HowtoForge Forums > Linux Forums > Technical
  #1  
Old 14th November 2009, 13:43
Emil M (Junior Member)
IPTables or any other firewall for server

Sorry, not quite sure where to post this. I have a server that's running:

Webserver (http, https)
Mailserver (pop3s, imaps, smtp)
FTP server (Explicit SFTP)
Databaseserver (no remote access)
SSH

Could there be any tutorial in here that fits my needs? I've no experience with iptables so far, and every time I tried I messed something up (I basically try to block all ports except those I've read these services use).
  #2  
Old 15th November 2009, 13:50
falko (Super Moderator)

You could install some kind of wrapper script like shorewall or Bastille - they make it easy to configure iptables.
  #3  
Old 17th November 2009, 15:31
id10t (Senior Member)

I like using ufw - very simple syntax

ufw allow 80

or if your service has keywords associated with it

ufw allow http
  #4  
Old 18th November 2009, 02:27
Emil M (Junior Member)

Thanks. Works very well. Can I limit port 22 / SSH to only some IPs?
  #5  
Old 18th November 2009, 09:13
damir (Senior Member)

This should work (change the IP):
Code:
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
  #6  
Old 2nd December 2009, 03:28
btomasik (Junior Member)

This would be an example of a simple firewall doing exactly as you asked. Further complex configurations such as with logging, NAT, rate limiting, QoS, etc. are not difficult and operate very similarly. Just remember iptables used to be called ipchains because essentially an incoming packet goes down its initial chain (INPUT or FORWARD) until it is either 1. explicitly accepted, 2. explicitly DROP/REJECTed, or 3. passed off to another chain. And if it meets no specific action (or jump [i.e. -j ACCEPT]) then it follows the default policy specified by running "iptables -P {INPUT,OUTPUT,FORWARD} {ACCEPT,DROP,REJECT}".

With that, consider the following:
Code:
#!/bin/bash

IPT=/sbin/iptables

# Accept everything on the loopback interface; without this, local clients
# talking to the database, mail or web services on 127.0.0.1 get dropped
# once the INPUT policy below is set to DROP
$IPT -A INPUT -i lo -j ACCEPT

# Accept all RELATED or ESTABLISHED packets for every protocol, so replies
# to the server's own outgoing connections (e.g. DNS answers over UDP) get in
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow new http/https connections
$IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Allow new smtp, pop3s, imaps connections
$IPT -A INPUT -p tcp -m multiport --dports 25,465,993 -j ACCEPT

# Allow new ftps connections (implicit FTPS ports; explicit FTPS instead
# uses port 21 and the server's passive data port range)
$IPT -A INPUT -p tcp -m multiport --dports 989,990 -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dports 989,990 -j ACCEPT

# Allow new SSH connection from ENTIRE internet
#$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow new SSH conn from only <IP> (replace <IP> with your admin address)
$IPT -A INPUT -p tcp -s <IP> --dport 22 -j ACCEPT


####
# The below code will ensure that no other incoming
# packets are accepted nor packets that could be
# destined for FORWARD'ing to other machines.
####
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
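An added example, not part of btomasik's post: a script that generates the same style of INPUT rule set for the services listed in this thread, but with SSH restricted to a list of admin addresses (extending the single -s <IP> rule) and each address validated before it becomes a rule, so a typo cannot turn into an open port 22. ADMIN_HOSTS, SERVICE_PORTS and the two functions are assumptions, and the sample addresses are constructed; the script prints the commands instead of running them so they can be reviewed before being applied as root.

```shell
#!/bin/bash
# Hypothetical names: IPT, ADMIN_HOSTS, SERVICE_PORTS, valid_ipv4_cidr,
# build_input_rules. Output is the list of commands to run, not applied here.

IPT=/sbin/iptables

# Constructed sample allow-list for port 22 (addresses or CIDR ranges)
ADMIN_HOSTS="192.168.0.2 203.0.113.0/24"

# TCP ports of the services the original poster runs
SERVICE_PORTS="80,443,25,465,993,989,990"

# Accept a single IPv4 address or CIDR; anything else is rejected so a bad
# entry can never be emitted as a rule that matches too broadly.
valid_ipv4_cidr() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the rules in match order: loopback and replies first, then public
# services, then the SSH allow-list, and the DROP policies last so no rule
# is evaluated before its allow rule exists. Returns 1 on an invalid host.
build_input_rules() {
  echo "$IPT -A INPUT -i lo -j ACCEPT"
  echo "$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "$IPT -A INPUT -p tcp -m multiport --dports $SERVICE_PORTS -j ACCEPT"
  for host in $ADMIN_HOSTS; do
    if valid_ipv4_cidr "$host"; then
      echo "$IPT -A INPUT -p tcp -s $host --dport 22 -m state --state NEW -j ACCEPT"
    else
      echo "invalid SSH source address, no rules generated: $host" >&2
      return 1
    fi
  done
  echo "$IPT -P INPUT DROP"
  echo "$IPT -P FORWARD DROP"
}

build_input_rules
```

Pipe the output to a file, read it, and only then run it (with an out-of-band console available in case the SSH rule is wrong).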