Securing system (was gibraltar, apache and samba at the same machine)
--> Install the "ipmasq" package. <--
I already installed that one... I'll put the firewall below
echo -n "IPTables Firewall."
IPTABLES="/sbin/iptables"
#FLUSH
echo -n " Flush all tables."
$IPTABLES --flush # Flush all the rules in filter and nat tables
echo -n "."
$IPTABLES --table nat --flush
echo -n "."
$IPTABLES --delete-chain # Delete all chains that are not in default filter and nat table
echo -n "."
$IPTABLES --table nat --delete-chain
echo ". done"
echo -n " Setting up masquerading rules."
# Set up IP FORWARDing and Masquerading
$IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
echo -n "."
$IPTABLES --append FORWARD --in-interface eth1 -j ACCEPT # Assuming one NIC to local LAN
echo ". done"
echo -n " Setting rules for loopback device."
# Allow loopback access. This rule must come before the rules denying port access!!
$IPTABLES -A INPUT -i lo -p all -j ACCEPT # This rule is essential if you want your own computer to be able to access itself through the loopback interface
echo -n "."
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
echo ". done"
echo -n " Setting rules for eth0 device."
# Accept established connections
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n "."
#$IPTABLES -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
#echo -n "."
# Open ftp port
$IPTABLES -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
echo -n "."
$IPTABLES -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
echo -n "."
# Open secure shell port
$IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
echo -n "."
$IPTABLES -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
echo -n "."
# Open HTTP port
$IPTABLES -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
echo -n "."
$IPTABLES -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
echo -n "."
$IPTABLES -A INPUT -p icmp -i eth0 -j ACCEPT
echo -n "."
echo ". done"
echo -n " Setting rules for eth1 device."
# Accept all incoming connections
$IPTABLES -A INPUT -i eth1 -p all -j ACCEPT
echo ". done"
echo -n " Drop all other connection attempts."
# Drop all other connection attempts. Only connections defined above are allowed.
$IPTABLES -P INPUT DROP
echo ". done"
This is the only thing I did to secure my system. I went mad from M$ IIS, so I
wanted to install apache w/o knowing anything about Linux. This went fine,
but my system isn't very secure. It's getting better (I run KDE 3.1), but I
still don't know very much. So if there are any suggestions, I appreciate
it very much.
HTH,
Willem-Jan Meijer
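A stateful revision of the ruleset, added here as an example and not the poster's script: it sets DROP policies on INPUT and FORWARD before the chains are rebuilt (so nothing gets through during the rebuild), accepts return traffic by connection state, drops the UDP rules for what are TCP-only services, keeps FTP off the Internet-facing interface, and only masquerades connections that originate on the LAN. The interface roles (eth0 toward the Internet, eth1 toward the LAN) and the public service set (SSH and HTTP) are assumptions carried over from the post. The script prints the iptables commands it would run unless invoked as root with `sh firewall.sh --apply`, so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: eth0 faces the
# Internet, eth1 faces the LAN, and SSH and HTTP are the only public services.
# Without "--apply" the script only prints the iptables commands (dry run).

IPTABLES="/sbin/iptables"
WAN=eth0
LAN=eth1

case "${1:-}" in
    --apply) DRY_RUN=0 ;;
    *)       DRY_RUN=1 ;;
esac

# Run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_firewall() {
    # Policies first: while the chains are being rebuilt the box stays closed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt --flush
    ipt --table nat --flush
    ipt --delete-chain
    ipt --table nat --delete-chain

    # Loopback is unrestricted; these rules must precede everything that drops.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Discard packets that belong to no known connection, then accept replies
    # for connections this host opened itself.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Public services on the WAN side, TCP only (SSH and HTTP run over TCP).
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # ICMP: ping plus the error types that keep TCP and path-MTU discovery working.
    ipt -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$WAN" -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -i "$WAN" -p icmp --icmp-type time-exceeded -j ACCEPT

    # The LAN side is trusted: Samba, FTP and the rest stay reachable from eth1 only.
    ipt -A INPUT -i "$LAN" -j ACCEPT

    # Masquerading: new connections LAN -> WAN, and only replies WAN -> LAN.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Log a sample of what the INPUT policy is about to drop, for tuning.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Turn routing on only after the FORWARD rules exist.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

apply_firewall
enable_forwarding
```

Compared with the post's script, the main behavioural differences are the DROP policy on FORWARD (the original leaves it at the default ACCEPT, so anything arriving on eth0 with a LAN destination would be routed), the removal of the UDP openings on 21, 22 and 80, and FTP no longer being accepted from eth0. If FTP must be offered to the Internet, the `ip_conntrack_ftp` helper is what makes the data connection show up as RELATED; without it active-mode FTP will not work through these rules.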