
Re: CLOSING a web server!!!!!!



Hello Matthew Palmer!!!

> >   21 -> only from my fixed IP
> 
> Use scp.  FTP requires some very b0rken firewalling.

 OK...... and what about SFTP?????

 Some of the webmasters are using Windows FTP clients, so I need FTP or SFTP.

  
> >   22 -> only from my fixed IP
> 
> IPT="/sbin/iptables"
> 
> $IPT -P INPUT DROP
> 
> $IPT -A INPUT -p tcp --dport 22 -s $fix_IP -d $local_IP -j ACCEPT
> 
> >   53 -> any IP (only for my domains = BIND config)
> 
> What do you mean, only for your domains?  Only allow people from your
> domains to query you?  Then why "any IP"?  Your firewall can't stop people
> from asking you about www.google.com...

 What I mean is:

 global -> allow-query = only my IPs
 per domain -> allow-query any

 
> >   80 -> any IP obviously
> 
> $IPT -A INPUT -p tcp --dport 80 -d $local_IP -j ACCEPT
> 
> >  443 -> same as 80
> 
> Precisely.

 OK.......

 
> >  What are the BETTER and MORE SECURE iptables rules for this server????
> 
> Those above work for me.

 OK, but what about  "-m state --state NEW" or similar????


 thanks.....
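
The rules quoted in this message, combined with the `-m state` matching asked about at the end, as an added example that is not part of the original thread or written by either poster. It assumes the ruleset is loaded with `iptables-restore`; the function names and the sample addresses (documentation ranges) are hypothetical.

```shell
#!/bin/sh
# Added example: print a stateful version of the thread's rules in
# iptables-restore format. Nothing is applied; the caller pipes the output.

is_ipv4() {
    # Accept only a dotted quad with every octet <= 255, so nothing else
    # can be spliced into a rule line.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

build_ruleset() {
    fix_ip=$1      # admin workstation (the "fixed IP" in the thread)
    local_ip=$2    # address the server listens on
    is_ipv4 "$fix_ip" && is_ipv4 "$local_ip" || {
        echo "build_ruleset: invalid IPv4 address" >&2
        return 1
    }
    # With policy DROP, replies to connections the server itself opens
    # (DNS lookups, package updates) are dropped unless ESTABLISHED,RELATED
    # is accepted first. Loopback is allowed for local services.
    # Only packets that start a connection (state NEW) are matched per port.
    # UDP 53 is left stateless: every query is a new flow anyway.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $fix_ip -d $local_ip -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -d $local_ip -j ACCEPT
-A INPUT -p tcp --dport 53 -d $local_ip -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -d $local_ip -m state --state NEW -j ACCEPT
COMMIT
EOF
}
# Syntax check without committing (sample addresses are constructed):
#   build_ruleset 203.0.113.10 192.0.2.20 | iptables-restore --test
```

Port 21 is omitted because SFTP runs over the SSH connection on port 22 and needs no rule of its own.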



