iptables rules for web hosting!

agriz
Forum Contributor
Posts: 106
Joined: Sun Nov 23, 2008 9:29 pm

iptables rules for web hosting!

Post by agriz »

Hi

Can you give me iptables rules for a web hosting server?
I heard iptables is very important to protect a server.

I read about iptables. They warn that if I do anything wrong, I will get blocked from SSH.
I don't want to experiment and risk it.

Thanks for your help
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: iptables rules for web hosting!

Post by Celauran »

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

This will allow anything on the loopback interface, any already established connections, and incoming connections on port 22 (SSH) and port 80 (HTTP). Everything else gets dropped.
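The ruleset in the reply above is applied over the very SSH session it protects, which is where lockouts come from: the SSH port is wrong, or the ACCEPT rules get appended behind a DROP that is already in the chain. The script below is an added example, not code from the thread or from either poster. It wraps those same rules in a dry-run check and a rollback timer. SSH_PORT, WAN_IF and IPT are constructed defaults that the operator overrides from the environment; setting IPT to "echo iptables" prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: applies the reply's ruleset without
# risking an SSH lockout. Constructed defaults, override via environment:
# SSH_PORT is the sshd port, WAN_IF the public interface, and IPT may be set
# to "echo iptables" for a dry run that only prints the commands.
set -eu

SSH_PORT="${SSH_PORT:-22}"
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"

# Flush INPUT first so the new ACCEPT rules cannot land *behind* an existing
# catch-all DROP (rules appended after a DROP never match), then rebuild in order.
build_rules() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m tcp --dport 443 -j ACCEPT
    $IPT -A INPUT -j DROP
}

# Dry-run check: the SSH ACCEPT rule must exist and precede the final DROP.
ssh_rule_before_drop() {
    rules=$(IPT="echo iptables"; build_rules)
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $SSH_PORT -j ACCEPT" | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Safety net: a background job that reopens INPUT after GRACE seconds unless it
# is killed. Apply, open a second SSH session to confirm access, then disarm it.
arm_rollback() {
    grace="${1:-120}"
    ( sleep "$grace"; $IPT -P INPUT ACCEPT; $IPT -F INPUT ) >/dev/null 2>&1 &
    echo $!
}

disarm_rollback() {
    kill "$1" 2>/dev/null || true
}

case "${1:-}" in
    dry-run)
        (IPT="echo iptables"; build_rules)
        ;;
    apply)
        ssh_rule_before_drop || { echo "refusing to apply: SSH rule missing or after DROP" >&2; exit 1; }
        timer=$(arm_rollback 120)
        build_rules
        echo "Rules applied. Open a NEW SSH session to confirm access, then run: kill $timer"
        ;;
esac
```

Run it as root with `SSH_PORT=1234 sh firewall.sh dry-run` first to see the exact commands, then `SSH_PORT=1234 sh firewall.sh apply`; if the new session does not connect, the timer reopens INPUT after two minutes and nobody has to ask the data centre for a reboot.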
agriz

Re: iptables rules for web hosting!

Post by agriz »

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1234 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:1234 state ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:1234 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1234 state NEW,ESTABLISHED

Thanks for the reply.
What does it mean?
Is it bad to have?

1234 is the SSH port.

I checked your rules. But the default policy is ACCEPT. Is it good to go with an ACCEPT policy?
Celauran

Re: iptables rules for web hosting!

Post by Celauran »

I don't see a DROP rule in there anywhere, so you're effectively allowing everything.
agriz

Re: iptables rules for web hosting!

Post by agriz »

Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)

I have dropped everything in the beginning.
I have one more problem with my rules.

I am not able to run Facebook apps with the rules.
agriz

Re: iptables rules for web hosting!

Post by agriz »

I ran your rules. When I executed them, I got blocked from SSH!
I have asked a technician to restart the server.
Celauran

Re: iptables rules for web hosting!

Post by Celauran »

agriz wrote:
> I ran your rules. When I executed them, I got blocked from SSH!
> I have asked a technician to restart the server.

My rules assume SSH is running on the default port. You'll need to change 22 to 1234 since you're running SSH on a non-standard port.
agriz

Re: iptables rules for web hosting!

Post by agriz »

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 1234 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP

I saved this as a shell script and executed it, and I am blocked.
I don't know why.

Right now, I have this.

# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT

#ICMP NEW RULE

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT

# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. Allow FTP PORT 
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH // Not required
iptables -A OUTPUT -o eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT

But I am not able to use the following:
curl, yum, wget, ping

Thanks for helping me on this.
Celauran

Re: iptables rules for web hosting!

Post by Celauran »

Is this your machine? Are you sure eth0 is the right device? Try removing the -i eth0 bit and see if that changes anything.
agriz

Re: iptables rules for web hosting!

Post by agriz »

It is not my machine, but I am paying rent to a company. It is a dedicated server.
Yes, eth0 is the name.

I will try replacing it.
agriz

Re: iptables rules for web hosting!

Post by agriz »

Same. I am using CentOS 6. Is it the same for all versions of Linux?
agriz

Re: iptables rules for web hosting!

Post by agriz »

iptables -P OUTPUT ACCEPT

If I make this change, then it works. Does that give you any idea?