HowtoForge Forums - ISPConfig 3 - Tips/Tricks/Mods

#1
Old 6th February 2014, 11:49
ledzgio (Junior Member, joined Feb 2014)

Change IP Tables rules with ISPConfig3

Hi all,

by default ISPConfig3 sets the default iptables rules which, in my case, are:

iptables -L:

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-pureftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

which seems to accept all connections (if I am not wrong).

I would like to apply a more restrictive set of iptables rules, for example something like the following:

*filter

# allow loopback traffic
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# allow established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outbound traffic
-A OUTPUT -j ACCEPT

# allow running services
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT

# allow SSH on port 22
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# log denied packets (rate limited)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# deny all the remaining inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Can I completely change the rule file? How can I merge the two without losing the fail2ban rules?

Thank you very much.
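One way to do the merge the post asks about, as an added example (this is not code from the post, from ISPConfig or from fail2ban): take the fail2ban chains out of the live ruleset with iptables-save, and write them into the restrictive ruleset so that one iptables-restore file carries both. The assumptions are mine: the live rules come from `iptables-save`, the fail2ban chains are named `fail2ban-*` as in the post, and the sample dump below is constructed (one ban on the documentation address 203.0.113.7 is included so the chain bodies are visibly preserved). The list of allowed ports is copied from the post as-is.

```shell
#!/bin/sh
# Added example, not from the forum post: build one iptables-restore file
# that contains the poster's restrictive rules AND the fail2ban chains that
# ISPConfig's fail2ban already maintains, so a reload does not drop the bans.
#
# Assumptions (mine, not stated in the thread): the live rules are taken from
# `iptables-save`, fail2ban chains are named fail2ban-* as in the post, and
# the merged file is loaded with `iptables-restore`.

# Constructed sample of `iptables-save` output; it mirrors the chains shown
# in the post plus one active ban (203.0.113.7 is a documentation address).
SAMPLE_SAVE='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-dovecot-pop3imap - [0:0]
:fail2ban-pureftpd - [0:0]
:fail2ban-sasl - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
-A INPUT -p tcp -m multiport --dports 25 -j fail2ban-sasl
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-pureftpd -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-ssh -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
COMMIT
# Completed'

# Keep only the *filter table of an iptables-save dump read on stdin.
filter_table() { awk '/^\*/ { t = $1; next } t == "*filter"'; }

# Chain declarations for the fail2ban chains, with counters reset.
f2b_chains() { awk '/^:fail2ban-/ { print $1 " - [0:0]" }'; }

# The INPUT rules that hand traffic to a fail2ban chain.
f2b_jumps()  { awk '/^-A INPUT / && / -j fail2ban-/'; }

# The fail2ban chains' own rules: current bans plus the trailing RETURN.
f2b_bodies() { awk '/^-A fail2ban-/'; }

# Emit the merged ruleset. The fail2ban jumps go at the top of INPUT, which
# is where fail2ban itself inserts them (iptables -I INPUT), so they are hit
# before any ACCEPT and long before the final REJECT.
merge_rules() {
    saved=$(filter_table)
    cat <<'EOF'
*filter
# default policies are the fallback if the explicit REJECT below is removed
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    printf '%s\n' "$saved" | f2b_chains
    cat <<'EOF'
# allow loopback traffic
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
EOF
    printf '%s\n' "$saved" | f2b_jumps
    cat <<'EOF'
# allow established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow running services (port list taken from the post as-is)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# log (rate limited), then reject everything else
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j ACCEPT
EOF
    printf '%s\n' "$saved" | f2b_bodies
    echo COMMIT
}

# Stand-alone run: print the merged ruleset for the constructed sample.
# On a live server: iptables-save | merge_rules > /etc/iptables.rules
printf '%s\n' "$SAMPLE_SAVE" | merge_rules
```

Two things to check before loading the result with `iptables-restore` (a dry run with `iptables-restore --test < file` catches syntax errors without touching the live tables). First, fail2ban's iptables actions create their chains and jump rules themselves when a jail starts (`iptables -N` plus `iptables -I INPUT`), so load the merged file before fail2ban starts, or restart fail2ban afterwards, rather than letting both fight over the same chains. Second, the chains in the post watch ftp and smtp, yet the proposed allow list opens neither port 21 nor port 25; every service that should stay reachable from outside needs its own ACCEPT above the final REJECT, otherwise the fail2ban jail for it has nothing left to protect.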