RE: CLOSING a web server!!!!!!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
That's odd...
It was attached to the mail in my sent items, but I will include it
below.
<-----SNIP----->
#!/bin/bash
# Charlie's Firewall Script for dmz server
IPTABLES=/sbin/iptables
# Address allowed to reach FTP and SSH; the script refuses to run
# (rather than emitting "-s" with no argument) until it is set
YOUR_FIXED_IP=${YOUR_FIXED_IP:?set YOUR_FIXED_IP to your fixed admin address}
# Flush existing chains
$IPTABLES -t filter -F
$IPTABLES -X
# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Create custom chains
#$IPTABLES -N
# Chains
# ====================================================================
# allow loopback, it's handy
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
# Allow new connections to global services
# FTP (from the fixed admin address only)
$IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 21 \
    -m limit -m state --state NEW -j LOG --log-level notice \
    --log-prefix "|-FW-| New FTP Connection "
$IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 21 \
    -m state --state NEW -j ACCEPT
# SSH (from the fixed admin address only)
$IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 22 \
    -m state --state NEW -j LOG --log-level notice \
    --log-prefix "|-FW-| New SSH Connection "
$IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 22 \
    -m state --state NEW -j ACCEPT
# DNS (udp/53; the posted copy labelled these two rules "HTTP")
$IPTABLES -t filter -A INPUT -p udp --dport 53 -m state --state NEW \
    -j LOG --log-level notice --log-prefix "|-FW-| New DNS Connection "
$IPTABLES -t filter -A INPUT -p udp --dport 53 -m state --state NEW \
    -j ACCEPT
# HTTP
$IPTABLES -t filter -A INPUT -p tcp --dport 80 -m state --state NEW \
    -j LOG --log-level notice --log-prefix "|-FW-| New HTTP Connection "
$IPTABLES -t filter -A INPUT -p tcp --dport 80 -m state --state NEW \
    -j ACCEPT
# HTTPS
$IPTABLES -t filter -A INPUT -p tcp --dport 443 -m state --state NEW \
    -j LOG --log-level notice --log-prefix "|-FW-| New HTTPS Connection "
$IPTABLES -t filter -A INPUT -p tcp --dport 443 -m state --state NEW \
    -j ACCEPT
# POP3 (disabled; uncomment both rules to open it)
#$IPTABLES -t filter -A INPUT -p tcp --dport 110 -m state --state NEW \
#    -j LOG --log-level notice --log-prefix "|-FW-| New POP3 Connection "
#$IPTABLES -t filter -A INPUT -p tcp --dport 110 -m state --state NEW \
#    -j ACCEPT
# Enable connection tracking
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
<-----SNIP----->
As I stated before, you may want to add rate limiting to the logging
rules, or comment them out entirely so they don't flood your logs.
regards,
Charlie
============================================
Charles Kidson
System Administrator
IT Department
General Pants Group
Phone 02 9290 0813
Mobile 0428 61 77 66
Fax 02 9299 6485
email charlesk@generalpants.com.au
============================================
-----Original Message-----
From: Iñaki Martínez [mailto:debian@euskal-linux.org]
Sent: Saturday, February 08, 2003 1:59 AM
To: charlie
Cc: debian-firewall@lists.debian.org
Subject: Re: CLOSING a web server!!!!!!
Hi charlie!!!
> try the attached script...
You forgot the script...... ;-)
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPkbLseKOnQxUO+5DEQJ/uwCggp4mX1L/u4VxIzybeczE90wzM6sAn3WS
0DfYCb3T//VlIJVU61rkAE6i
=qiBD
-----END PGP SIGNATURE-----
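The rate limiting Charlie suggests for the LOG rules, as an added example that is not part of his script or of this thread: a small helper that emits each service's LOG rule with "-m limit" and builds the log prefix from the service name, so a rule cannot carry another service's label the way the posted DNS and HTTPS rules did. The function names allow_service and build_ruleset, the admin address 192.0.2.10 (an RFC 5737 documentation address) and the budget of 3 log lines per minute with a burst of 5 are assumptions made for the example. Run with no arguments it only prints the iptables commands it would issue (IPTABLES=echo); run as root with --apply it loads them.

```shell
#!/bin/sh
# Added example, not Charlie's script: iptables service rules with
# rate-limited logging. Dry-run by default; --apply loads the rules.
IPTABLES=echo
[ "${1:-}" = "--apply" ] && IPTABLES=/sbin/iptables

# Assumed values: documentation address for the admin host, and a log
# budget of 3 lines/min with a burst of 5 for each service.
ADMIN_IP=${ADMIN_IP:-192.0.2.10}
LOG_LIMIT=${LOG_LIMIT:-3/min}
LOG_BURST=${LOG_BURST:-5}

# allow_service NAME PROTO PORT [SOURCE]
# Emits a LOG rule for NEW connections, capped by -m limit so a SYN flood
# cannot fill the disk with log lines, followed by the ACCEPT rule.
# The log prefix is derived from NAME, so it cannot drift from the port.
allow_service() {
    local name proto port src src_arg
    name=$1; proto=$2; port=$3; src=${4:-}
    src_arg=""
    [ -n "$src" ] && src_arg="-s $src"
    # $src_arg is unquoted on purpose: it must split into "-s ADDR" or vanish
    $IPTABLES -t filter -A INPUT $src_arg -p "$proto" --dport "$port" \
        -m state --state NEW \
        -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
        -j LOG --log-level notice --log-prefix "|-FW-| New $name Connection "
    $IPTABLES -t filter -A INPUT $src_arg -p "$proto" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# build_ruleset: flush, default-deny, loopback, stateful accept, then the
# per-service rules. The ESTABLISHED,RELATED rule sits before the service
# rules so only genuinely new connections reach the LOG/ACCEPT pairs.
build_ruleset() {
    $IPTABLES -t filter -F
    $IPTABLES -t filter -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
    $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_service FTP   tcp 21  "$ADMIN_IP"
    allow_service SSH   tcp 22  "$ADMIN_IP"
    allow_service DNS   udp 53
    allow_service HTTP  tcp 80
    allow_service HTTPS tcp 443
    $IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

build_ruleset
```

Because every rule goes through $IPTABLES, reviewing the dry-run output before running with --apply is the whole test procedure: each service should show exactly one LOG line carrying "--limit" and one ACCEPT line, and nothing else should mention LOG.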