Re: secured server policies
Alexandr Shurigin wrote:
> Hello guys,
>
> I have a problem. I have read and read, and I think it is better to ask the professionals :)
>
> I have a server which must have only ports 80 and 22 open. All other
> ports I want to close with iptables.
>
> Which rules must I use?
>
> Thanks. Have a good day :)
>
> --
> Best regards, Alexandr Shurigin
> icq 254106594
> email: ya@phpdude.ru
> phone: +7 902 265 81 66
Hello,
There are several ways to do that, and it depends on many things. For example:
# Deny all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#Allowing incoming http traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#Allowing outgoing established and related http traffic
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allowing incoming ssh traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#Allowing outgoing established and related ssh traffic
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
#If you want to update your server from the Internet you should allow
#dns communication and outgoing http traffic
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
You could also use the multiport module; here is another example:
iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT
There are many possibilities, and I think you should read this material,
it is very good:
http://www.sns.ias.edu/~jns/files/iptables_ruleset
http://linuxgazette.net/108/odonovan.html
If you have any questions, please post them here.
Bye.
Daniel.
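As an added example (not from Daniel's reply or the list), the same "only 22 and 80" policy as a complete iptables-restore ruleset. It fills in what the quick rules above leave out: loopback, one stateful rule per direction for all return traffic, dropping INVALID packets, and a rate-limited log of dropped probes. The `conntrack` match is used in place of the older `state` match, and outbound 443 is assumed in addition to the 53/80 the reply mentions, since most package mirrors are now https.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a host that
# exposes only TCP 22 and 80. gen_rules only prints the ruleset;
# apply_rules loads it (needs root). Assumption: outbound 443 is also
# wanted for package updates; drop that line if not.
gen_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must always pass, or local services (resolver, database) break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Return traffic for any connection already accepted, in both directions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets belonging to no known connection (scans, stray RST/ACK)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only services exposed: ssh and http
-A INPUT -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: DNS, plus http/https so the package manager can fetch updates
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log what is dropped (rate limited) so port probes show up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Atomically replace the current filter table with the ruleset above.
apply_rules() {
    gen_rules | iptables-restore
}
```

Run `gen_rules` first to review the output, then `apply_rules` as root; iptables-restore loads the whole table in one step, so there is no window with a half-built policy as there is when running individual iptables commands.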