Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 4th May 2012, 22:41
alyarb alyarb is offline
Junior Member
 
Join Date: May 2012
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default help me find iptables file and harden my server

Hey guys, I am pretty new to linux in general but I really like ISPConfig so we are using that for a few services...

I set up a VM and followed this guide exactly:

http://www.howtoforge.com/perfect-se...ot-ispconfig-3

so now that everything is setup, I need to put together the strictest firewall that I can while still giving myself access to the necessary ports.

I really despise the firewall configurator that you get to by browsing to System -> Firewall -> Basic. As far as I can see, all you can do is open or close ports with it, which is not going to be flexible enough for me.

I got excited when I hit the Monitor tab, at the very bottom, you can hit "show IPTables" and it will show you the iptables rules that are in effect. I want to add and modify rules to this file with the iptables commands that I know how to write.

Here's what is there now:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N INT_IN
-N INT_OUT
-N PAROLE
-N PUB_IN
-N PUB_OUT
-N fail2ban-dovecot-pop3imap
-N fail2ban-pureftpd
-N fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 208.66.47.19/32 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -i bond+ -j PUB_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A OUTPUT -o bond+ -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-pureftpd -j RETURN
-A fail2ban-ssh -j RETURN

But of course I want to only allow HTTP/HTTPS to clients, and restrict every other service to only a couple of source addresses that we use for administration. So I assume this iptables rule file is just a text file somewhere that I can get to? But where?

Also, I want to learn more about fail2ban and how I can permanently ban repeat offenders.

Thanks!
Reply With Quote
Sponsored Links
  #2  
Old 5th May 2012, 12:32
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
 
Default

The firewall rules you see are generated by ISPConfig's firewall (plus a few fail2ban rules). I don't know if you can achieve what you want with that firewall, however, you can check out its configuration - it's in the /etc/Bastille directory.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 20:53.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.