Iptables Issue

Ubuntu Client · 06-08-2011, 03:03 AM

Hi,

My VPS host a mail, blog and web site. So i want to block port i not use.

The port that i use is 80,21,2022,443. The other port will be drop. I want to block bad packet and all packet that not related.

Can anyone how to write in iptables?

Thanks.

Ubuntu Client · 06-08-2011, 03:07 AM

Which NIC i need to put in iptables?

Code:

root@mail:/var/log# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: ::1/128 Scope:Host
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:746732 errors:0 dropped:0 overruns:0 frame:0
          TX packets:706651 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:719442843 (719.4 MB)  TX bytes:792234432 (792.2 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:184.22.xxx.xxx  P-t-P:184.22.xxx.xxx  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:184.22.xxx.xxx  P-t-P:184.22.xxx.xxx  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Lexus45 · 06-09-2011, 01:57 AM

Block everything by default, at least incoming (iptables -P INPUT DROP).
Allow all traffic at lo interface: it's needed by some programes. But as you have 2 interfaces with 127.0.0.1 address, you may use this address (and not interface name) when creating your rules. Of course you may also use intarfaces' names in conjunction with their IP addresses and it'll be better.

I think, 'mirrorred' interfaces are the result of virtualization.

Allow only what you need, p.e.:

Code:

iptables -A INPUT -d <your_ip> --dport 80 -j ACCEPT

As you see, you may omit the '-i' or '-o' options, which means 'incoming intarface' (or outgoing, respectively). It's not obligatory.

But be careful: you're using VPS. I'm not sure that it's somewhere near you and you have access to its console in case of making a mistake in the firewall rules and losing access to your VPS ;-)

PS: so, the idea is to allow all traffic from 127.0.0.1 and vice versa, and to filter on other interfaces, which are not loopback.
PS2: I was a little bit shocked when read that you run mail and LAMP services, but don't use iptables.