LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-01-2009, 09:12 AM   #1
fadu
LQ Newbie
 
Registered: Oct 2008
Location: Dhaka,Bangladesh
Posts: 7

Rep: Reputation: 0
Please give me a firewall (iptables or ipchains) for my DNS, web & mail server


I have installed DNS, web (Apache) and mail (Sendmail) on the same IBM server running Red Hat Enterprise 3 ES, but my firewall is very weak. Can anyone send me a firewall (iptables or ipchains) for my DNS, web & mail server? Fahad

Last edited by fadu; 07-01-2009 at 09:36 AM.
 
Old 07-01-2009, 09:37 AM   #2
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
Hi Fahad... you'll need to provide a little more information.
What network interfaces are there?
Is the box directly internet facing or is there a f/w?
Do you need any shell access configured?
Do you use SSL on your webserver?
Is your DNS internal only?
 
Old 07-01-2009, 11:21 PM   #3
fadu
LQ Newbie
 
Registered: Oct 2008
Location: Dhaka,Bangladesh
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nowonmai View Post
Hi Fahad... you'll need to provide a little more information.
What network interfaces are there?
Is the box directly internet facing or is there a f/w?
Do you need any shell access configured?
Do you use SSL on your webserver?
Is your DNS internal only?
The information is:
1. There is only one interface, with the ISP.
2. There is the Linux built-in f/w.
3. Yes, there is shell/SSH access configured.
4. No, there is no SSL on the web server.
5. There are 2 DNS (primary & secondary) from the ISP, and I have also configured NS for web & mail on the same IBM server.
 
Old 07-02-2009, 04:16 AM   #4
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
OK, so you require the following...

SSH access (we will assume open access internally and restrict access to one IP externally)
HTTPD access (no SSL)
Local DNS with forwarding to the specified DNS servers
No Routing
Internal i/face is eth0, external is eth1
POP access only internally

You will need the following rules...

Code:
# path to the iptables binary
IPTABLES=/sbin/iptables

#flush
$IPTABLES -F

#set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# loopback traffic in both directions
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT

# internal net (eth0): ssh, http, dns, smtp, pop3
$IPTABLES -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -i eth0 -j ACCEPT

# external net (eth1): ssh from one host only, http, smtp, plus replies to our own connections
$IPTABLES -A INPUT -p tcp --dport 22 -s A.B.C.D -i eth1 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# log and drop everything else arriving from outside
$IPTABLES -A INPUT -i eth1 -j LOG
$IPTABLES -A INPUT -i eth1 -j DROP
That should get you started. You can look into more interesting features like connection tracking also.

A.B.C.D above is the IP of the host that is allowed to ssh to this server from outside. You can change this to CIDR notation if you don't have a fixed IP for this host.

Last edited by nowonmai; 07-02-2009 at 04:19 AM.
 
Old 07-02-2009, 08:51 AM   #5
fadu
LQ Newbie
 
Registered: Oct 2008
Location: Dhaka,Bangladesh
Posts: 7

Original Poster
Rep: Reputation: 0
How do I block it with a proxy, I mean squid....?????

Thanks for that firewall.

I am running my internet gateway with Red Hat 9 and also running a transparent proxy with squid, but I can't block MSN and Yahoo Messenger... how do I block them with the proxy, I mean squid....?????
 
Old 07-02-2009, 09:12 AM   #6
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
I doubt they're going through port 80 anyhow, so you'd be better off just blocking whatever domain they authenticate through in iptables.
Just drop everything with either a source or destination of the particular domain. If you use Wireshark on your proxy, you can watch the authentication handshake in progress and take note of the domains.
 
Old 07-03-2009, 11:44 PM   #7
cam34
Member
 
Registered: Aug 2003
Distribution: OpenSuse 11.1, SLES10, Fedora 11 & XP 4 Gaming *sniffs
Posts: 101

Rep: Reputation: 16
If I run with nowonmai's script and modify it the way I read it...
-I made the following changes because it sounds like you are running external-facing DNS
-You don't want to spam the logs and create a DoS
-You can't have -o lo on the INPUT chain (probably a typo)
-Blocked MSN and AOL (only if we are the gateway / but we aren't, because we haven't written any NAT'ing rules, so the last 2 lines are probably useless anyway)
-Set the variable $IPT

Anyway, there are a million different ways to do things; this is just two of them.

Code:
IPT=/usr/sbin/iptables
#flush
$IPT -F

#set policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT

# internal net
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,53,80,110,3128 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# external net
$IPT -A INPUT -i eth1 -p tcp --dport 22 -s A.B.C.D -j ACCEPT   # ssh from one outside host only
$IPT -A INPUT -i eth1 -p tcp -m multiport --dports 25,53,80 -j ACCEPT
$IPT -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i eth1 -m limit --limit 20/minute -j LOG
$IPT -A INPUT -i eth1 -j DROP

$IPT -A OUTPUT -o eth1 -p tcp --dport 1863 -j REJECT   #Block MSN Port (OUTPUT matches on -o, not -i)
$IPT -A OUTPUT -o eth1 -p tcp --dport 5190 -j REJECT   #Block AOL Port

Last edited by cam34; 07-03-2009 at 11:50 PM.
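The two rule sets in posts #4 and #7 differ mainly in the mistakes cam34 calls out: an interface flag on the wrong chain, a repeated -i, and a LOG rule with no rate limit. The following is an added example, not code from either poster or from LinuxQuestions: a small static checker that tokenises `$IPT -A ...` lines and flags exactly those defects, run here over a constructed sample that reproduces them.

```python
"""Static lint for iptables shell scripts such as the two posted above.
Added example, not from the thread: it tokenises each `$IPT -A ...` line
with shlex and reports the defects cam34 lists (interface flag on the wrong
chain, duplicate -i/-o, LOG rules without -m limit that let unsolicited
traffic flood the logs)."""
import shlex

# Constructed sample resembling the posted rules, with the bugs left in.
SAMPLE = """
IPT=/usr/sbin/iptables
$IPT -P INPUT DROP
$IPT -A INPUT -o lo -p all -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --dport 22 -s A.B.C.D -i eth1 -j ACCEPT
$IPT -A INPUT -i eth1 -j LOG
$IPT -A INPUT -i eth1 -m limit --limit 20/minute -j LOG
$IPT -A OUTPUT -i eth1 -p tcp --dport 1863 -j REJECT
"""

def parse_rules(script):
    """Yield (lineno, chain, args) for every -A/-I rule; skip policies/comments."""
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        argv = shlex.split(line)
        if len(argv) > 2 and argv[1] in ("-A", "-I"):
            yield n, argv[2], argv[3:]

def target(args):
    """Return the -j target of a rule, or None if it has none."""
    i = args.index("-j") + 1 if "-j" in args else len(args)
    return args[i] if i < len(args) else None

def lint(script):
    """Return [(lineno, message)] for the mistakes the thread discusses."""
    findings = []
    for n, chain, args in parse_rules(script):
        if chain == "OUTPUT" and "-i" in args:
            findings.append((n, "-i is not valid on OUTPUT; use -o"))
        if chain == "INPUT" and "-o" in args:
            findings.append((n, "-o is not valid on INPUT; use -i"))
        if args.count("-i") > 1 or args.count("-o") > 1:
            findings.append((n, "multiple -i/-o flags not allowed"))
        if target(args) == "LOG" and "limit" not in args:
            findings.append((n, "unlimited LOG rule; add -m limit to avoid log flooding"))
    return findings

if __name__ == "__main__":
    for n, msg in lint(SAMPLE):
        print(f"line {n}: {msg}")
```

Running it against a real rules file before loading it catches the "Can't use -i with OUTPUT" and "multiple -i flags" errors iptables would otherwise raise at load time, and the log-flooding rule iptables would accept silently.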