Re: newbie firewall recommendation
What I did first was to drop all defaults installed:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Then I edited to allow ports I want open:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
I followed the same guideline for OUTPUT, so my tables look something
like:
iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
I guess the question now is: is this sufficient security? I'm only running 3
applications on the server: exim, squirrelmail and apache (basically a web
and mail server). nmapping my IP shows:
(The 1542 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
13/tcp open daytime
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
143/tcp open imap2
220/tcp open imap3
515/tcp open printer
1024/tcp open kdm
Which of these should I worry about (if any)?
On Wed, 4 Jun 2003, Bernd Eckenfels wrote:
> On Tue, Jun 03, 2003 at 10:37:38PM -0700, Richard Cochinos wrote:
> > This is a very simple server - X hasn't been installed - so any GUI
> > interfaces won't help me. Ideally I want only to open 4 ports: 22, 25, 80 and
> > 443.
>
> Well, you can use "netstat -lpetu" (as root) to see the open ports on the
> system. If ssh, smtp and web are the only open ports, there is actually no
> need for a firewall.
>
> If you want to be sure nobody can expose additional ports of the system,
> you can use a simple ipchains script with 4+1 accept rules and deny
> everything else. No need for a firewall builder package or anything else to
> protect a host which is no router.
>
> Greetings
> Bernd
> --
> (OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
> ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
> o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
> (O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
-richard
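The "4+1 accept rules and deny everything else" ruleset Bernd describes, written out as an added example (it is not code from either poster): a small sh function that emits an iptables-restore file for a non-routing host. It assumes the four ports from the thread, adds the loopback and stateful reply rules that a plain per-port OUTPUT list cannot express, and assumes the host needs outbound DNS and SMTP. Note that the `iptables -L` listing above shows `policy ACCEPT`, which is why the extra listeners in the nmap scan are still reachable; here the policies are DROP, so a daemon such as sunrpc or printer is unreachable even if it is running.

```shell
#!/bin/sh
# Constructed example: generate an iptables-restore ruleset that accepts only
# the listed TCP service ports (plus loopback and established replies) and
# drops everything else on a host that does no routing.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # The "+1": loopback must stay open or local mail/web components break.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Stateful rules let replies to accepted connections flow both ways;
    # reply packets carry an ephemeral destination port, so OUTPUT rules
    # matching --dport 22/25/80/443 alone would not cover them.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Drop TCP packets that claim to open a connection without a SYN.
    printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Outbound: DNS lookups and SMTP delivery are what a mail/web host needs.
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT'
    # Log (rate-limited) what gets dropped so unexpected traffic shows up in syslog.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# Sanity check: number of service ports the ruleset opens inbound.
count_service_rules() {
    build_rules "$@" | grep -c -- '-A INPUT -p tcp --dport'
}

build_rules 22 25 80 443
# Apply only when explicitly asked (APPLY=1, as root, after reviewing the
# printed rules); nothing is changed on the host otherwise.
if [ "${APPLY:-0}" = 1 ]; then
    build_rules 22 25 80 443 | iptables-restore
fi
```

After loading the rules, `netstat -lpetu` (as Bernd suggests) still shows which daemons listen; the firewall only decides which of them are reachable from outside.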