LinuxQuestions.org
Linux - Security This forum is for all security related questions.
01-01-2004, 06:44 PM   #1
ridertech (Member, Debian 'Sarge')
iptables for dedicated www server (one nic)


I'm building up from a clean install and was wondering if the rules listed below are secure for a dedicated web server (only one nic). First time and just wanted to confirm...

# DROP everything by policy
iptables -p INPUT DROP
iptables -p OUTPUT DROP
iptables -p FORWARD DROP

# ACCEPT all internal traffic on loopback
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -i lo

# ACCEPT HTTP
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -dport 80 -j ACCEPT

# ACCEPT HTTPS
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -dport 443 -j ACCEPT

# ACCEPT SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --sport 22 -j ACCEPT

I also see a future need for FTP, but I've read that it is not a good idea. Any input on that subject as well would be appreciated.
 
01-02-2004, 03:50 AM   #2
Technoslave (Member)
Personally:

iptables -P INPUT DROP

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT

But if you like your way better...

Also, just a note: on the drops that you have up front, those need to be a capital P, not lower case.
 
01-02-2004, 04:45 AM   #3
apeekaboo (Member, Kubuntu, Debian, Slax)
ridertech:
Do you need outbound ssh/http/https?
Otherwise you could skip that as well.

As a replacement for ftp I suggest you use sftp, which is included in the ssh suite.
Although this will not work if you're planning on setting up an anonymous ftp server (which is usually a bad idea on any server running anything but the ftp daemon).

I've seen a php script called Jabba's PHP Traverser, which gives read access via a web interface, to directories of your choice.
I have no idea if this is a secure solution, but it might be a good idea to check it out if only read access is required...
 
01-02-2004, 07:21 AM   #4
stickman (Senior Member)
In addition, you may want to filter your incoming SSH connections to just the sites that you will be connecting from. Right now anyone with a client can make an attempt to login.

Last edited by stickman; 01-02-2004 at 07:24 AM.
 
01-02-2004, 10:27 PM   #5
ridertech (Original Poster)
Thanks, I started over with a completely open firewall, then added the following...

iptables -P INPUT DROP

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 888.888.888.888 -j ACCEPT

iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

What do I need to add to be able to use apt-get? It currently just hangs when trying to connect.
 
01-02-2004, 10:45 PM   #6
ridertech (Original Poster)
Also, I've been seeing examples of scripts that set up the firewall upon boot, rather than entering these rules line by line. Assuming that the syntax is the same, where do I put the file and how does the script get run? What happens if the script is not found for some reason, will the firewall be completely open?
 
01-03-2004, 12:46 AM   #7
Technoslave (Member)
Here's a link to an old iptables setup I had.

I never liked the initial config file for iptables, it was always hard to read, so I created this. I have it residing in my /etc/init.d, it's called iptables, that way I didn't have to create any link to actually start it up. Otherwise you'll have to make a link like for any normal startup script.

Anyway, if you have any questions about it, let me know.

Last edited by Technoslave; 01-03-2004 at 12:55 AM.
 
01-03-2004, 02:12 AM   #8
jerky (Member, RH 7.3, RH9, RHEL, FC)
You can just make a script and have all your lines of iptables in it, and then just add a reference to your script in your rc.local. Personally I like doing it this way, because it gets run last. And you know exactly what's been loaded and when.
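Pulling the thread's advice together, here is an added example (not any poster's script): the ESTABLISHED,RELATED rule that ridertech's apt-get question in #5 needs, and a fail-closed init script of the kind asked about in #6 and answered in #7 and #8. The admin address 203.0.113.10 and the /etc/init.d/firewall path are assumptions.

```shell
#!/bin/sh
# Fail-closed iptables init script for a one-NIC web server (added example,
# not a script from the thread). Assumptions: admin host 203.0.113.10 is a
# placeholder, the file lives at /etc/init.d/firewall, iptables is in PATH.
# Until this runs the kernel's chain policies are ACCEPT, so a missing or
# failing script means an open box; hook it into rc.local or a runlevel link.

IPT="${IPT:-iptables}"                 # set IPT to a shell function to dry-run
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # only host allowed to reach sshd

# Flush everything and close all chains before adding rules, so a
# half-applied rule set never leaves a hole.
fw_close() {
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
}

fw_rules() {
    # lo is an interface: -i on INPUT, -o on OUTPUT (-o is invalid in INPUT)
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host opened (apt-get, DNS) come back as
    # ESTABLISHED; with a bare INPUT DROP policy they are eaten and apt hangs.
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services offered: the server's port is the destination, so --dport
    "$IPT" -A INPUT -p tcp --dport 80  -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 443 -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 22 -s "$ADMIN_IP" -j ACCEPT
    # Outbound the server itself may start: DNS and HTTP/HTTPS to apt mirrors
    "$IPT" -A OUTPUT -p udp --dport 53  -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --dport 53  -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --dport 80  -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --dport 443 -j ACCEPT
    # Log (rate-limited) what the INPUT policy is about to drop
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

case "$1" in
    start|restart) fw_close && fw_rules ;;
    stop)          fw_close ;;   # "stop" leaves the box closed, not open
    *)             ;;            # no argument: just define the functions
esac
```

Invoke it as `sh /etc/init.d/firewall start` from rc.local or a runlevel link; with no argument it only defines the functions, which lets you dry-run it by pointing IPT at a shell function that prints its arguments.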
 