Quote:
Originally Posted by Ghillie-Up
So I have a set of firewall rules ready for a plesk instance on a CentOS6 box.
If you can, please avoid using web-based management panels. If you do use one, then please realize that being able to click yes/no buttons does not an admin make. Know the weaknesses of your system and its software, and how to avoid or mitigate those.
Quote:
Originally Posted by Ghillie-Up
Can someone explain to me where the various syntax should be placed within an iptables config? For example, like Cisco, are rules read top to bottom with a deny-all usually at the end?
It may require a bit of reading, but there is no iptables tutorial more comprehensive than https://www.frozentux.net/documents/iptables-tutorial/, period. Indeed, iptables rules, when loaded, are parsed first-to-last. (For example, 'iptables -t filter -nL --line-numbers' will show the order.)
Quote:
Originally Posted by Ghillie-Up
Here is my current list
A couple of things, in random order:
- If this is a regular web server then you should not forward traffic, so a "-P FORWARD DROP" policy should be enough.
- You already use "--state ESTABLISHED", so also use "-m state --state NEW" to denote new connections.
- Avoid exposing certain ports like MySQL until you need to. When you do, try to limit them to IP addresses or subnets.
- Don't expose Plesk to the world; limit it to your management IP (range), period. (Even better would be to use SSH with pubkey auth and tunnel for access.)
- Avoid exposing non-SSL ports like FTP, POP3, IMAP, etc.
- I usually have loopback as the first device (and it's always allowed) to get it out of the way. That way you know all other rules apply to all other Ethernet devices unless specified differently.
- While having "--state INVALID" in the OUTPUT chain is laudable, I'd rather you filter out bogon networks and ports you don't want to see traffic to, like IRC, BitTorrent, etc.
- Setting "-m connlimit" on TCP/80 is nice, but you forgot TCP/443 and any other services users can access. Note that the lower in the stack you can limit potential abuse, the less chance it has of "hurting" application layer services.
- Note you can specify multiple ports in one line using "-m multiport --dports 20,21,22", etc. (Yes, you can also combine multiple modules, like "-m connlimit something -m multiport something".)
If you've read the frozentux tutorial and dig what I've said, re-post your modified rule set.
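As an added example (not the poster's rule set, and not from anyone in the thread), here is a small shell script that turns the points above into a loadable rule set for a single web/mail host: FORWARD dropped by policy, loopback first, "-m state --state NEW" on every accept rule, connlimit covering 443 and the mail ports as well as 80, multiport to keep it short, the panel and SSH restricted to a management range, MySQL and the plaintext mail/FTP ports left closed, and outbound drops for bogon space and IRC/BitTorrent ports. The management subnet 203.0.113.0/24 and the panel port 8443 are assumed placeholders; setting IPT=echo prints the commands instead of loading them, which is how you review the order before touching a live box.

```shell
#!/bin/sh
# Added example, not the poster's rule set: a minimal iptables rule set for a
# single web/mail host following the points made in the reply above.
# Placeholders (assumed, not from the thread): management subnet 203.0.113.0/24
# (override with MGMT_NET) and the Plesk panel on TCP/8443 (override with PLESK_PORT).
# IPT is the command used to load rules; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"
PLESK_PORT="${PLESK_PORT:-8443}"

apply_rules() {
    # Flush existing rules and user-defined chains in the filter table
    "$IPT" -F
    "$IPT" -X
    # Policies: drop what is not explicitly allowed; a web server has no business forwarding
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # Loopback first and always allowed, so every rule below applies only to real interfaces
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Packets that belong to connections already in the state table
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Out-of-state or malformed packets are dropped before any service rule sees them
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # Per-source connection limit on every user-facing TCP service (443 included, not just 80)
    "$IPT" -A INPUT -p tcp -m multiport --dports 80,443,465,993,995 -m state --state NEW \
        -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
    # Public services: HTTP, HTTPS and SSL-only mail (SMTPS, IMAPS, POP3S) in one multiport rule
    "$IPT" -A INPUT -p tcp -m multiport --dports 80,443,465,993,995 -m state --state NEW -j ACCEPT
    # Management only: SSH and the panel, accepted solely from the management subnet
    "$IPT" -A INPUT -p tcp -m multiport --dports "22,$PLESK_PORT" -s "$MGMT_NET" -m state --state NEW -j ACCEPT
    # Deliberately absent: MySQL (3306) and plaintext FTP/POP3/IMAP (21/110/143)
    # Outbound hygiene: no traffic to bogon space (adjust if this host sits on a private network)
    for net in 0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 240.0.0.0/4; do
        "$IPT" -A OUTPUT -d "$net" -j DROP
    done
    # ... and no new connections to ports this host should never talk to (IRC, BitTorrent)
    "$IPT" -A OUTPUT -p tcp -m multiport --dports 6667,6697,6881:6889 -m state --state NEW -j DROP
}

# Print the commands instead of loading them; the order printed is the order iptables parses
dry_run() {
    ( IPT=echo; apply_rules )
}

# Usage: sh rules.sh            prints the commands (dry run, safe anywhere)
#        sudo sh rules.sh apply  loads them with iptables
case "${1:-}" in
    apply) apply_rules ;;
    *) dry_run ;;
esac
```

Run it without arguments first and read the output top to bottom: the loopback accept is the first INPUT rule, the management-only rule is the only one that opens 22 and the panel port, and nothing mentions 3306. Once the order looks right, load it with "apply" and confirm with 'iptables -t filter -nL --line-numbers', then add the management range and any further subnets to taste.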