iptables for dedicated www server (one nic)
I'm building up from a clean install and was wondering if the rules listed below are secure for a dedicated web server (only one NIC). First time and just wanted to confirm...

# DROP everything by policy
iptables -p INPUT DROP
iptables -p OUTPUT DROP
iptables -p FORWARD DROP

# ACCEPT all internal traffic on loopback
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# ACCEPT HTTP (inbound requests to port 80, outbound replies from port 80)
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT

# ACCEPT HTTPS (inbound requests to port 443, outbound replies from port 443)
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT

# ACCEPT SSH (TCP in both directions)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

I also see a future need for FTP, but I've read that it is not a good idea. Any input on that subject as well would be appreciated.
Personally:
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT

But if you like your way better... Also, just a note, on your drops that you have up front, those need to be cap P, not lower case.
ridertech:
Do you need outbound ssh/http/https? Otherwise you could skip that as well. As a replacement for ftp I suggest you use sftp, which is included in the ssh suite. Although this will not work if you're planning on setting up an anonymous ftp server (which is usually a bad idea on any server running anything but just the ftp daemon). I've seen a php script called Jabba's PHP Traverser, which gives read access via a web interface to directories of your choice. I have no idea if this is a secure solution, but it might be a good idea to check it out if only read access is required...
In addition, you may want to filter your incoming SSH connections to just the sites that you will be connecting from. Right now anyone with a client can make an attempt to login.
Thanks, I started over with a completely open firewall, then added the following...
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# 888.888.888.888 is a placeholder for the admin host's address
iptables -A INPUT -p tcp --dport 22 -s 888.888.888.888 -j ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
# -o (output interface) is only valid in OUTPUT/FORWARD, not INPUT
iptables -A OUTPUT -o lo -j ACCEPT

What do I need to add to be able to use apt-get? It currently just hangs when trying to connect.
Also, I've been seeing examples of scripts that set up the firewall upon boot, rather than entering these rules line by line. Assuming that the syntax is the same, where do I put the file and how does the script get run? What happens if the script is not found for some reason? Will the firewall be completely open?
Here's a link to an old iptables I had set up.
I never liked the initial config file for iptables; it was always hard to read, so I created this. I have it residing in my /etc/init.d, and it's called iptables, so that way I didn't have to create any link to actually start it up. Otherwise you'll have to make a link as for a normal startup script. Anyway, if you have any questions about it, let me know.
You can just make a script and have all your lines of iptables in it, and then just add a reference to your script in your rc.local. Personally I like doing it this way, because it gets run last, and you know exactly what's been loaded and when.
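As an added example (not code from anyone in this thread), here is one way to put the ruleset the replies converge on into a boot-time script. It answers the two open questions above: apt-get hangs under a plain INPUT DROP policy because the reply packets to connections the server itself opens are dropped, so a stateful rule accepting ESTABLISHED,RELATED traffic is needed; and if the script never runs, the kernel's built-in policy for the filter chains is ACCEPT, so the host sits wide open until the rules are loaded. The script writes the rules in iptables-restore format, which loads the whole set atomically, so a typo cannot leave the box half-configured. The admin address 203.0.113.10 and the file path /etc/iptables.rules are assumed placeholders; OUTPUT is left at ACCEPT as in the replies' version.

```shell
#!/bin/sh
# Added example for a single-NIC web server (not from the original thread).
# Generates an iptables-restore ruleset; "apply" loads it (run as root,
# e.g. from rc.local or an /etc/init.d script).

gen_rules() {
    admin_ip="${1:-203.0.113.10}"   # assumed placeholder for the admin host
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (apt-get, DNS, NTP) and the
# return half of inbound web sessions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection (bad flags, stray replies)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public services
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH only from the admin host
-A INPUT -p tcp -s ${admin_ip} --dport 22 -j ACCEPT
COMMIT
EOF
}

# Count lines matching a pattern in the generated set; a quick sanity
# check before loading (e.g. exactly one SSH rule, no OUTPUT rules).
count_rule() {
    gen_rules "$1" | grep -c -- "$2" || true
}

# Load atomically: iptables-restore installs the complete set or, on a
# syntax error, leaves the running rules untouched.
if [ "${1:-}" = "apply" ]; then
    gen_rules "$2" > /etc/iptables.rules
    iptables-restore < /etc/iptables.rules
fi
```

Run `sh firewall.sh apply 203.0.113.10` as root from rc.local (or the init script) to load the set; `gen_rules` alone just prints the file so it can be reviewed or diffed before it touches the kernel. The `:OUTPUT ACCEPT` policy line is what lets apt-get open its connection; the ESTABLISHED,RELATED rule is what lets the answers back in.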