
Re: Iptables example for mail/web/opevpn server



It's important to know when the rules are actually put in place during the boot process. This can be controlled via its index in /etc/rc.*. A more interface-specific location would be /etc/network/{if-down.d,if-post-down.d,if-pre-up.d,if-up.d}. Also note that the OpenVPN devices can be referenced as tun+ rather than the absolute device name.

--
Cory Oldford
PeaceWorks Computer Consulting
#1 - 396 Assiniboine Ave, Winnipeg
204 480 0314   --or--   519 725 7875, ext 6010.

----- Original Message -----
From: "Arturo Borrero Gonzalez" <cer.inet@linuxmail.org>
To: raven@vp44.net
Cc: debian-firewall@lists.debian.org
Sent: Wednesday, February 15, 2012 12:25:12 PM GMT -06:00 US/Canada Central
Subject: Re: Iptables example for mail/web/opevpn server

2012/2/15 Raven <raven@vp44.net>:
> Hi guys.
> I need some help in designing a simple iptables ruleset for a small
> server I have recently set up.
>
> It's a VPS so the primary interface is venet0 with a public ip. The
> server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
>
> There is obviously no need for NAT or packet forwarding. All outbound
> traffic should be allowed while inbound data is to be accepted only on
> ports 80, 443, 25, 587 and 1194 (tcp,udp).
>
> Could you give me a rough idea of what a firewall script should look
> like?
>
> Thanks
>
> -RV
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/1329318511.7003.7.camel@osmosis.gnet.eu
>

Hi there,

Depending on what kind of complexity you want, you could use a few
iptables lines added at some place like /etc/rc... or somewhere similar..

like: (this one is valid)

## flush old rules
iptables -F
# rules
# loopback and replies to connections this host opened; without these the
# DROP policy below would also block answers to outbound traffic (DNS, apt)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# published services (1194 included here for OpenVPN over TCP, as requested)
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: -m multiport --dports 80,443,25,587,1194 \
-m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p udp --sport 1024: --dport 1194 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# default policy
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
##

Or use the same schema, but using a rule for each connection, like:
iptables -t filter -A INPUT -i venet0 -d ip \
-p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED \
-j ACCEPT
iptables -t filter -A INPUT -i venet0 -d ip \
-p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED \
-j ACCEPT
etc. (using that, you will see some usage statistics)

Or you could use a more complex schema, using the 'state' module in
detail or even managing per-packet, per-protocol flags.

I think if you give me more details about the environment of the
server, I could be more explicit.

For example:

· IPv6 use, or support?
· Complex firewall as a service management?
· How many clients are going to use the server?
· What about the scalability factor? Do you plan to expand the server
in the future?
· Is the server in your house, or is it a testing server, so that
availability and security could be traded for a quick setup?


regards.

--
/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAPfcJasFyE-rsfOgbfYCtSfC-K=WszVorSp-a1A_16cgNdUmSw@mail.gmail.com
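The following is an added example, not code posted by either Arturo or Cory. It combines the two replies: Arturo's port list, plus the loopback and ESTABLISHED,RELATED accepts that a DROP policy on INPUT otherwise makes necessary, plus Cory's two points (install the script under /etc/network/if-pre-up.d/ so it is in place before the interface carries traffic, and reference the OpenVPN side as tun+). It loads everything through iptables-restore so that policies and rules change in one atomic step, with no window in which the table is flushed or INPUT is DROP without the ESTABLISHED rule. Assumed, not taken from the thread: the file name firewall, the variable names PUB_IF and VPN_NET, the defaults venet0 and 172.16.0.0/24 (Raven's values), and that VPN clients may reach every service on the server.

```shell
#!/bin/sh
# Added example: /etc/network/if-pre-up.d/firewall (name chosen here).
# ifupdown runs every script in that directory with IFACE set to the
# interface being configured; this script only acts for the public one.
# Assumptions: public interface venet0, OpenVPN on tun+ serving
# 172.16.0.0/24, services on 25,80,443,587/tcp and 1194/tcp+udp.

PUB_IF="${PUB_IF:-venet0}"
VPN_NET="${VPN_NET:-172.16.0.0/24}"
TCP_PORTS="25,80,443,587,1194"

# Emit the ruleset in iptables-restore(8) format. Lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in place.
# Policies are committed together with the rules, so there is never a
# moment with INPUT DROP and no ESTABLISHED rule (which would cut off the
# SSH session doing the work), nor one with the table flushed and open.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: many daemons talk to themselves over 127.0.0.1
-A INPUT -i lo -j ACCEPT
# replies to connections the server opened (DNS, apt, outbound SMTP)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify never reach the per-port rules
-A INPUT -m state --state INVALID -j DROP
# published services, on the public interface only
-A INPUT -i $PUB_IF -p tcp -m multiport --dports $TCP_PORTS -m state --state NEW -j ACCEPT
-A INPUT -i $PUB_IF -p udp --dport 1194 -m state --state NEW -j ACCEPT
# VPN clients arrive on any tun device (tun+), from the VPN subnet only
-A INPUT -i tun+ -s $VPN_NET -j ACCEPT
COMMIT
EOF
}

# Apply atomically: iptables-restore parses and validates the whole set
# first and, on any error, leaves the currently loaded rules untouched.
apply_rules() {
    gen_rules | iptables-restore
}

# Number of explicit INPUT rules in the generated set (for self-checks).
input_rule_count() {
    gen_rules | grep -c '^-A INPUT'
}

# Self-check: every rule that accepts NEW traffic must name an interface,
# otherwise a port meant for the public side is also open on tun+.
# Prints the number of offending rules (0 is what we want).
unscoped_new_accepts() {
    gen_rules | grep -- '--state NEW' | grep -vc -- '-i ' || true
}

# Under ifupdown, act only when the public interface comes up and we are
# root; otherwise (e.g. when sourced for review) just define the functions.
if [ "${IFACE:-}" = "$PUB_IF" ] && [ "$(id -u)" = 0 ]; then
    apply_rules
fi
```

Before installing, a dry run is possible with `gen_rules | iptables-restore --test`, which parses and builds the ruleset without committing it. The per-port rules carry only `--state NEW`; the single ESTABLISHED,RELATED rule near the top matches the rest of every flow, so the per-port counters (`iptables -L INPUT -v -n`) count new connections rather than packets.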