Secure Linux Servers Using IPTables Rules and WonderShaper

Thursday, March 28th, 2013

Secure your Ubuntu Server from Flood and Other Attacks Using IPTables and WonderShaper

The following commands use IPTables to prevent common flooding and other miscellaneous malicious attacks. These commands can prevent a Linux server from lagging and spending resources on malformed packets.  Some of these attacks can cause DDoS attacks, so it is best to use these filters and rules.  Use at your own risk. A detailed explanation can be found here.

# Explanations here:
# http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
sudo apt-get install iptables
sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
sudo iptables -A INPUT -f -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

If you want to drop ICMP ping requests, click here.

Limiting Download and Upload Speeds / Traffic Globally in Ubuntu

Limiting download and upload speeds globally does not make a server any more secure than before.  However, it can aleviate network lag, which in my opinion ensures availability enhancing security.  In Ubuntu, it's easy to limit the max download and upload speed that can be used on an interface.  It wasn't always this easy, but thanks to a tool called wondershaper, you don't have to worry about any of the complexities.  To install, run the following command:

sudo apt-get install wondershaper  

Now, we need to tell wondershaper to start limiting our max download and upload rate on our particular interface. To see a list of interfaces, type the following command:

ifconfig

To determine what your max download and max upload speed should be, use SpeedTest to run a couple of bandwidth tests using your connection.  With your results, convert the speeds from mbps to kilobits per second.  Use this bandwidth calculator / converter to help you out.  Then, I'd subtract 20-30% of each value, as you want to leave some room between your max speed so that bandwith will still be available to other computers / nodes on the network.

Once you have your speeds, start wondershaper (modifying the example below to fit your needs):

# wondershaper [interface] [max_download_speed_kilobits] [max_upload_speed_kilobits]
sudo wondershaper eth0 8192 2764

Make a backup of the /etc/network/interfaces file:

sudo cp /etc/network/interfaces /etc/network/interfaces.bakup
sudo nano /etc/network/interfaces

To run wondershaper upon boot or startup, edit the /etc/network/interfaces file, and add the following (modify to fit your needs if neccessary):

auto lo
iface lo inet loopback
up /sbin/wondershaper eth0 8192 2764
down /sbin/wondershaper clear eth0

Make sure you change your max download and upload speed in both of the examples.  Settings will now apply when the computer boots into Linux.

Exclude LAN from Speed Limits

WonderShaper does not differentiate between LAN traffic and external traffic by default.  To prevent WonderShaper from limiting LAN network download and upload speeds, install this updated WonderShaper script:

cd ~/Downloads
wget -O wondershaper_exclude_lan.tar.gz www.dinofly.com/files/wondershaper_exclude_lan.tar.gz
tar xzvf wondershaper_exclude_lan.tar.gz
sudo cp -f wondershaper /sbin/wondershaper
sudo chmod +x /sbin/wondershaper
sudo nano /sbin/wondershaper

Find:

#Local Network
LAN_SUBNET=192.168.0.0

Change it to your LAN's main IP address.  For example, if your LAN gateway is 192.168.1.X, change it to:

#Local Network
LAN_SUBNET=192.168.1.0

Another example, if your LAN gateway is 192.168.43.X, change it to:

#Local Network
LAN_SUBNET=192.168.43.0

Save the file and reboot.

Your local area network (LAN) traffic is not filtered, but external traffic is!  Enjoy lag free connections from both the outside and inside while running any type of web server.