iptables is the default firewall available in all Linux flavors, and it is widely used to secure servers. If you are running Kloxo and want to use iptables to secure your box, here are the basic rules you can add to your iptables configuration.
```bash
#!/bin/bash
# Clear rules
iptables -t filter -F
iptables -t filter -X
echo - Clear rules : [OK]

# SSH In (sshd listens on port 223 on this box; adjust to your own sshd port
# before running, otherwise the DROP policy below locks you out)
iptables -t filter -A INPUT -p tcp --dport 223 -j ACCEPT
echo - SSH : [OK]

# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - established connections : [OK]

# Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo - Block all connections : [OK]

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - Loopback : [OK]

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - PING : [OK]

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo - DNS : [OK]

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo - NTP : [OK]

# FTP Out (control ports plus the passive data range)
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
# FTP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo - FTP : [OK]

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo - HTTP/HTTPS : [OK]

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo - SMTP : [OK]

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo - POP : [OK]

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo - IMAP : [OK]

# Kloxo (control panel on 7777/7778)
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
echo - Kloxo : [OK]
echo - Firewall : [OK]

# save iptables (writes the ruleset so the iptables service reloads it at boot)
service iptables save
echo - Firewall Saved : [OK]

# restart firewall
service iptables restart
echo - Firewall restarted : [OK]
```
You can simply download this script from here, and then run:
```bash
[root@mailserver1 ~]# wget http://www.techat.net/wp-content/myuploads/2010/12/fw.txt
[root@mailserver1 ~]# mv fw.txt fw
[root@mailserver1 ~]# chmod 755 fw
[root@mailserver1 ~]# ./fw
```
If you have read my article on protection from SYN flooding DoS attacks, you can include those rules in iptables as well:
```bash
# SYN flooding protection rules
# create new chain (it only takes effect once a rule in INPUT jumps to it)
iptables -N syn-flood
# limit incoming packets
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
# log attacks
iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
# silently drop the rest
iptables -A syn-flood -j DROP
echo - SYN flooding protection : [OK]
```
You can download the firewall file including those rules from here:
```bash
[root@mailserver1 ~]# wget http://www.techat.net/wp-content/myuploads/2010/12/fw-syn-flooding-protection-included.txt
[root@mailserver1 ~]# mv fw-syn-flooding-protection-included.txt fw
[root@mailserver1 ~]# chmod 755 fw
[root@mailserver1 ~]# ./fw
```
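Before trusting a ruleset like the one above, it is worth reading it back the way the kernel holds it rather than the way the script wrote it. The following is an added example, not part of the original post or of the downloadable fw script. It audits an iptables-save style dump offline: the dump embedded in `RULES` is constructed here to mirror the INPUT rules the script loads plus the `syn-flood` chain from the second snippet (on a live box you would set `RULES` from the real `iptables-save` output instead). It reports the default policies, the ports the INPUT chain accepts, and whether the `syn-flood` chain is actually jumped to. As in the snippet above, the chain is created and populated but nothing sends traffic into it, so its limit/LOG/DROP rules never fire until a rule in INPUT (for example one matching new TCP SYNs) jumps to it; the audit flags exactly that.

```bash
#!/bin/bash
# Added example: offline audit of an iptables-save dump.
# RULES is CONSTRUCTED to mirror the post's filter rules; it is not real output
# captured from the author's server.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A INPUT -p tcp -m tcp --dport 223 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:50000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN flood: "
-A syn-flood -j DROP
COMMIT'

# policy_of CHAIN: print the default policy of a chain (DROP/ACCEPT, "-" for user chains)
policy_of() {
    printf '%s\n' "$RULES" | awk -v c=":$1" '$1 == c { print $2 }'
}

# open_input_ports: space-separated proto:dport list of every INPUT rule that ACCEPTs
# by destination port (state/loopback/icmp rules carry no --dport and are skipped)
open_input_ports() {
    printf '%s\n' "$RULES" | awk '
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            proto = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") { printf "%s%s:%s", sep, proto, port; sep = " " }
        }
        END { print "" }'
}

# chain_referenced CHAIN: exit 0 if some rule in another chain jumps to CHAIN
chain_referenced() {
    printf '%s\n' "$RULES" | awk -v c="$1" '
        $1 == "-A" && $2 != c && $NF == c { found = 1 }
        END { exit !found }'
}

# firewall_report: human-readable summary of the three checks
firewall_report() {
    echo "INPUT policy  : $(policy_of INPUT)"
    echo "FORWARD policy: $(policy_of FORWARD)"
    echo "OUTPUT policy : $(policy_of OUTPUT)"
    echo "Open on INPUT : $(open_input_ports)"
    if chain_referenced syn-flood; then
        echo "syn-flood     : referenced, its rules are live"
    else
        echo "syn-flood     : defined but never jumped to, its rules are inert"
    fi
}

firewall_report
```

To audit a running server, replace the constructed dump with `RULES=$(iptables-save)`; that is the same text `service iptables save` writes to /etc/sysconfig/iptables on CentOS for the iptables service to reload at boot, so the audit can also be run against that file before a reboot. Reading the output as a checklist: the three DROP policies confirm the default-deny stance of the script, the port list is what the box exposes (note the wide 30000:50000 passive FTP range and the 7777/7778 Kloxo ports), and a "never jumped to" verdict on `syn-flood` means the protection is not yet in effect.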
If you are running a slave server, then add the following to the master:
```bash
iptables -t filter -A INPUT -p tcp -s SLAVE_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP --dport 7779 -j ACCEPT
```
and this to the slave:
```bash
iptables -t filter -A INPUT -p tcp -s MASTER_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP --dport 7779 -j ACCEPT
```
NOTE: Replace SLAVE_IP with your slave server's IP and MASTER_IP with your master server's IP.
Thank you, this is a very useful article for securing CentOS VPSes.
One question: how do we get this script to run automatically in the event the VPS is rebooted?
What is the solution when the scheduled backup upload to the remote server is blocked by the firewall? After disabling the firewall, backup to the remote server works perfectly.
Regards
Find out which port your backup software uses, and open it in the firewall.