Please give me some firewall (iptables or ipchains) for my DNS, web & mail server
I have installed DNS, web (Apache) and mail (Sendmail) on the same IBM server running Red Hat Enterprise 3 ES, but my firewall is very weak. Can anyone send me some firewall (iptables or ipchains) for my DNS, web & mail server? Fahad
Hi Fahad... you'll need to provide a little more information.
What network interfaces are there?
Is the box directly internet facing or is there a f/w?
Do you need any shell access configured?
Do you use SSL on your webserver?
Is your DNS internal only?
The information is:
1. There is only one interface, to the ISP.
2. There is the Linux built-in f/w.
3. Yes, there is shell/SSH access configured.
4. No, there is no SSL on the web server.
5. There are 2 DNS servers (primary & secondary) from the ISP, and I have also configured NS for web & mail on the same IBM server.
SSH access (we will assume open access internally and restrict access to one IP externally)
HTTPD access (no SSL)
Local DNS with forwarding to the specified DNS servers
No Routing
Internal i/face is eth0, external is eth1
POP access only internally
You will need the following rules...
Code:
# path to the iptables binary; adjust if yours lives elsewhere
IPTABLES=/sbin/iptables
#flush
$IPTABLES -F
#set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# loopback in both directions
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
# internal net
$IPTABLES -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -i eth0 -j ACCEPT
# external net: SSH only from A.B.C.D, web and mail from anywhere
$IPTABLES -A INPUT -p tcp --dport 22 -s A.B.C.D -i eth1 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -i eth1 -j ACCEPT
# replies to connections this host opened
$IPTABLES -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# log, then drop, everything else arriving from outside
$IPTABLES -A INPUT -i eth1 -j LOG
$IPTABLES -A INPUT -i eth1 -j DROP
That should get you started. You can look into more interesting features like connection tracking also.
A.B.C.D above is the IP of the host that is allowed to ssh to this server from outside. You can change this to CIDR notation if you don't have a fixed IP for this host.
How do I block it with a proxy, I mean squid?
Thanks for that firewall.
I am running my internet gateway with Red Hat 9 and also running a transparent proxy with squid, but I can't block MSN and Yahoo Messenger. How do I block them with the proxy, I mean squid?
I doubt they're going through port 80 anyhow, so you'd be better off just blocking whatever domain they authenticate through in iptables.
Just drop everything with either a source or destination of the particular domain. If you use Wireshark on your proxy, you can watch the authentication handshake in progress and take note of the domains.
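One way to act on that advice at the gateway, as an added example that is not code from either poster: the addresses noted for the login hosts are fed in one per line (or resolved from a hostname with getent, an assumption about what the gateway has available) and turned into DROP rules for the gateway's own traffic and for forwarded LAN traffic. IPT defaults to echo so the rule set is reviewed before it is applied with IPT=/sbin/iptables.

```shell
#!/bin/sh
# Added example, not from the thread: emit iptables DROP rules for a list of
# addresses. With IPT unset the rules are printed instead of applied.
IPT="${IPT:-echo}"

# Resolve a hostname to its current IPv4 addresses, one per line, de-duplicated.
# This is a snapshot: such services change addresses, so re-run it periodically.
resolve_addrs() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Read addresses from stdin and emit DROP rules for each. Three rules per
# address: traffic the gateway itself sends there, forwarded traffic to it, and
# forwarded replies from it. Rules are inserted (-I) so they sit ahead of any
# broad ACCEPT already in the chain.
block_addrs() {
    count=0
    while read -r addr; do
        [ -n "$addr" ] || continue
        # Only dotted digits reach iptables; anything else is reported and skipped.
        case "$addr" in
            *[!0-9.]*) echo "skipping invalid address: $addr" >&2; continue ;;
        esac
        $IPT -I OUTPUT  -d "$addr" -j DROP
        $IPT -I FORWARD -d "$addr" -j DROP
        $IPT -I FORWARD -s "$addr" -j DROP
        count=$((count + 1))
    done
    echo "blocked $count address(es)" >&2
}

# Usage (hostname is a placeholder, not one from the thread):
#   resolve_addrs login.example.invalid | block_addrs            # review
#   resolve_addrs login.example.invalid | IPT=/sbin/iptables block_addrs
```

The check is deliberately strict about input: a line that is not an address is reported on stderr and never becomes an argument to iptables.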
If I run with nowonmai's script and modify it the way I read it...
-I made the following changes because it sounds like you are running external-facing DNS
-You don't want to spam the logs and create a DoS
-You can't have -o lo on the INPUT chain (probably a typo)
-Blocked MSN and AOL (only if we are the gateway, but we aren't because we haven't written any NAT rules, so the last 2 lines are probably useless anyway)
-Set the variable $IPT
Anyway, there are a million different ways to do things; this is just two of them.
Code:
IPT=/usr/sbin/iptables
#flush
$IPT -F
#set policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT
# internal net (3128 is squid)
$IPT -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,53,80,110,3128 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# external net: SSH from A.B.C.D only; mail, DNS and web from anywhere
$IPT -A INPUT -i eth1 -p tcp --dport 22 -s A.B.C.D -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp -m multiport --dports 25,53,80 -j ACCEPT
$IPT -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# rate-limited logging so a flood cannot fill the disk
$IPT -A INPUT -i eth1 -m limit --limit 20/minute -j LOG
$IPT -A INPUT -i eth1 -j DROP
# OUTPUT matches the outgoing interface with -o, not -i
$IPT -A OUTPUT -o eth1 -p tcp --dport 1863 -j REJECT #Block MSN Port
$IPT -A OUTPUT -o eth1 -p tcp --dport 5190 -j REJECT #Block AOL Port
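The following is an added example, not the script of either poster. It builds the rule set the thread converged on (one LAN interface, one ISP-facing interface, public DNS, web and mail, SSH from the LAN and from a single external address, POP only from the LAN, no forwarding) and then lints the printed rules for the two slips that are easy to make in a hand-written script: an -i match in the OUTPUT chain and an interface named twice in one rule. Interface names and A.B.C.D are taken from the thread; IPT defaults to echo so the rules are printed for review and applied only when IPT=/sbin/iptables is set.

```shell
#!/bin/sh
# Added example (not from the thread): generate and lint the firewall rules for
# a combined DNS/web/mail host. Print by default, apply when IPT is set.
IPT="${IPT:-echo}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
ADMIN_IP="${ADMIN_IP:-A.B.C.D}"   # the one external host allowed to SSH in (placeholder from the thread)

firewall_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP                      # this box is not a router
    # loopback in both directions
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # replies to connections the server opened, on any interface, placed first
    # so every later rule only has to consider new connections
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # internal net: SSH, SMTP, web, POP, and DNS over UDP and TCP
    $IPT -A INPUT -i "$LAN_IF" -p tcp -m multiport --dports 22,25,80,110 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
    # external net: SSH from one address only; SMTP, web and DNS from anywhere
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_IP" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 25,80 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 53 -j ACCEPT    # large answers, zone transfers
    # log what is dropped, rate-limited so a flood cannot fill the disk
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 20/minute -j LOG --log-prefix "fw-drop: "
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# Lint a printed rule set read from stdin: one line per problem, exit 1 if any.
lint_rules() {
    awk '
        /-A OUTPUT/ && / -i / { print "OUTPUT cannot match -i, use -o: " $0; bad = 1 }
        /-A INPUT/  && / -o / { print "INPUT cannot match -o, use -i: " $0; bad = 1 }
        { n = gsub(/ -i /, " -i "); if (n > 1) { print "interface given twice: " $0; bad = 1 } }
        END { exit bad ? 1 : 0 }
    '
}

# Usage: review first, then apply.
#   firewall_rules | lint_rules && IPT=/sbin/iptables firewall_rules
```

Running the generator through the linter before applying is the habit worth keeping: iptables rejects a rule with two -i options, but a script that has already flushed the table and set the INPUT policy to DROP is then left half-loaded.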