
RE: CLOSING a web server!!!!!!



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That's odd...

It was attached to the mail in my sent items, but I will include it
below.

<-----SNIP----->
#!/bin/bash
# Charlie's Firewall Script for dmz server

    IPTABLES=/sbin/iptables

    # Address of the admin host allowed to reach FTP and SSH. The script
    # aborts if it is unset: "-s" with an empty argument would swallow the
    # following "-p" and iptables would reject the rule.
    YOUR_FIXED_IP=${YOUR_FIXED_IP:?set YOUR_FIXED_IP to the admin host address}

# Flush existing chains
    $IPTABLES -t filter -F
    $IPTABLES -X

# Set default policies
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

# Create custom chains
    #$IPTABLES -N

# Chains
# ====================================================================

    # allow loopback, it's handy
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT

# Allow new connections to global services

    # FTP (control channel; the data connections are accepted by the
    # RELATED rule below, which needs the ip_conntrack_ftp / nf_conntrack_ftp
    # helper loaded). "-m limit" with no arguments allows 3 log entries per
    # hour with a burst of 5; it is placed after the state match so that only
    # NEW packets use up log tokens (matches are evaluated left to right).
    $IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 21 \
        -m state --state NEW -m limit \
        -j LOG --log-level notice --log-prefix "|-FW-| New FTP Connection "
    $IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT

    # SSH
    $IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 22 \
        -m state --state NEW \
        -j LOG --log-level notice --log-prefix "|-FW-| New SSH Connection "
    $IPTABLES -t filter -A INPUT -s $YOUR_FIXED_IP -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # DNS (udp/53)
    $IPTABLES -t filter -A INPUT -p udp --dport 53 -m state --state NEW \
        -j LOG --log-level notice --log-prefix "|-FW-| New DNS Connection "
    $IPTABLES -t filter -A INPUT -p udp --dport 53 -m state --state NEW \
        -j ACCEPT

    # HTTP
    $IPTABLES -t filter -A INPUT -p tcp --dport 80 -m state --state NEW \
        -j LOG --log-level notice --log-prefix "|-FW-| New HTTP Connection "
    $IPTABLES -t filter -A INPUT -p tcp --dport 80 -m state --state NEW \
        -j ACCEPT

    # HTTPS
    $IPTABLES -t filter -A INPUT -p tcp --dport 443 -m state --state NEW \
        -j LOG --log-level notice --log-prefix "|-FW-| New HTTPS Connection "
    $IPTABLES -t filter -A INPUT -p tcp --dport 443 -m state --state NEW \
        -j ACCEPT

    # POP3 (disabled)
    #$IPTABLES -t filter -A INPUT -p tcp --dport 110 -m state --state NEW \
    #    -j LOG --log-level notice --log-prefix "|-FW-| New POP3 Connection "
    #$IPTABLES -t filter -A INPUT -p tcp --dport 110 -m state --state NEW \
    #    -j ACCEPT

# Enable connection tracking
    # Accept replies and related traffic (e.g. FTP data) for connections
    # allowed above. Anything else falls through to the DROP policy.
    $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED \
        -j ACCEPT

<-----SNIP----->

As I stated before, you may want to add rate limiting to the logging
rules, or comment them out entirely so they don't flood your logs.

regards,

Charlie


============================================
Charles Kidson
System Administrator
IT Department
General Pants Group

Phone 02 9290 0813
Mobile 0428 61 77 66
Fax 02 9299 6485
email charlesk@generalpants.com.au
============================================

-----Original Message-----
From: Iñaki Martínez [mailto:debian@euskal-linux.org]
Sent: Saturday, February 08, 2003 1:59 AM
To: charlie
Cc: debian-firewall@lists.debian.org
Subject: Re: CLOSING a web server!!!!!!


HI charlie!!!

> try the attached script...

 You forgot the script...... ;-)



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPkbLseKOnQxUO+5DEQJ/uwCggp4mX1L/u4VxIzybeczE90wzM6sAn3WS
0DfYCb3T//VlIJVU61rkAE6i
=qiBD
-----END PGP SIGNATURE-----
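The rate limiting on the logging rules that Charlie mentions, as an added example that is not part of his script or the original post: a small bash helper that appends the "log, then accept" pair for one service, with `-m limit` on the LOG rule only, plus a final rate-limited LOG of what the DROP policy discards. The function names, the `DRY_RUN`/`--apply` switch and the address 203.0.113.5 (a documentation address standing in for `$YOUR_FIXED_IP`) are choices made for this example.

```shell
#!/bin/bash
# Added example, not Charlie's script: "log, then accept" rules for one
# service with the LOG rule rate limited by -m limit, so a port scan or a
# busy web server cannot flood syslog. Function names, DRY_RUN and the
# address 203.0.113.5 (a documentation address) are assumptions made for
# this example. Run with --apply as root to load the rules; otherwise the
# rules are only printed.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=1
[ "${1:-}" = "--apply" ] && DRY_RUN=0

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# allow_service PROTO PORT LABEL [SOURCE]
# LOG rule: at most 3 lines per minute with a burst of 5. The limit match
# comes after the state match so that only NEW packets consume tokens
# (iptables evaluates matches left to right and stops at the first miss).
# ACCEPT rule: no limit, so the log limit never drops real connections.
allow_service() {
    local proto=$1 port=$2 label=$3 src=${4:-} srcopt=""
    [ -n "$src" ] && srcopt="-s $src"
    # $srcopt is unquoted on purpose: it expands to nothing or to two words.
    ipt -t filter -A INPUT $srcopt -p "$proto" --dport "$port" \
        -m state --state NEW \
        -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-level notice --log-prefix "|-FW-| New $label Connection "
    ipt -t filter -A INPUT $srcopt -p "$proto" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Log what the DROP policy is about to discard, one line per minute with a
# burst of 10, so a scan still shows up without drowning the log.
log_dropped() {
    ipt -t filter -A INPUT -m limit --limit 1/minute --limit-burst 10 \
        -j LOG --log-level warning --log-prefix "|-FW-| Dropped "
}

# The services from the script above, with rate-limited logging.
allow_service tcp 22 SSH "${ADMIN_IP:-203.0.113.5}"
allow_service udp 53 DNS
allow_service tcp 80 HTTP
allow_service tcp 443 HTTPS
ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
log_dropped
```

Without `--apply` the script prints the rules it would load, which is also a convenient way to review the order: the ACCEPT rule carries no limit match, so exhausting the log bucket only silences the log line, never the connection.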



