCP-Reset Ident
-A FWINPUT-TCP -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
## Reject Any Other TCP Traffic
-A FWINPUT-TCP -j REJECT --reject-with icmp-port-unreachable
## UDP Rules
-A FWINPUT-UDP -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
## Reject Any Other UDP Traffic
-A FWINPUT-UDP -j REJECT --reject-with icmp-port-unreachable
## ICMP Rules
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
## Reject Any Other ICMP Types
-A FWINPUT-ICMP -j REJECT --reject-with icmp-host-prohibited
## fail2ban Inserted Rules
-A fail2ban -j RETURN
COMMIT
I would just blank out the action start and action stop, and let fail2ban just add the blocked IP rules when running. This would a pinch more manual considerations, like if you wanted to start using fail2ban to block more stuff... but if it's a set type of thing your trying to work on, then it shouldn't be a problem.
... On my home system, and not on servers, I usually just set an iptables limit and call it good enough.

Gitlab pushing via https doesnt succed because of iptables

I installed the Gitlab-Omnibus bundle and opened iptables for port 80, 443, 9418 and temp. even for 22. Why doesn't pushing via https work? When I put iptables in default open for everything it works.
Here are my rules for 80, 443, 22 and 9418
# 1. Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
# 2. Allow outgoing HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT
# 10. Allow outgoing HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
# allow git
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 9418 -j ACCEPT
#SSH: Client --> Server
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
The Result is:
Pushing to https://TLD/USER/REPO.git
POST git-receive-pack (448 bytes)
And then it just freezes. What do I need to open else?
I tried logging dropped packages but there is nothing with my ip?
I hope someone can help me..
Ok here are the rules for my logging:
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
And here is the output:
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT

#Devices
DEV0=eth0
#internal network
INT_NET=xxx.xxx.0.0/16
INT_NET_SECURE=xxx.xxx.xxx.0/24
#external network
EXT_NET=xxx.xxx.xxx.0/24
#path iptables
IPTABLES=/sbin/iptables
#path modprobe
MODPROBE=/sbin/modprobe
case $1 in
start)
$0 stop
echo "start ip-package-filter"
# iptables-Modul
$MODPROBE ip_tables
# Connection-Tracking-Module
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
#Standard-Policy - Deny everything except what we want
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#slows down icmp for too much packages
echo "5" >/proc/sys/net/ipv4/icmp_ratelimit
#Kills packages with source route option
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_source_route
#Kills icmp forwarding
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_redirects
#Kills spoofed packages
echo "1" > /proc/sys/net/ipv4/conf/$DEV0/rp_filter
#Kills packages from 0.X.X.X
echo "0" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
# TCP-FIN-Timeout (DoS-Attack)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#TCP-SYN max 3 answers
echo 3 > /proc/sys/net/ipv4/tcp_retries1
#TCP-Package max 15x repetitions
echo 15 > /proc/sys/net/ipv4/tcp_retries2
#Loopback-Communication
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#ICMP: Client <--> Server
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
#DNS: Server --> DNS-Server
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#SSH: Client --> Server (internal)
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
#SSH: Client --> Server
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Update (apt)
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#TeamDrive
$IPTABLES -A INPUT -p tcp --dport 37655 -m state --state NEW -j ACCEPT
#Git
$IPTABLES -A INPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
#Connection-Tracking for INPUT and OUTPUT CHAIN
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
echo "Firewall activated"
;;
stop)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
;;
restart)
$0 start
;;
*)
echo "Usage: $0 {startwd|stop|restart}"
;;
esac

How can I get repositories domains from a composer.json to setup iptables?

I want to list all the domains that my composer.json will use to download dependencies of my project in order to list them in my iptable config. Is there a way to do this ?
This is the part of my iptable config I want to complete with that list :
HTTPS_SERVERS=(packagist.org api.github.com github.com getcomposer.org us3.api.mailchimp.com mandrillapp.com)
for i in `seq 0 $((${#HTTPS_SERVERS[*]} -1))`
do
server=${HTTPS_SERVERS[i]}
$IPT -A me_bad -p tcp -d $server --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A bad_me -p tcp -s $server --sport 443 -m state --state ESTABLISHED -j ACCEPT
done
Many thanks.