Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
info:hosting:basics:firewalls [2018/01/09 12:39] Thibmo |
info:hosting:basics:firewalls [2018/01/10 11:28] Thibmo |
||
---|---|---|---|
Line 5: | Line 5: | ||
On this page we will provide samples based on Linux's IPTables, as this is what's commonly used for Linux webservers. | On this page we will provide samples based on Linux's IPTables, as this is what's commonly used for Linux webservers. | ||
+ | |||
+ | <WRAP center round important> | ||
+ | To follow this example you are required to login as user root.\\ | ||
+ | If you don't have the password of the root user you can use __//sudo//__ instead. | ||
+ | </WRAP> | ||
+ | |||
===== Creating A Persistent Rule File ===== | ===== Creating A Persistent Rule File ===== | ||
Line 16: | Line 22: | ||
- Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
- Set the file's contents to: <code bash>*filter | - Set the file's contents to: <code bash>*filter | ||
- | :OUTPUT ACCEPT [0:0] | ||
- | :INPUT DROP [0:0] | ||
:FORWARD ACCEPT [0:0] | :FORWARD ACCEPT [0:0] | ||
- | # Accept ACK | + | :INPUT DROP [0:0] |
- | -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT | + | :OUTPUT ACCEPT [0:0] |
# Accept Established | # Accept Established | ||
-A INPUT -m state --state ESTABLISHED -j ACCEPT | -A INPUT -m state --state ESTABLISHED -j ACCEPT | ||
Line 39: | Line 43: | ||
# Accept ICMP 12 | # Accept ICMP 12 | ||
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT | -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT | ||
+ | # Accept FTP(S) | ||
+ | -A INPUT -p tcp -m tcp --dport 20:21 -j REJECT | ||
# Accept SSH To Host | # Accept SSH To Host | ||
- | # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | + | -A INPUT -p tcp -m tcp -d <Host main IP address> --dport 22 -j ACCEPT |
# Accept IDENT | # Accept IDENT | ||
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT | -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT | ||
Line 49: | Line 55: | ||
# Drop sensitive ports | # Drop sensitive ports | ||
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP | -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP | ||
- | COMMIT | ||
+ | COMMIT | ||
*nat | *nat | ||
:OUTPUT ACCEPT [0:0] | :OUTPUT ACCEPT [0:0] | ||
Line 57: | Line 63: | ||
:INPUT ACCEPT [0:0] | :INPUT ACCEPT [0:0] | ||
COMMIT | COMMIT | ||
- | |||
*mangle | *mangle | ||
:POSTROUTING ACCEPT [0:0] | :POSTROUTING ACCEPT [0:0] | ||
Line 66: | Line 71: | ||
COMMIT | COMMIT | ||
</code> | </code> | ||
+ | |||
+ | ===== Adding more rules ===== | ||
+ | There are plenty of tutorials out there.\\ | ||
+ | Here a few examples:\\ | ||
+ | [[https://www.thegeekstuff.com/2011/06/iptables-rules-examples|thegeekstuff.com]]\\ | ||
+ | [[https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands|digitalocean.com]] | ||
+ | |||
+ | For this configuration file you need to truncate both __//sudo//__ and __//iptables//__ from the start of the command.\\ | ||
+ | To apply these new rules you need to perform one of the following tasks: | ||
+ | * Reload your network stack: <code bash>iptables -F; service networking restart</code> | ||
+ | * Restore the config directly: <code bash>iptables -F; iptables-restore < /etc/iptables.up.rules</code> | ||