DevOpsTutorials

Securing small IT setup with VPN 2

In the first part of this post I showed you how to setup a VPN server and limit access to websites in Nginx only to users behind VPN server. While this approach works, we can still go one step deeper and secure our server on a lower layer. Today I will show you how to secure our Application Server using IPTables.

To put it short, IPTables is a program that filters network packets. You can call it a firewall if you want. It allows you to setup chains of rules which are applied to network packets. Rules can drop allow, forward or drop packages. IP tables is the first match system so be sure to first add allow rules and then deny rules.

What we would like to do is to limit all connections on ports 80 (basic HTTP port) and 443 (HTTPS port). We only want to allow connections from users inside the Virtual Private Network (VPN) that we created before. If we setup our VPN Clients to redirect all traffic through the VPN server, then they will all have the same IP address outside. It means that we call only allow network packets from this IP address and block everything else. To be extra secure, we can actually block all ports from internet traffic.

First, let’s start with allowing ssh port. We don’t want to accidentally lose connectivity to our server. Be default ssh is running on port 22 so let’s allow incoming connections to this port.

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Now, we will add rules to allow incoming connections on ports 80 and 443 from our VPN. $IP_ADDRESS is the ip address of the VPN server which we did setup in previous post.

iptables -A INPUT -s $IP_ADDRESS -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s $IP_ADDRESS -p tcp --dport 443 -j ACCEPT

Lastly we can block all other incoming connections:

iptables -A INPUT -j DROP

Now we have to save our new firewall rules. If you are on Ubuntu, you can save it to a file:

iptables-save > /etc/iptables.rules

And that’s it. We have an Application Server which is only accepting connection from clients in Virtual Private Network. In this way, you can secure and separate your test applications from unwanted internet access while still being able to use them in your company. In terms of money, this setup is really cheap and can be achieved for not more than 100$ per year. However, if your business grows, you should think of using some tested, enterprise scale solutions.