IPTables or any other firewall for server
Emil M
14th November 2009, 14:43
Sorry, not quite sure where to post this. I have a server that's running:
Webserver (http, https)
Mailserver (pop3s, imaps smtp)
FTP server (Explicit SFTP)
Databaseserver (no remote access)
SSH
Could there be any tutorial in here that fits my needs? I've no experience with iptables so far and every time I tried I messed something up (I basically try to block all ports except those I've read these services use).
falko
15th November 2009, 14:50
You could install some kind of wrapper script like shorewall or Bastille - they make it easy to configure iptables.
id10t
17th November 2009, 16:31
I like using ufw - very simple syntax
ufw allow 80
or if your service has keywords associated with it
ufw allow http
Emil M
18th November 2009, 03:27
Thanks. Works very well. Can I limit port 22 / SSH to only some IPs?
damir
18th November 2009, 10:13
This should work (change the IP):
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
btomasik
2nd December 2009, 04:28
This would be an example of a simple firewall doing exactly as you asked. Further complex configurations such as with logging, NAT, rate limiting, QoS, etc. are not difficult and operate very similarly. Just remember iptables used to be called ipchains because essentially an incoming packet goes down its initial chain (INPUT or FORWARD) until either 1. explicitly accepted 2. explicitly DROP/REJECT 3. is passed off to another chain. And if it meets no specific action (or jump [ie -j ACCEPT]) then it follows the default policy specified by running "iptables -P {INPUT,OUTPUT,FORWARD} {ACCEPT,DROP,REJECT}"
With that, consider the following:
#!/bin/bash
IPT=/sbin/iptables
# Flush INPUT/FORWARD first so re-running the script does not append duplicate rules
$IPT -F INPUT
$IPT -F FORWARD
# Accept everything on loopback: the database (no remote access) and local
# mail delivery talk to 127.0.0.1 and would otherwise hit the DROP policy
$IPT -A INPUT -i lo -j ACCEPT
# Accept all RELATED or ESTABLISHED packets for every protocol, not just tcp,
# so that UDP replies (DNS lookups made from this host) and ICMP errors get through
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new http/https connections
$IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Allow new smtp, smtps, imaps, pop3s connections (pop3s is 995; 993 is imaps)
$IPT -A INPUT -p tcp -m multiport --dports 25,465,993,995 -j ACCEPT
# Allow new implicit ftps connections (tcp only; FTP does not use udp)
$IPT -A INPUT -p tcp -m multiport --dports 989,990 -j ACCEPT
# Explicit FTPS (AUTH TLS on port 21) instead needs port 21 plus the passive
# data-port range configured in the FTP daemon, because conntrack cannot read
# PASV replies inside TLS:
#$IPT -A INPUT -p tcp --dport 21 -j ACCEPT
#$IPT -A INPUT -p tcp --dport <PASV_LOW>:<PASV_HIGH> -j ACCEPT
# Allow new SSH connection from ENTIRE internet
#$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow new SSH conn from only <IP>
$IPT -A INPUT -p tcp -s <IP> --dport 22 -j ACCEPT
####
# The below code will ensure that no other incoming
# packets are accepted nor packets that could be
# destined for FORWARD'ing to other machines.
####
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
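The chain-walking behaviour btomasik describes (first match wins, a jump into a user chain that falls off its end returns to the caller, and the chain policy applies when nothing matches) can be checked offline. The following is an added example, not code from the thread and not iptables itself: a small Python model of INPUT traversal that evaluates the posted ruleset and a constructed hardened variant against constructed probe packets. ADMIN_IP stands in for the post's <IP>, the conntrack state is modelled as a packet attribute, -s is matched as an exact address, and the "hardened" rule list and the probe packets are assumptions made here for illustration.

```python
# Added example (not from the thread): model of how the INPUT chain is walked,
# as described in the post above. Real iptables/netfilter is not involved; only
# first-match, jump-to-user-chain and default-policy semantics are reproduced.
# ADMIN_IP, the probe packets and the "hardened" rule list are constructed here.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ADMIN_IP = "203.0.113.10"   # constructed: stands in for <IP> in the post


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str                # source address
    dport: int = 0          # destination port (0 for icmp)
    iface: str = "eth0"     # interface the packet arrived on (-i)
    state: str = "NEW"      # conntrack state the packet would be classified as


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT, DROP, REJECT or a user chain name
    proto: Optional[str] = None          # -p
    dports: frozenset = frozenset()      # --dport / -m multiport --dports
    src: Optional[str] = None            # -s (exact address; CIDR not modelled)
    iface: Optional[str] = None          # -i
    states: frozenset = frozenset()      # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (self.src is None or self.src == p.src)
                and (self.iface is None or self.iface == p.iface)
                and (not self.states or p.state in self.states))


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chain: List[Rule], chains: Dict[str, List[Rule]], p: Packet) -> Optional[str]:
    """Walk one chain top to bottom. A matching terminating target ends the walk;
    a matching user-chain target recurses, and if that chain falls off its end
    the walk resumes at the next rule here."""
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target in TERMINAL:
            return rule.target
        result = walk(chains[rule.target], chains, p)
        if result is not None:
            return result
    return None


def verdict(chains: Dict[str, List[Rule]], policy: str, p: Packet) -> str:
    """INPUT traversal: first verdict wins, otherwise the chain policy applies."""
    return walk(chains["INPUT"], chains, p) or policy


def ports(*ps: int) -> frozenset:
    return frozenset(ps)


EST = frozenset({"RELATED", "ESTABLISHED"})

# The ruleset exactly as posted above (policy DROP).
POSTED = {"INPUT": [
    Rule("ACCEPT", proto="tcp", states=EST),
    Rule("ACCEPT", proto="tcp", dports=ports(80, 443)),
    Rule("ACCEPT", proto="tcp", dports=ports(25, 465, 993)),
    Rule("ACCEPT", proto="tcp", dports=ports(989, 990)),
    Rule("ACCEPT", proto="udp", dports=ports(989, 990)),
    Rule("ACCEPT", proto="tcp", src=ADMIN_IP, dports=ports(22)),
]}

# Constructed hardened variant: loopback first, state match for every protocol,
# pop3s added, and SSH decided in its own user chain (-j SSH).
HARDENED = {
    "INPUT": [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", states=EST),
        Rule("ACCEPT", proto="tcp", dports=ports(80, 443)),
        Rule("ACCEPT", proto="tcp", dports=ports(25, 465, 993, 995)),
        Rule("ACCEPT", proto="tcp", dports=ports(989, 990)),
        Rule("SSH", proto="tcp", dports=ports(22)),
    ],
    # No rule for other sources: the walk returns to INPUT, which has no
    # further rules, so the DROP policy applies.
    "SSH": [Rule("ACCEPT", src=ADMIN_IP)],
}

# Constructed probe packets (addresses from documentation ranges).
PROBES = {
    "ssh_from_admin":   Packet("tcp", ADMIN_IP, 22),
    "ssh_from_other":   Packet("tcp", "198.51.100.7", 22),
    "https_new":        Packet("tcp", "198.51.100.7", 443),
    "pop3s_new":        Packet("tcp", "198.51.100.7", 995),
    "dns_reply_udp":    Packet("udp", "192.0.2.53", 40000, state="ESTABLISHED"),
    "local_db_on_lo":   Packet("tcp", "127.0.0.1", 3306, iface="lo"),
    "icmp_frag_needed": Packet("icmp", "192.0.2.1", state="RELATED"),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Return {probe name: (verdict under POSTED, verdict under HARDENED)}."""
    return {name: (verdict(POSTED, "DROP", p), verdict(HARDENED, "DROP", p))
            for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, (posted, hardened) in compare().items():
        print(f"{name:18} posted={posted:7} hardened={hardened}")
```

Running it shows the two rulesets agree on SSH and HTTPS but differ on the cases the posted script does not cover: the UDP DNS reply and the RELATED ICMP error are dropped because the state rule is restricted to tcp, the local database connection over loopback is dropped because nothing accepts -i lo, and pop3s on 995 is dropped because only 993 is listed. The model ignores CIDR source matching, the OUTPUT chain and conntrack's FTP helper, so it is a way to reason about rule order and policy, not a substitute for testing the real ruleset.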