Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
info:hosting:basics:firewalls [2018/01/09 10:35] Thibmo |
info:hosting:basics:firewalls [2018/01/09 12:39] Thibmo |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | ||
| This topic will contain some information about firewalls and how to set them up.\\ | This topic will contain some information about firewalls and how to set them up.\\ | ||
| + | The trick with firewalls is to block everything by default, and only allow the traffic that you wish to handle. | ||
| + | |||
| + | On this page we will provide samples based on Linux's IPTables, as this is what's commonly used for Linux webservers. | ||
| + | |||
| + | ===== Creating A Persistent Rule File ===== | ||
| + | **Debian/Ubuntu:** | ||
| + | - Create a new empty file: <code bash>touch /etc/iptables.up.rules</code> | ||
| + | - Edit your interface configuration file: <code bash>nano /etc/network/interfaces</code> | ||
| + | - Append your main interface with the following rule: <code bash> post-up iptables-restore < /etc/iptables.up.rules</code> | ||
| + | |||
| + | ===== Default Set Of Rules ===== | ||
| + | **Debian/Ubuntu:** | ||
| + | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
| + | - Set the file's contents to: <code bash>*filter | ||
| + | :OUTPUT ACCEPT [0:0] | ||
| + | :INPUT DROP [0:0] | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | # Accept ACK | ||
| + | -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT | ||
| + | # Accept Established | ||
| + | -A INPUT -m state --state ESTABLISHED -j ACCEPT | ||
| + | # Accept Related | ||
| + | -A INPUT -m state --state RELATED -j ACCEPT | ||
| + | # Accept DNS return | ||
| + | -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT | ||
| + | # Accept ICMP 0 | ||
| + | -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT | ||
| + | # Accept ICMP 3 | ||
| + | -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | ||
| + | # Accept ICMP 4 | ||
| + | -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT | ||
| + | # Accept ICMP 8 | ||
| + | -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
| + | # Accept ICMP 11 | ||
| + | -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT | ||
| + | # Accept ICMP 12 | ||
| + | -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT | ||
| + | # Accept SSH To Host | ||
| + | # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
| + | # Accept IDENT | ||
| + | -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT | ||
| + | # Drop sensitive ports | ||
| + | -A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP | ||
| + | # Drop sensitive ports | ||
| + | -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP | ||
| + | # Drop sensitive ports | ||
| + | -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP | ||
| + | COMMIT | ||
| + | |||
| + | *nat | ||
| + | :OUTPUT ACCEPT [0:0] | ||
| + | :POSTROUTING ACCEPT [0:0] | ||
| + | :PREROUTING ACCEPT [0:0] | ||
| + | :INPUT ACCEPT [0:0] | ||
| + | COMMIT | ||
| + | |||
| + | *mangle | ||
| + | :POSTROUTING ACCEPT [0:0] | ||
| + | :PREROUTING ACCEPT [0:0] | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | :OUTPUT ACCEPT [0:0] | ||
| + | :INPUT ACCEPT [0:0] | ||
| + | COMMIT | ||
| + | </code> | ||
