Re: Iptables example for mail/web/opevpn server

To: raven@vp44.net
Cc: debian-firewall@lists.debian.org
Subject: Re: Iptables example for mail/web/opevpn server
From: Arturo Borrero Gonzalez <cer.inet@linuxmail.org>
Date: Wed, 15 Feb 2012 19:25:12 +0100
Message-id: <[🔎] CAPfcJasFyE-rsfOgbfYCtSfC-K=WszVorSp-a1A_16cgNdUmSw@mail.gmail.com>
In-reply-to: <[🔎] 1329318511.7003.7.camel@osmosis.gnet.eu>
References: <[🔎] 1329318511.7003.7.camel@osmosis.gnet.eu>

2012/2/15 Raven <raven@vp44.net>:
> Hi guys.
> I need some help in designing a simple iptables ruleset for a small
> server I have recently set up.
>
> It's a VPS so the primary interface is venet0 with a public ip. The
> server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
>
> There is obviously no need for NAT or packet forwarding. All outbound
> traffic should be allowed while inbound data is to be accepted only on
> ports 80, 443, 25, 587 and 1194 (tcp,udp).
>
> Could you give me a rough idea of what a firewall script should look
> like?
>
> Thanks
>
> -RV
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 1329318511.7003.7.camel@osmosis.gnet.eu">http://lists.debian.org/[🔎] 1329318511.7003.7.camel@osmosis.gnet.eu
>

Hi there,

Depending on what kind of complexity you want, you could use a few
iptables lines added at some place like /etc/rc... or somewhere..

like: (this one is valid)

## flush old rules
iptables -F
# rules
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: -m multiport  --dports 80,443,25,587 \
-m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i venet0 -d your_ip \
-p udp --sport 1024: --dport 1194 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# default policy
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
##

Or use the same schema, but using a rule for each connection, like:
iptables -t filter -A INPUT -i venet0 -d ip \
-p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED
-j ACCEPT
iptables -t filter -A INPUT -i venet0 -d ip \
-p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED
-j ACCEPT
etc.. (using that you will see some usage statistics)

Or you could use a more complex schema, using in detail the 'state'
module or even managing per-package-per-protocol flags

I think if you give me more details about the environment of the
server, I could help you being more explicit.

For example:

· Ipv6 use, or support?
· Complex firewall as a service management?
· How many clients are going to use the server?
· What about the scalability factor? Do you plan to expand the server
in a future?
· Is the server in your house or it's a testing server, so
availability and security could be forgiven in favor of a quick
setting?


regards.

-- 
/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */

Reply to:

Follow-Ups:
- Re: Iptables example for mail/web/opevpn server
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
- Re: Iptables example for mail/web/opevpn server
  - From: Stephan Balmer <sb@cis.ch>
- Re: Iptables example for mail/web/opevpn server
  - From: Raven <raven@vp44.net>

References:
- Iptables example for mail/web/opevpn server
  - From: Raven <raven@vp44.net>

Prev by Date: Iptables example for mail/web/opevpn server
Next by Date: Re: Iptables example for mail/web/opevpn server
Previous by thread: Iptables example for mail/web/opevpn server
Next by thread: Re: Iptables example for mail/web/opevpn server
Index(es):
- Date
- Thread