
Re: Iptables example for mail/web/openvpn server

2012/2/15 Raven <raven@vp44.net>:
> Hi guys.
> I need some help in designing a simple iptables ruleset for a small
> server I have recently set up.
> It's a VPS so the primary interface is venet0 with a public ip. The
> server also runs an openvpn daemon with a subnet.
> There is obviously no need for NAT or packet forwarding. All outbound
> traffic should be allowed while inbound data is to be accepted only on
> ports 80, 443, 25, 587 and 1194 (tcp,udp).
> Could you give me a rough idea of what a firewall script should look
> like?
> Thanks
> -RV
> --
> Archive: http://lists.debian.org/1329318511.7003.7.camel@osmosis.gnet.eu

Hi there,

Depending on what kind of complexity you want, you could use a few
iptables lines added at some place like /etc/rc... or somewhere..

like: (this one is valid)

## flush old rules
iptables -F
# rules
# loopback, and replies to connections the server itself opened
# (outbound traffic is allowed, so its return packets must be accepted)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections to the web and mail ports
# (--sport 1024: rejects clients using a privileged source port; drop it if unwanted)
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# new connections to openvpn
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p udp --sport 1024: --dport 1194 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# default policy (set last, once the accept rules are in place)
iptables -P INPUT DROP

Or use the same schema, but using a rule for each connection, like:
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
etc.. (using that you will see some usage statistics)

Or you could use a more complex schema, using in detail the 'state'
module or even managing per-packet-per-protocol flags

I think if you give me more details about the environment of the
server, I could help you being more explicit.

For example:

· IPv6 use, or support?
· Complex firewall as a service management?
· How many clients are going to use the server?
· What about the scalability factor? Do you plan to expand the server
in the future?
· Is the server in your house, or is it a testing server, so
availability and security could be forgiven in favor of a quick


/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */
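A complete version of the ruleset the original poster asked for, added here as an example rather than taken from the reply above. It assumes the interface name venet0 from the question, a constructed placeholder address 198.51.100.10, and that the OpenVPN side is tun0; by default it only prints the rules for review and applies them only when run as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original post. Interface, address and VPN
# interface below are assumptions: adjust them before applying.
IFACE="${IFACE:-venet0}"
PUBLIC_IP="${PUBLIC_IP:-198.51.100.10}"   # constructed placeholder address
VPN_IF="${VPN_IF:-tun0}"                  # assumed openvpn tun interface
TCP_PORTS="25,80,443,587"                 # add 22 here if you manage it over ssh,
UDP_PORT="1194"                           # or you will lock yourself out
# Print the rules one per line instead of executing them, so the set can be
# reviewed (or compared with `iptables -S INPUT`) before it is applied. The
# policy stays ACCEPT while the chain is rebuilt and becomes DROP only once
# every rule is in place, so re-running does not cut off the current session.
build_rules() {
    cat <<EOF
-P INPUT ACCEPT
-F INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $IFACE -d $PUBLIC_IP -p tcp -m multiport --dports $TCP_PORTS -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -d $PUBLIC_IP -p udp --dport $UDP_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $VPN_IF -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-P INPUT DROP
EOF
}

# True when a TCP port is reachable from the public interface; check your
# management port with this before applying.
allows_tcp_port() {
    echo ",$TCP_PORTS," | grep -q ",$1,"
}

# Number of rules that accept NEW connections arriving on the public
# interface; it should stay at two (web/mail over tcp, openvpn over udp).
count_public_entry_rules() {
    build_rules | grep -c -- "-i $IFACE .* --state NEW -j ACCEPT"
}

# Feed the reviewed rules to iptables, stopping at the first failure
# (word splitting of $rule is intended).
apply_rules() {
    build_rules | while IFS= read -r rule; do
        iptables $rule || { echo "failed: iptables $rule" >&2; exit 1; }
    done
}

if [ "$1" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_rules
else
    build_rules
fi
```

The tun0 rule trusts VPN clients with every service on the server; narrow it to the same ports if that is not what you want.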
