
robeb 05-27-2002 06:15 PM

Firewall Rules for daemons (Iptables)
When running daemons on ports like SMTP, HTTP, POP-3, etc., what are some of the more secure firewall rules...

For example,

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

opens up port 22 for ssh. Is that all I need or should I be more restrictive?

Another example,

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -i extif -m state --state NEW,ESTABLISHED,RELATED -p tcp -d extip --dport 80 -j ACCEPT

This would make port 80 more secure by specifying that only packets arriving on the external NIC (extif), addressed to the external IP (extip), belonging to new, established or related connections, and destined for port 80 are allowed.

Do you want to be this restrictive with all your ports?

- Thank you

Noerr 05-27-2002 06:40 PM

robeb 05-27-2002 07:54 PM

that appears to be a broken link... oops, no, I just misread it

thanks Noerr

Noerr 05-28-2002 04:27 AM

sorry; typo ;)

unSpawn 05-28-2002 01:20 PM

Re: Firewall Rules for daemons (Iptables)
Do you want to be this restrictive with all your ports?

IMO this depends on what the box's purpose is.
For instance, if it's a "free for all" ssh shell server you wouldn't be able to go beyond blocking traffic anomalies (unroutables, bogoid flags) on --dport 22. OTOH, if you need to guarantee people access to it, then meditating on the "deny anything not explicitly allowed" mantra I'd set it up for the ranges people administer/access it from (if manageable, of course).
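
A complete default-deny ruleset in the spirit of unSpawn's "deny anything not explicitly allowed" advice, combining robeb's interface- and address-bound HTTP rule with SSH restricted to an admin range (added example, not posted by anyone in the thread; the interface, addresses and admin range are constructed placeholders, and by default the script only prints the rules, set IPT=iptables and run as root to load them):

```shell
#!/bin/sh
# Added example: a "deny anything not explicitly allowed" ruleset for a
# box running sshd and httpd on a single external interface.
# Assumed values (constructed for this example, not from the thread):
EXTIF="${EXTIF:-eth0}"                     # external NIC (robeb's "extif")
EXTIP="${EXTIP:-203.0.113.10}"             # external address (robeb's "extip")
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # range admins ssh in from
# Dry run by default: "echo iptables" prints each rule instead of loading it.
IPT="${IPT:-echo iptables}"

gen_rules() {
    # Start clean and make DROP the default for anything not matched below.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections already tracked by the kernel.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anomalies first: packets the state tracker cannot classify, new
    # connections that do not start with SYN, and bogus TCP flag combos.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

    # Public service: HTTP, only new connections arriving on the external
    # NIC for the external address (ESTABLISHED,RELATED is already handled).
    $IPT -A INPUT -i "$EXTIF" -d "$EXTIP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Administrative service: SSH, only from the ranges admins use.
    $IPT -A INPUT -i "$EXTIF" -d "$EXTIP" -s "$ADMIN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # Everything else falls through to the INPUT DROP policy.
}

# Check helper (no root needed): number of ACCEPT rules that are bound to
# the external interface, i.e. the service rules. Expected: 2.
count_iface_accepts() {
    ( IPT="echo iptables"; gen_rules ) | grep -c -- "-i $EXTIF .* -j ACCEPT"
}

gen_rules
```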

Noerr 05-31-2002 05:27 PM

it's much more to firewall than just
-P INPUT DROP
--dport xx -j ACCEPT
but it's good to be restrictive, if you want to play safe
