Noob Admin, security concerns
I have been getting a little frustrated with trying to set up iptables firewall rules for my new webserver. I am new at this and basically need only a few services accessible; this is a public webserver that is going to be pounded on a lot, and I am working through ssh only, so I have been looking for a script. A few of my challenges are this: I am running multiple sites as I am hosting, and I need ssh, ftp, mail, and http - https services available. The thing is I have read through iptables setups, but I am used to hardware firewalls, so the difference is a lot haha. I see a lot of scripts online for office firewalls but haven't found much for webservers. If you guys have any suggestions besides google LoL I would be much appreciative. Thanks, Frog
IPTables has a lot of options, but you can ignore most of them. Feeding this in with iptables-restore provides a basic configuration with SSH, HTTP and HTTPS access, and you can add ports just by specifying extra lines for the relevant port numbers:
*filter
# Set the default policies: ACCEPT outbound connections, and DROP all others
:INPUT DROP [3342:147048]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [526:34970]
# Accept anything from the loopback interface
-A INPUT -i lo -j ACCEPT
# Accept responses to connections that this system initiated
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept pings
-A INPUT -i eth0 -p icmp -j ACCEPT
# Accept SSH connections
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# Accept HTTP connections
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# Accept HTTPS connections
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
Thanks
I appreciate the info, however is there a configuration setup for a .conf file, or commands I enter into bash?
Put your firewall rules in a text file (e.g. /etc/network/firewall-rules), and use the iptables-restore utility to load the rules in:
iptables-restore < /etc/network/firewall-rules

On Debian I automate loading the firewall by adding this script to the directory /etc/network/if-pre-up.d/:

#!/bin/bash -e
### ** Enable IPv4 Firewall ** ###
### Borrowed from "The Debian System" by Martin Krafft ###
### Important: iptables only filters IPv4 traffic
### Important: To filter IPv6 traffic, use ip6tables
# Only load the rules when the loopback interface is brought up (it comes up
# first, so this runs once); exit quietly for every other interface
[[ "$IFACE" = lo ]] || exit 0
# Input the rules from the file /etc/network/firewall-rules
exec iptables-restore < /etc/network/firewall-rules
# End of script

Hope that helps.
If you are using Sarge you may need to replace the "conntrack" rule in the example that I posted with this line:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(Sarge uses a 2.4 kernel, rather than the standard 2.6).
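As an added example (not a script from this thread), here is a small POSIX shell function that writes a rules file in the same iptables-restore format as the one posted above, for any interface, either connection-tracking match (conntrack on a 2.6 kernel, state on Sarge's 2.4 kernel) and a list of TCP ports, so the extra services the original poster asked for can be added without hand-editing; the function name gen_rules and the port list are my own choices.

```sh
#!/bin/sh
# Added example, not the poster's script: emit an iptables-restore rules
# file for IFACE that drops inbound traffic by default and opens PORTS.
#   gen_rules IFACE MATCH "PORTS"
#   MATCH: conntrack (2.6 kernels) or state (Sarge's 2.4 kernel)
#   PORTS: space-separated TCP ports to accept, e.g. "22 80 443"
gen_rules() {
    iface=$1
    match=$2
    ports=$3

    case "$match" in
        conntrack) est='-m conntrack --ctstate RELATED,ESTABLISHED' ;;
        state)     est='-m state --state RELATED,ESTABLISHED' ;;
        *) echo "gen_rules: MATCH must be conntrack or state" >&2; return 1 ;;
    esac

    # Refuse anything that is not a valid port number before emitting rules,
    # so a typo cannot produce a file that iptables-restore rejects half-way
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_rules: port out of range '$p'" >&2; return 1
        fi
    done

    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT $est -j ACCEPT" \
        "-A INPUT -i $iface -p icmp -j ACCEPT"
    for p in $ports; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# The services the original poster asked for: SSH, FTP control, SMTP, HTTP
# and HTTPS on eth0 (a constructed port list). Passive FTP data connections
# additionally need the kernel's FTP conntrack helper loaded, otherwise the
# RELATED rule will not match them and they are dropped.
gen_rules eth0 conntrack "22 21 25 80 443"
```

Redirect the output into /etc/network/firewall-rules and load it with iptables-restore as described above.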