Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Here is my script. I can access my server from my LAN but not from the outside world. Also I notice that I can ping my own IP but not my gateway, therefore I don't have any connection to the outside world either. Any help is more than welcome.
#!/bin/bash
# script author: cirano
# date: 04/14/08
SERVER_IP="10.10.11.161"
IPT="/sbin/iptables"
# flush iptables
# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
# $IPT -F -t mangle
# $IPT -F -t nat
$IPT -X
# These will set up our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# INPUT
# Always accept connections for lo which is your local loopback 127.0.0.1
$IPT -A INPUT -i lo -j ACCEPT
# connection states
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ftp (passive-mode data connections only match RELATED above when the
# FTP connection-tracking helper module is loaded)
$IPT -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
# SSH
# rate-limit incoming SSH connections to 8 per minute per source address:
# brute force attempts beyond that are dropped, limiting the number of
# possible account combinations from unlimited to 8.
# Order matters: the --update/DROP check has to come before the --set/ACCEPT
# rule, otherwise every new connection is accepted before it is ever counted
# and the DROP and LOG rules below it are never reached.
$IPT -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "New SSH Request "
$IPT -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
$IPT -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# http
$IPT -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Rule to enable ICMP ping incoming client request.
$IPT -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# My webmin custom port
$IPT -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# end webmin
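Added example, not part of the thread: a small Python model of the `-m recent` behaviour behind the SSH rules, run over constructed connection attempts. It shows that with the `--set`/ACCEPT rule ahead of the `--update`/DROP rule the limiter never drops anything, and that with the order swapped the ninth attempt inside 60 seconds is dropped while an attempt after the window is accepted again. The model assumes the counting of the current xt_recent module (the update rule matches once the source already has `--hitcount` timestamps inside `--seconds`); the exact threshold on a given kernel may differ by one.

```python
from collections import defaultdict
WINDOW = 60  # --seconds 60
HITS = 8     # --hitcount 8

class RecentList:
    """Simplified model of one xt_recent list: hit timestamps per source."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """-m recent --set: record a hit for src; always matches."""
        self.stamps[src].append(now)
        return True

    def update(self, src, now):
        """-m recent --update --seconds WINDOW --hitcount HITS: matches when src
        already has HITS hits in the window; a match records one more hit."""
        recent = [t for t in self.stamps[src] if now - t <= WINDOW]
        if len(recent) >= HITS:
            self.stamps[src] = recent + [now]
            return True
        return False

def original_order(attempts):
    """Rule order as posted: --set/ACCEPT first, then --update/DROP."""
    ssh, verdicts = RecentList(), []
    for src, t in attempts:
        if ssh.set(src, t):        # matches every NEW SSH packet
            verdicts.append("ACCEPT")
        elif ssh.update(src, t):   # unreachable: nothing is ever dropped
            verdicts.append("DROP")
    return verdicts

def fixed_order(attempts):
    """Corrected order: --update/DROP checked before --set/ACCEPT."""
    ssh, verdicts = RecentList(), []
    for src, t in attempts:
        if ssh.update(src, t):
            verdicts.append("DROP")
        else:
            ssh.set(src, t)
            verdicts.append("ACCEPT")
    return verdicts

# Constructed traffic: one client opens ten SSH connections in 30 s and one
# more at 120 s, after the 60 s window has expired (attempts are (src, time)).
BURST = [("198.51.100.7", 3 * i) for i in range(10)] + [("198.51.100.7", 120)]
print("posted order:", original_order(BURST))   # 11 x ACCEPT
print("fixed order: ", fixed_order(BURST))      # 8 x ACCEPT, 2 x DROP, ACCEPT
```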
I found out that SELinux was blocking me; according to this link http://www.howtoforge.com/perfect-server-fedora-10-p3 I disabled it and the problem was solved.
Now I'm trying to modify my script to block DoS attacks, any good idea?
Thanks
Cirano
Check out www.netfilter.org, a great resource of iptables scripts and information. Many of the scripts have a lot of logging and limiting of data packets to stop DoS attacks and other types of nasty stuff.
If you would like more security, look into TCP Wrappers, which is installed on all Linux distros. If you're running a web server, you definitely need to run mod_security; it's an IDS for Apache web servers and blocks in real time.
Also look at running scripts or programs that scan your log files for any security alerts; most of these will also email you when a threat is detected.