Re: Recommended Web Server Ports Open?
On Tue, Aug 16, 2005 at 02:16:40PM -0400, Fred OGrady wrote:
> Is there a recommended Lockdown that will allow the safest use of my
> Debian Sarge box on the Net?
Yes - a default deny iptables-based firewall.
First, if you need a brush-up on networking concepts, read [1].
Either way, give [2] a perusal. Here's what you'll do next:
# apt-get install iptables
# $EDITOR /etc/firewall.rules
Paste in the following (adapted from [3]):
*filter
:INPUT ACCEPT [363:465980]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [364:19123]
:block - [0:0]
-A INPUT -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m state --state NEW -j ACCEPT
-A block -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A block -j DROP
COMMIT
Where 'eth0' is your primary network interface (it might be ppp0 if you
use dial-up); and the 8080 rule is for your web server (which you could
run on another port by adjusting that rule as required).
Edit /etc/network/interfaces, and add the following to your primary
interface:
pre-up iptables -F
pre-up iptables-restore < /etc/firewall.rules
(see /usr/share/doc/iptables/README.Debian.gz for rationale)
Next time you up your interface, the firewall rules will first be
cleared and then the ones in /etc/firewall.rules loaded. Either drop and
restore your interface, or do the latter step manually right now:
# iptables-restore < /etc/firewall.rules
Check you have 'em in:
# iptables -L
> Security Events
The listed events show failed attempts to access your box. By disabling
external access to ssh, these will not appear.
[1] http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html
[2] http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
[3] http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html
--
Jon Dowland http://jon.dowland.name/
FD35 0B0A C6DD 5D91 DB7A 83D1 168B 4E71 7032 F238
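As an added example (not part of Jon's reply, and not a Debian or netfilter script), the following POSIX shell generates an iptables-restore ruleset with the same default-deny shape as the one above, for any interface and any number of TCP ports, and sanity-checks the file before you load it. The interface name, the ports and the output path are caller-supplied assumptions; the rule syntax is the one used in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates and checks a
# default-deny iptables-restore file like the one posted above.
# Assumptions: POSIX sh; the "-m state" match and the "block" chain
# layout from the mail; interface and ports are supplied by the caller.

# gen_firewall_rules IFACE PORT [PORT...]
# Prints a complete *filter table: replies to our own connections and
# loopback traffic are accepted, the listed TCP ports are accepted on
# IFACE, everything else is dropped. Ends with COMMIT, which
# iptables-restore requires to apply the table at all.
gen_firewall_rules() {
    iface=$1
    shift
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':block - [0:0]' \
        '-A INPUT -j block' \
        '-A block -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A block -i lo -m state --state NEW -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A block -i $iface -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A block -j DROP' 'COMMIT'
}

# check_rules FILE
# Returns 0 if FILE opens a *filter table, finishes with COMMIT, and the
# last rule appended to the block chain is the catch-all DROP (so nothing
# added later can accidentally sit after it); returns 1 with a reason
# on stderr otherwise. Run this before "iptables-restore < FILE".
check_rules() {
    grep -qxF '*filter' "$1" || { echo "missing *filter" >&2; return 1; }
    grep -qxF 'COMMIT' "$1"  || { echo "missing COMMIT: iptables-restore would not apply the table" >&2; return 1; }
    last_rule=$(grep '^-A block' "$1" | tail -n 1)
    [ "$last_rule" = "-A block -j DROP" ] || { echo "block chain does not end in DROP" >&2; return 1; }
    return 0
}

# Usage (constructed sample): web server on 8080 and 443 behind eth0.
# Loading the file needs root and is deliberately left to you:
#   iptables-restore < /tmp/firewall.rules.example
gen_firewall_rules eth0 8080 443 > /tmp/firewall.rules.example
check_rules /tmp/firewall.rules.example && echo "rules file OK"
```

The check is cheap insurance for the step in the mail where the file is loaded from a pre-up hook: a ruleset missing its COMMIT, or with an ACCEPT appended after the DROP, fails silently at boot and you are left with the default ACCEPT policy on INPUT.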