Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
The simplest way is:
# Accept SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# do the above for each port you want to allow.
# Allow establised and related conenctions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Disallow everything else
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Thanks could you possible just tell me what my current iptable means?? I do not want to remove anthing if it is needed since some of it might have been setup by cpanel. I have change the actual host to host.com, not cause i don't trust you just i don't want to display my holes all over the net
your best bet is to create a SSH script and have it do all the rules for you
I have attached an example script that allows ALL connections OUT and none IN
but this is also used as gateway so you may want to modify some of the MASQUERADE options etc
# IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Other Definitions
# You may want to add in your http server if its on a seperate box
# and follow the examples below to configure the firewall to FWD to it
# Test Machine Definitions
# Clear out any existing firewall rules, and any chains that might have
# been created.
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
# Set Default Rules
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
# silent - Just dop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that that we refuse, possibly from an attack
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP
$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
# Use below to enable MASQUERADE eth1
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
# Allow selected ICMP types and drop the rest.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
# The loopback interface is inheritly trustworthy
$IPTABLES -A INPUT -i lo -j ACCEPT
# Inside Machine are trustworthy
$IPTABLES -A INPUT -i $INSIDE -d $INT_IP -j ACCEPT
# Port forwarding.
# Redirect Traffic for Port 80 to Squid Proxy Server:3128
$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128
# Redirect External & Internal HTTP on 8080 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP
# Redirect External & Internal SSH on 8081 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything that hasn't already matched gets logged and then dropped.
$IPTABLES -A INPUT -j firewalled
I will try to make a script for it. I think I have enough infomation to start.
But just to clarify. All the host.com that I showed in my iptables are the actual host of the machine itself. I actaully see that I did not remove them all. So I think the iptables basically say, if its from anywhere to my server allow it and if its from my server to anywhere allow it.
Thanks for all the help.
I got it all to work with out any problems
I just have to review which ports I really need. For now I left open all the ones that were listening but I want to see if I really need them all, I just don't want anything to stop working and for that to be the reason.