Re: Recommended Web Server Ports Open?

[Jon Dowland <lists@alcopop.org>]

On Tue, Aug 16, 2005 at 02:16:40PM -0400, Fred OGrady wrote:
>  Is there a recommended Lockdown that will allow the safest use of my
>  Debian Sarge box on the Net?

Yes - a default deny iptables-based firewall.

First, if you need a brush-up on networking concepts, read [1].

Either way give [2] a perusal. Here's what you'll do next:

# apt-get install iptables
# $EDITOR /etc/firewall.rules

Paste in the following (adapted from [3]):

*filter
:INPUT ACCEPT [363:465980]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [364:19123]
:block - [0:0]
-A INPUT -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m state --state NEW -j ACCEPT
-A block -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A block -j DROP

Where 'eth0' is your primary network interface (it might be ppp0 if you
use dial-up); and the 8080 rule is for your web server (which you could
run on another port by adjusting that rule as required).

edit /etc/network/interfaces, and add the following to your primary
interface:

pre-up iptables -F 
pre-up iptables-restore < /etc/firewall.rules

(see /usr/share/doc/iptables/README.Debian.gz for rationale)

Next time you up your interface, the firewall rules will first be
cleared and then the ones in /etc/firewall.rules loaded. Either drop and
restore your interface, or do the latter step manually right now:

# iptables-restore < /etc/firewall.rules

Check you have 'em in

# iptables -L

> Security Events

The listed events show failed attempts to access your box. By disabling
external access to ssh, these will not appear.

[1] http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html
[2] http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
[3] http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html

-- 
Jon Dowland               http://jon.dowland.name/
FD35 0B0A C6DD 5D91 DB7A  83D1 168B 4E71 7032 F238