Firewall Rules for daemons (Iptables)
When running daemons on ports like SMTP, HTTP, POP-3, etc., what are some of the more secure firewall rules...
For example, iptables -A INPUT -p tcp --dport 22 opens up port 22 for ssh. Is that all I need or should I be more restrictive? Another example, iptables -A INPUT -p tcp --dport 80 vs. iptables -A INPUT -i extif -m state --state \ NEW,ESTABLISHED,RELATED -p tcp -s -d extip --dport 80 -j ACCEPT This would make port 80 more secure by specifying that only packets going to the external NIC (extif), on the external IP (extip), which are new, established or related connections, and destined to port 80 are allowed. Do you want to be this restrictive with all your ports? - Thank you
that appears to be a broken link...oops, no I just misread it
www.linuxguruz.org/iptables thanks Noerr
sorry; typo ;)
Re: Firewall Rules for daemons (Iptables)
Do you want to be this restrictive with all your ports?
IMO this depends on what the box's purpose is. For instance, if it's a "free for all" ssh shell server you wouldn't be able to go beyond blocking traffic anomalies (unroutables, bogoid flags) on --dport 22. OTOH, if you need to guarantee ppl access to it, then meditating on the "deny anything not explicitly allowed" mantra I'd set it up for the ranges ppl administer/access it from (if manageable of course).
There's much more to a firewall than just
-p tcp --dport xx -j ACCEPT but it's good to be restrictive, if you want to play safe
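The "deny anything not explicitly allowed" setup the reply describes, written out as an added example (this is not code from the thread or from any poster). It builds the INPUT chain with a DROP policy, one global rule for ESTABLISHED,RELATED return traffic, and per-service rules that accept only NEW TCP connections arriving on the external interface for the external address, with ssh further limited to the ranges administrators come from. `EXTIF`, `EXTIP` and `ADMIN_NETS` are assumed placeholders (constructed documentation addresses), `-m conntrack --ctstate` is the newer equivalent of the thread's `-m state --state`, and the script prints the commands by default so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a "deny anything not
# explicitly allowed" INPUT chain: stateful rules bound to the external
# interface/address, with ssh restricted to administrator source ranges.
# EXTIF, EXTIP and ADMIN_NETS are assumed placeholders, not real hosts.
EXTIF="${EXTIF:-eth0}"
EXTIP="${EXTIP:-203.0.113.10}"                              # constructed (TEST-NET-3)
ADMIN_NETS="${ADMIN_NETS:-198.51.100.0/24 192.0.2.0/24}"    # constructed ranges
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = apply them (needs root)

# Emit one rule that accepts only NEW TCP connections to port $1 arriving on
# the external interface for the external address; $2 (optional) restricts
# the source CIDR. Replies are matched by the single ESTABLISHED,RELATED rule
# in base_rules, so NEW is the only state each service rule has to accept.
svc_rule() {
    port="$1"; src="$2"
    if [ -n "$src" ]; then
        printf '%s -A INPUT -i %s -d %s -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$IPT" "$EXTIF" "$EXTIP" "$src" "$port"
    else
        printf '%s -A INPUT -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$IPT" "$EXTIF" "$EXTIP" "$port"
    fi
}

# Default-deny skeleton every service rule sits on top of.
base_rules() {
    printf '%s -F INPUT\n' "$IPT"
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPT"
    # Drop packets conntrack cannot classify (malformed flag combinations etc.).
    printf '%s -A INPUT -m conntrack --ctstate INVALID -j DROP\n' "$IPT"
    # One rule for all return traffic of connections already accepted.
    printf '%s -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
}

# Full INPUT chain: ssh only from admin ranges; SMTP/HTTP/POP3 from anywhere.
# The DROP policy is set last so an existing remote session is already
# covered by the ESTABLISHED rule when the default flips to deny.
ruleset() {
    base_rules
    for net in $ADMIN_NETS; do   # unquoted on purpose: split on whitespace
        svc_rule 22 "$net"
    done
    for port in 25 80 110; do
        svc_rule "$port"
    done
    printf '%s -P INPUT DROP\n' "$IPT"
}

if [ "$DRY_RUN" = "1" ]; then
    ruleset                 # review the generated commands first
else
    ruleset | sh -e         # apply; stops on the first failing command
fi
```

Run it as-is to see the generated commands; `DRY_RUN=0 EXTIF=... EXTIP=... ADMIN_NETS="..." sh script.sh` applies them. Keeping ESTABLISHED,RELATED in one global rule rather than repeating it per port means each service rule only ever admits the first packet of a connection, which is what the per-port restriction is meant to control.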