Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
info:hosting:basics:firewalls [2018/01/09 12:39] Thibmo |
info:hosting:basics:firewalls [2018/01/10 11:28] Thibmo |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| On this page we will provide samples based on Linux's IPTables, as this is what's commonly used for Linux webservers. | On this page we will provide samples based on Linux's IPTables, as this is what's commonly used for Linux webservers. | ||
| + | |||
| + | <WRAP center round important> | ||
| + | To follow this example you are required to login as user root.\\ | ||
| + | If you don't have the password of the root user you can use __//sudo//__ instead. | ||
| + | </WRAP> | ||
| + | |||
| ===== Creating A Persistent Rule File ===== | ===== Creating A Persistent Rule File ===== | ||
| Line 16: | Line 22: | ||
| - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
| - Set the file's contents to: <code bash>*filter | - Set the file's contents to: <code bash>*filter | ||
| - | :OUTPUT ACCEPT [0:0] | ||
| - | :INPUT DROP [0:0] | ||
| :FORWARD ACCEPT [0:0] | :FORWARD ACCEPT [0:0] | ||
| - | # Accept ACK | + | :INPUT DROP [0:0] |
| - | -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT | + | :OUTPUT ACCEPT [0:0] |
| # Accept Established | # Accept Established | ||
| -A INPUT -m state --state ESTABLISHED -j ACCEPT | -A INPUT -m state --state ESTABLISHED -j ACCEPT | ||
| Line 39: | Line 43: | ||
| # Accept ICMP 12 | # Accept ICMP 12 | ||
| -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT | -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT | ||
| + | # Accept FTP(S) | ||
| + | -A INPUT -p tcp -m tcp --dport 20:21 -j REJECT | ||
| # Accept SSH To Host | # Accept SSH To Host | ||
| - | # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | + | -A INPUT -p tcp -m tcp -d <Host main IP address> --dport 22 -j ACCEPT |
| # Accept IDENT | # Accept IDENT | ||
| -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT | -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT | ||
| Line 49: | Line 55: | ||
| # Drop sensitive ports | # Drop sensitive ports | ||
| -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP | -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP | ||
| - | COMMIT | ||
| + | COMMIT | ||
| *nat | *nat | ||
| :OUTPUT ACCEPT [0:0] | :OUTPUT ACCEPT [0:0] | ||
| Line 57: | Line 63: | ||
| :INPUT ACCEPT [0:0] | :INPUT ACCEPT [0:0] | ||
| COMMIT | COMMIT | ||
| - | |||
| *mangle | *mangle | ||
| :POSTROUTING ACCEPT [0:0] | :POSTROUTING ACCEPT [0:0] | ||
| Line 66: | Line 71: | ||
| COMMIT | COMMIT | ||
| </code> | </code> | ||
| + | |||
| + | ===== Adding more rules ===== | ||
| + | There are plenty of tutorials out there.\\ | ||
| + | Here a few examples:\\ | ||
| + | [[https://www.thegeekstuff.com/2011/06/iptables-rules-examples|thegeekstuff.com]]\\ | ||
| + | [[https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands|digitalocean.com]] | ||
| + | |||
| + | For this configuration file you need to truncate both __//sudo//__ and __//iptables//__ from the start of the command.\\ | ||
| + | To apply these new rules you need to perform one of the following tasks: | ||
| + | * Reload your network stack: <code bash>iptables -F; service networking restart</code> | ||
| + | * Restore the config directly: <code bash>iptables -F; iptables-restore < /etc/iptables.up.rules</code> | ||
