Glance Over My IPTABLES Config, Will You?

  1. #1
    Junior Member
    Join Date
    Jun 2001
    Location
    Melbourne, Australia
    Posts
    94

    Glance Over My IPTABLES Config, Will You?

    I'm just about to put some servers on teh interweb, so need to tighten them up a bit. These are the rules that I have for my SMTP/Web server, as generated by Webmin.

    eth0 has a public IP, and is connected directly to teh interweb. On this interface, the machine should only accept traffic for ports 25, 80, and 222 (ssh).

    eth1 has a non-public IP address, and is connected to the LAN. I am not bothered about what traffic is accepted here.

    Does the line "-A INPUT ! -i eth0 -j ACCEPT" mean that traffic is accepted if input interface is not eth0?

    And if this machine is not going to be NATing, do I need sections "*nat" and "*mangle"?

    Here are my rules. Any help/comment appreciated.


    # Generated by iptables-save v1.2.11 on Mon Dec 11 15:00:22 2006
    *nat
    :PREROUTING ACCEPT [16:2141]
    :POSTROUTING ACCEPT [4:283]
    :OUTPUT ACCEPT [4:283]
    COMMIT
    # Completed on Mon Dec 11 15:00:22 2006
    # Generated by iptables-save v1.2.11 on Mon Dec 11 15:00:22 2006
    *mangle
    :PREROUTING ACCEPT [598:613490]
    :INPUT ACCEPT [594:613314]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [422:36314]
    :POSTROUTING ACCEPT [422:36314]
    COMMIT
    # Completed on Mon Dec 11 15:00:22 2006
    # Generated by iptables-save v1.2.11 on Mon Dec 11 15:00:22 2006
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # Accept traffic from internal interfaces
    -A INPUT ! -i eth0 -j ACCEPT
    # Accept traffic with the ACK flag set
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    # Allow incoming data that is part of a connection we established
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Allow data that is related to existing connections
    -A INPUT -m state --state RELATED -j ACCEPT
    # Accept responses to DNS queries
    -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
    # Accept responses to our pings
    -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    # Accept notifications of unreachable hosts
    -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
    # Accept notifications to reduce sending speed
    -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
    # Accept notifications of lost packets
    -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
    # Accept notifications of protocol problems
    -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
    # Accept SMTP traffic
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    # My own special SSH Rule
    -A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
    # Web Server
    -A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
    COMMIT
    # Completed on Mon Dec 11 15:00:22 2006

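    Added example (not code from this thread, from Webmin or from iptables): a small offline evaluator that replays the filter/INPUT chain of the dump above against described packets, so the two questions in the post can be checked without loading the rules on a box. It understands only the match options that occur in the dump (the ICMP rules are left out of the embedded copy because they do not affect the cases tested), and connection-tracking state is supplied with each test packet rather than tracked.

```python
# Added example (not code from the thread, Webmin or iptables): replay the poster's
# INPUT chain against test packets.  Only the match options used in the dump are
# understood, and conntrack state is supplied per packet rather than tracked.
import shlex

# The poster's dump with iptables-save comments and the ICMP rules left out.
DUMP = """
*nat
:PREROUTING ACCEPT [16:2141]
:POSTROUTING ACCEPT [4:283]
:OUTPUT ACCEPT [4:283]
COMMIT
*mangle
:PREROUTING ACCEPT [598:613490]
:INPUT ACCEPT [594:613314]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [422:36314]
:POSTROUTING ACCEPT [422:36314]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
COMMIT
"""


def parse_rule(tokens):
    """'-A INPUT ! -i eth0 -j ACCEPT' -> (chain, [(option, value, negated)], target)."""
    chain, matches, target, i = tokens[1], [], None, 2
    while i < len(tokens):
        tok, negated = tokens[i], tokens[i - 1] == "!"   # '!' negates the option after it
        if tok == "!":
            i += 1
        elif tok == "-j":
            target, i = tokens[i + 1], i + 2
        elif tok == "-m":             # module name; its options follow as ordinary tokens
            i += 2
        elif tok == "--tcp-flags":    # two arguments: mask and the flags to compare
            matches.append((tok, (tokens[i + 1], tokens[i + 2]), negated))
            i += 3
        else:
            matches.append((tok, tokens[i + 1], negated))
            i += 2
    return chain, matches, target


def parse_dump(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": {chain: [(matches, target)]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A"):
            chain, matches, target = parse_rule(shlex.split(line))
            table["rules"].setdefault(chain, []).append((matches, target))
    return tables


def match_one(option, value, pkt):
    """Does a single (un-negated) match option hold for the packet?"""
    if option in ("-i", "-p"):
        return pkt["iface" if option == "-i" else "proto"] == value
    if option in ("--dport", "--sport"):
        lo, _, hi = value.partition(":")
        return int(lo) <= pkt[option[2:]] <= int(hi or lo)
    if option == "--state":
        return pkt["state"] in value.split(",")
    if option == "--tcp-flags":       # iptables semantics: (flags & mask) == compare
        mask, comp = (set(v.split(",")) for v in value)
        return (pkt["flags"] & mask) == comp
    raise ValueError("unsupported match option: " + option)


def evaluate(table, chain, pkt):
    """First matching rule decides; with no match the chain policy applies."""
    for matches, target in table["rules"][chain]:
        if all(match_one(o, v, pkt) != neg for o, v, neg in matches):
            return target
    return table["policy"][chain]


def is_noop_table(table):
    """No rules and only ACCEPT policies: the table changes nothing."""
    return not any(table["rules"].values()) and all(p == "ACCEPT" for p in table["policy"].values())


def input_verdict(iface, proto, dport=0, sport=0, flags=(), state="NEW"):
    """Verdict of the poster's filter/INPUT chain for one described packet."""
    pkt = {"iface": iface, "proto": proto, "dport": dport, "sport": sport,
           "flags": set(flags), "state": state}
    return evaluate(parse_dump(DUMP)["filter"], "INPUT", pkt)
```

    Running it against a few packets answers both questions and surfaces two things worth a second look. `input_verdict("eth1", "tcp", 3306, 40000, ["SYN"])` returns ACCEPT, so yes, `-A INPUT ! -i eth0 -j ACCEPT` admits anything arriving on an interface other than eth0. `is_noop_table()` is true for both the nat and mangle tables as dumped: they hold no rules and every chain policy is ACCEPT, so leaving those sections out of the saved file changes nothing. The caveats: `input_verdict("eth0", "tcp", 3306, 40000, ["ACK"])` returns ACCEPT even though port 3306 is not on the allowed list, because the `--tcp-flags ACK ACK` rule accepts any TCP segment with ACK set regardless of port, and `input_verdict("eth0", "udp", 33000, 53)` returns ACCEPT for an unsolicited UDP datagram simply because its source port is 53. The `--state ESTABLISHED` and `--state RELATED` rules already admit genuine replies on a kernel with connection tracking, so both of those older-style rules can be removed without breaking anything the ruleset intends.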

  2. #2
    Newbie
    Join Date
    Dec 2006
    Location
    Bergen County, NJ, US
    Posts
    8
    I love webmin, but maybe you should consider something purpose-made to build rules... what distro are you using?

    I've heard good things about fwbuilder, not to mention trying whatever your distro's built-in firewall tool is.

    Also, if you're just putting them on the web, remember to go through the normal security precautions... just a quick reminder - disable all services not needed, disable WAN pings, disable telnet, disable root SSH logins, disable finger, disable rsync (if not needed), if you need FTP try SFTP if you can, if you need SSH then lock it down to only the minimum users, etc.

    Also, I just came by a tool called DenyHosts which seems really good... if you use SSH, it adds any host with more than X (defined in config files) failed logins to hosts.deny

    Good luck.
