LinuxQuestions.org

Linux - Security: plz give me some firewall(iptables or ipchain) for my dns,web & mail server (http://www.linuxquestions.org/questions/linux-security-4/plz-give-me-some-firewall-iptables-or-ipchain-for-my-dns-web-and-mail-server-736951/)

fadu 07-01-2009 09:12 AM

plz give me some firewall(iptables or ipchain) for my dns,web & mail server
 
I have installed DNS, web (Apache) and mail (Sendmail) on the same IBM server under Red Hat Enterprise 3 ES, but my firewall is very weak. Can anyone send me some firewall (iptables or ipchains) rules for my DNS, web & mail server? Fahad

nowonmai 07-01-2009 09:37 AM

Hi Fahad... you'll need to provide a little more information.
What network interfaces are there?
Is the box directly internet facing or is there a f/w?
Do you need any shell access configured?
Do you use SSL on your webserver?
Is your DNS internal only?

fadu 07-01-2009 11:21 PM

Quote:

Originally Posted by nowonmai (Post 3593028)
Hi Fahad... you'll need to provide a little more information.
What network interfaces are there?
Is the box directly internet facing or is there a f/w?
Do you need any shell access configured?
Do you use SSL on your webserver?
Is your DNS internal only?

The information is:
1. There is only one interface, with the ISP.
2. There is the Linux built-in f/w.
3. Yes, there is shell/SSH access configured.
4. No, there is no SSL on the web server.
5. There are 2 DNS servers (primary & secondary) from the ISP, and I have also configured NS for web & mail on the same IBM server.

nowonmai 07-02-2009 04:16 AM

ok, so you require the following...

SSH access (we will assume open access internally and restrict access to one IP externally)
HTTPD access (no SSL)
Local DNS with forwarding to the specified DNS servers
No Routing
Internal i/face is eth0, external is eth1
POP access only internally

You will need the following rules...

Code:

#flush
iptables -F

#set policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# loopback in both directions
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# internal net
iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -i eth0 -j ACCEPT

# external net
iptables -A INPUT -p tcp --dport 22 -s A.B.C.D -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# log and drop everything else from outside
iptables -A INPUT -i eth1 -j LOG
iptables -A INPUT -i eth1 -j DROP

That should get you started. You can look into more interesting features like connection tracking also.

A.B.C.D above is the IP of the host that is allowed to ssh to this server from outside. You can change this to CIDR notation if you don't have a fixed IP for this host.

fadu 07-02-2009 08:51 AM

How do I block it with the proxy, I mean Squid?
 
Thanks for that firewall.

I am running my internet gateway with Red Hat 9 and also running a transparent proxy with Squid, but I can't block MSN and Yahoo Messenger. How do I block them with the proxy, I mean Squid?

nowonmai 07-02-2009 09:12 AM

I doubt they're going through port 80 anyhow, so you'd be better off just blocking whatever domain they authenticate through in iptables.
Just drop everything with either a source or destination of the particular domain. If you use Wireshark on your proxy, you can watch the authentication handshake in progress and take note of the domains.

cam34 07-03-2009 11:44 PM

If I run with nowonmai's script and modify it the way I read it...
-I made the following changes because it sounds like you are running external-facing DNS
-You don't want to spam the logs and create a DoS
-You can't have -o lo on the INPUT chain (probably a typo)
-Blocked MSN and AOL (only if we are the gateway, but we aren't because we haven't written any NAT rules, so the last 2 lines are probably useless anyway)
-Set the variable $IPT

Anyway, there are a million different ways to do things; these are just two of them.

Code:

IPT=/usr/sbin/iptables
#flush
$IPT -F

#set policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT

# internal net
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,53,80,110,3128 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# external net
$IPT -A INPUT -i eth1 -p tcp --dport 22 -s A.B.C.D -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp -m multiport --dports 25,53,80 -j ACCEPT
$IPT -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# rate-limited log, then drop everything else from outside
$IPT -A INPUT -i eth1 -m limit --limit 20/minute -j LOG
$IPT -A INPUT -i eth1 -j DROP

# OUTPUT chain matches on the outgoing interface (-o), not -i
$IPT -A OUTPUT -o eth1 -p tcp --dport 1863 -j REJECT  #Block MSN Port
$IPT -A OUTPUT -o eth1 -p tcp --dport 5190 -j REJECT  #Block AOL Port
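Added example, not code from nowonmai, cam34 or fadu: the same rule set for this box (eth0 internal, eth1 external, one external admin host standing in for A.B.C.D) written as an iptables-restore file built by a shell function, so it loads atomically, plus an apply step with an automatic rollback so a bad rule cannot lock you out of the SSH session you are working from. It goes slightly beyond both posted scripts: connection tracking is done once for every interface, DNS is allowed over TCP as well as UDP, INVALID packets are dropped and the log rule is rate limited; the admin address 203.0.113.5, the file paths and the 60-second timer are assumptions.

```shell
#!/bin/sh
# Added example (not from any poster in this thread). Builds the firewall for
# a DNS/web/mail box in iptables-restore format and applies it with rollback.
# Assumed: eth0 internal, eth1 external, admin host 203.0.113.5 (the thread's
# A.B.C.D); the rollback file path and 60-second timer are also assumptions.

build_rules() {
    int_if=$1; ext_if=$2; admin_ip=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# connection tracking once, for every interface, before the per-port rules
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# DNS needs TCP as well as UDP (answers over 512 bytes, zone transfers)
-A INPUT -i $int_if -p tcp -m multiport --dports 22,25,53,80,110 -j ACCEPT
-A INPUT -i $int_if -p udp --dport 53 -j ACCEPT
-A INPUT -i $ext_if -p tcp --dport 22 -s $admin_ip -j ACCEPT
-A INPUT -i $ext_if -p tcp -m multiport --dports 25,53,80 -j ACCEPT
-A INPUT -i $ext_if -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# rate-limited LOG so a flood cannot fill the disk, then drop the rest
-A INPUT -i $ext_if -m limit --limit 20/minute -j LOG --log-prefix "FW-DROP: "
-A INPUT -i $ext_if -j DROP
COMMIT
EOF
}

# Load the new rules, and put the old ones back after 60 seconds unless the
# timer is killed: if the new rules cut off your SSH session, access returns.
apply_rules() {
    rules_file=$1
    iptables-save > /root/iptables.rollback || return 1
    iptables-restore < "$rules_file" || return 1
    ( sleep 60 && iptables-restore < /root/iptables.rollback ) &
    echo "rollback timer pid $!: kill it once you have confirmed SSH still works"
}

# Usage (as root):
#   build_rules eth0 eth1 203.0.113.5 > /etc/sysconfig/iptables.new
#   apply_rules /etc/sysconfig/iptables.new
```

On RHEL 3 the generated file can be saved as /etc/sysconfig/iptables so the iptables init script reloads it at boot.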
