Centos – Google Computer Engine Firewall and IpTables

centosgooglegoogle-compute-engineiptablessyn

I am very new to to server administration and just discovered that I can use Google Compute Engine to host my website similar to way it works with Linode or Digital Ocean. I am unsure on the following questions related firewall set-up with Google Compute Engine:

1) I see that Google Compute Engine comes with a firewall setting we can use for each instance. So in this case, does it mean I dont need to open and close ports in iptable as well when I set up a CentOs with Nginx web server on GCE?

2) If Google compute engine does the same job as iptables, then do I need to setup any special firewall rules for Blocking Null packets, Reject Syn-Flood Attack, Reject XMAS Packets, etc.. to GCE Firewall or is that not needed?

Best Answer

GCE firewall works at project level and IPtables works at OS level. For an instance to see an incoming connection both firewalls must allow it.

GCE firewall blocks all incoming traffic to the instances by default unless explicitly allowed by a firewall rule. Rules allow incoming traffic from an IP range, a list of protocols (ICMP, TCP and UDP) and a list of ports, and they can be restricted to some instances by using tags.
GCE firewall is not as flexible as IPtables and it is not suitable for this. Instead, GCE firewall focus on 90% use cases a firewall has: Avoid unauthorized incoming connections to your instances.

Have a look here for a quick introduction and here for all the possibilities you have with GCE firewall rules.

Related Solutions

Iptables syn flood countermeasure

Found it! The problem came from both the SYN flood countermeasure, which dropped the authorized streams instead of accepting them, and from the SSH bruteforce countermeasure, which was after the SYN flood countermeasure, so it did not drop any supernumerary incoming connexion as these connections were already accepted by the SYN flood countermeasure.

Here comes the good version of this script :

#!/bin/sh
IPT=/sbin/iptables

echo "Clearing firewall rules"
$IPT -F
$IPT -Z
$IPT -t nat -F
$IPT -t nat -Z
$IPT -t mangle -F
$IPT -t mangle -Z
$IPT -X

echo "Defining logging policy for dropped packets"
$IPT -N LOGDROP 
$IPT -A LOGDROP -j LOG -m limit --limit 60/min --log-level debug --log-prefix "iptables rejected: "
$IPT -A LOGDROP -j DROP 

echo "Setting firewall policy"
$IPT -P INPUT   ACCEPT
$IPT -P OUTPUT  ACCEPT
$IPT -P FORWARD ACCEPT

echo "Allowing connections from/to lo"
$IPT -I INPUT -i lo    -j ACCEPT
$IPT -I OUTPUT -o lo   -j ACCEPT

echo "Denying web server user outgoing HTTP connections on eth0"
$IPT -A OUTPUT -p tcp --dport 80 -o eth0 -m owner --uid-owner www-data -j LOGDROP
$IPT -A OUTPUT -p udp --dport 80 -o eth0 -m owner --uid-owner www-data -j LOGDROP

echo "Denying more than 3 SSH connection attempts per minute and per IP"
$IPT -A INPUT -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOGDROP

echo "Setting SYN flood countermeasures"
$IPT -A INPUT -p tcp -i eth0 --syn -m limit --limit 30/s --limit-burst 200 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --syn -j LOGDROP

echo "Denying 'w00tw00t' vulnerability scans"
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string 'w00tw00t.at.ISC.SANS.' -j LOGDROP

echo "Denying HTTP requests concerning misconfigured anoticiapb.com.br external domain"
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string "Host: anoticiapb.com.br" -j LOGDROP
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string "Host: www.anoticiapb.com.br" -j LOGDROP

echo "Allowing outgoing traffic corresponding to already initiated connections"
$IPT -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allowing up to 10 ICMP requests per second, dropping any supernumerary ICMP request"
$IPT -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
$IPT -A INPUT -p icmp -j LOGDROP

echo "Allowing incoming HTTP(S), SMTP, NTP, PgSQL, SolR"
$IPT -A INPUT -p tcp --dport 25   -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 80   -i eth0                -j ACCEPT
$IPT -A INPUT -p udp --dport 123  -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 443  -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --sport 5433 -i eth0.2654 -s 172.16.0.1 -j ACCEPT
$IPT -A INPUT -p tcp --sport 8983 -i eth0.2654 -s 172.16.0.1 -j ACCEPT

echo "Allowing outgoing SSH, SMTP, whois, DNS, HTTP, SolR, PgSQL, ICMP"
$IPT -A OUTPUT -p tcp --dport 22                         -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 43   -o eth0           -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443  -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 5433 -o eth0.2654      -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 8983 -o eth0.2654      -j ACCEPT
$IPT -A OUTPUT -p icmp                   -j ACCEPT

echo "Allowing outgoing FTP backup"
$IPT -A OUTPUT -p tcp --dport 20:21 -o eth0 -d 91.121.190.18 -j ACCEPT

echo "Dropping and logging everything else"
$IPT -A INPUT -j LOGDROP 
$IPT -A OUTPUT -j LOGDROP
$IPT -A FORWARD -j LOGDROP

echo "Firewall loaded."

OpenVPN – Setup VPN Server on Google Compute Engine

You can solve the issue of not being able to browse the web through the VPN despite being able to ping, traceroute... by one of the two following ways:

First, you can use TCP protocol instead of UDP, by changing 'proto udp' to 'proto tcp' in both client and server conf files.

Second, you can use tap device instead of tun, by changing 'dev tun' to 'dev tap' in both client and server conf files.

Not sure what the issue is though, it seems it's a problem from Google's end.

Best Answer

Related Solutions

Iptables syn flood countermeasure

OpenVPN – Setup VPN Server on Google Compute Engine

Related Topic