is my iptables script enough already
I just want to consult an iptables guru on whether my script is enough and secure for production. The iptables rules will be used for a web server with 2 private machines (10.0.1.2 & 10.0.1.3); the web server will also be a gateway for those two machines to access the Internet.
Anyone who wants to add something, please let me know and please explain what it is for. If you find nothing vulnerable, can anyone advise as well. Please don't mind Apache, as it is not my responsibility anymore to secure it. I'm just wondering, if someone tries to hack it, would this suffice? Thanks. Code:
#!/bin/bash
- there's no bogon filtering,
- there's no limiting (--recent or --limit),
- you use "-j DROP" but as there is no "-j LOG" you will not be able to tell the rate of problems arising,
- using "--policy OUTPUT ACCEPT" is good but the OUTPUT chain is unfiltered, meaning all traffic is allowed including traffic to bogon addresses,
- what happens with any "-p udp" traffic?
- would you detect any attacks against Perl, PHP, Ruby or any other web stack component using these filter rules? (No.)
- since you run a web server, what is going to happen if it gets DOSsed?
- If you're using SSH from the outside it's best to protect that using methods described in the Failed SSH login attempts thread.
- If you've got /etc/sysctl.conf I'd separate sysctls from the shell script. Centrally stored it's easier to manage, more efficient.
- Please always keep the http://www.frozentux.net/documents/iptables-tutorial/ as reference.
- Do always test your ruleset from the outside using a good packet generator.
- Do use a log watching tool like Logwatch.
- Do deploy defensive measures when running a web server (mod_security etc).
- Do not run unchecked, vulnerable, outdated, unsupported scripts or web applications.
Code:
iptables -A INPUT -m tcp -p tcp -i eth0 --sport $UNPRIVPORTS -d $ext_ipaddr --dport 80 -m state --state NEW,ESTABLISHED -m limit --limit 20/sec --limit-burst=30 -j ACCEPT
Code:
iptables -A INPUT -p tcp -i eth0 -j LOG_DROP
Code:
echo "Define custom chain"
Code:
iptables -A INPUT -p udp -i eth0 -j LOG_DROP
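To show how the points raised in the reply above (bogon filtering, a rate limit on port 80, logging before dropping, an explicit UDP rule, a filtered OUTPUT chain) and the LOG_DROP / --limit rules quoted in this post fit together, here is a complete ruleset as an added example. It is not the original poster's script or anyone's posted code; the interface names, the external address 203.0.113.10, the 10.0.1.0/24 LAN range covering the two hosts from the first post, and the rate values are assumptions. With no argument it only prints the rules it would apply (dry run), so it can be reviewed without root; `apply` runs them through iptables.

```shell
#!/bin/sh
# Added example ruleset (not from the thread). All names/addresses are assumptions.
EXT_IF="eth0"
EXT_IP="203.0.113.10"        # constructed public address of the web server
LAN_IF="eth1"
LAN_NET="10.0.1.0/24"        # assumed LAN containing 10.0.1.2 and 10.0.1.3
UNPRIVPORTS="1024:65535"

# build_firewall CMD: emit every rule through CMD ("echo" for a dry run,
# "iptables" to apply). Taking the command as a parameter keeps the
# function free of side effects until someone explicitly asks for them.
build_firewall() {
    ipt="$1"

    # Default policies: nothing in or through unless allowed; out is
    # allowed by policy but still filtered below.
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Custom chain: log at a bounded rate, then drop. The limit stops a
    # flood from filling the log while still showing the rate of drops.
    "$ipt" -N LOG_DROP
    "$ipt" -A LOG_DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
    "$ipt" -A LOG_DROP -j DROP

    # Loopback and already-established flows.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Bogon/spoof filtering: private and loopback sources never legitimately
    # arrive on the external interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        "$ipt" -A INPUT -i "$EXT_IF" -s "$net" -j LOG_DROP
    done

    # Web server: new connections accepted up to 20/sec (burst 30);
    # anything above that is logged and dropped instead of silently lost.
    "$ipt" -A INPUT -p tcp -i "$EXT_IF" --sport "$UNPRIVPORTS" -d "$EXT_IP" --dport 80 -m state --state NEW -m limit --limit 20/sec --limit-burst 30 -j ACCEPT
    "$ipt" -A INPUT -p tcp -i "$EXT_IF" --dport 80 -m state --state NEW -j LOG_DROP

    # Explicit UDP rule: replies to our own DNS queries already matched
    # ESTABLISHED above, so unsolicited UDP is logged and dropped.
    "$ipt" -A INPUT -p udp -i "$EXT_IF" -j LOG_DROP

    # Everything else arriving on the external interface.
    "$ipt" -A INPUT -i "$EXT_IF" -j LOG_DROP

    # Gateway for the LAN hosts: forward their traffic out and NAT it.
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    "$ipt" -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -j LOG_DROP
    "$ipt" -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # OUTPUT stays ACCEPT by policy, but packets to bogon space must never
    # leave the external interface (a sign of misconfiguration or compromise).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        "$ipt" -A OUTPUT -o "$EXT_IF" -d "$net" -j LOG_DROP
    done
}

case "${1:-dry-run}" in
    dry-run) build_firewall echo ;;          # print rules only
    apply)   build_firewall iptables ;;      # needs root
    *)       echo "usage: $0 [dry-run|apply]" >&2; exit 2 ;;
esac
```

Review the dry-run output before applying, and, as the reply says, test from the outside afterwards: the LOG lines carry the `FW-DROP:` prefix, which a tool like Logwatch can summarise.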
Thanks