Are these iptables rules enough for a web server?
Hello,
I have a server running Apache, Tor (Port 9050) and OpenVPN (Port 2024). Are the following iptables rules good and sufficient? Code:
-P INPUT DROP
Code:
# Allow incoming HTTP
2- When you want to use HTTPS, is port 80 necessary? Thank you.
It looks like you leave the loopback interface open for spoofing. It should only accept input and output to and from its own address range.
Why are you rate limiting HTTPS and not HTTP? You also risk locking yourself out of SSH if you fat finger the IP address range or need to log in from another. That should be open but the authentication limited to only either keys or certificates, with password authentication off.

Port 80 (HTTP) is necessary with HTTPS if you are setting up Let's Encrypt certificates for your TLS. Certbot, or another method, will need to occasionally publish something for verification.

Since you default to a generic output policy of Allow, the extra lines explicitly allowing HTTP and HTTPS are not needed. If you turn the output policy to Drop, then you will need to also open up outgoing DNS and presumably SMTP or other operational services.

A loose set of rules which could be converted: Code:
#!/usr/sbin/nft -f
include "/etc/nftables.d/*.nft"
Thank you so much for your reply.
Are the following lines necessary? Code:
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
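The following nftables ruleset is an added example, not rules posted by anyone in this thread, written to show the reply's points in one place: loopback restricted to the host's own addresses, SSH left open to every source but rate limited (with key-only authentication configured in sshd, not in the firewall), port 80 kept open beside 443 for Let's Encrypt renewals, and the output policy left at accept so that the `-A OUTPUT ... --sport 80 ... ESTABLISHED` lines asked about above are not needed. It assumes the public interface is eth0, OpenVPN listens on UDP 2024, Tor's port 9050 is the local SOCKS listener that is only ever reached over lo, and the rate-limit values (4 new connections per minute per source) are a starting point, not a measured figure.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumptions: public interface
# eth0, OpenVPN on UDP 2024, Tor 9050 loopback-only, output policy accept as
# in the original iptables rules.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback: accept only packets whose source and destination are
        # addresses this host actually owns; anything else arriving on lo is
        # dropped, and a 127/8 source on any other interface is a spoof.
        iif "lo" fib saddr type local fib daddr type local accept
        iif "lo" drop
        iif != "lo" ip saddr 127.0.0.0/8 drop

        ct state invalid drop
        ct state established,related accept

        # SSH: open to every source so a mistyped address range cannot lock
        # you out; new connections are rate limited per client address.
        # Password authentication is disabled in sshd_config, not here.
        tcp dport 22 ct state new meter ssh4 { ip saddr limit rate 4/minute burst 4 packets } accept
        tcp dport 22 ct state new meter ssh6 { ip6 saddr limit rate 4/minute burst 4 packets } accept

        # Web: 80 stays open next to 443 so Let's Encrypt HTTP-01 renewals work.
        tcp dport { 80, 443 } accept

        # OpenVPN (assumed UDP).
        udp dport 2024 accept

        # Tor's SOCKS port 9050 is deliberately not opened: local clients
        # reach it over lo, which the first rule already accepts.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Policy accept, as in the original rules, so no separate rules for
        # HTTP/HTTPS replies are needed. Changing this to drop would also
        # require explicit rules for outbound DNS, SMTP and similar services.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f /etc/nftables.conf` and review the result with `nft list ruleset`; SSH attempts above the meter's rate simply fall through to the chain's drop policy, so they are not accepted rather than being explicitly rejected.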