iptables rules for web hosting!
Hi
Can you give me iptables rules for a web hosting server?
I heard iptables is very important to protect the server.
I read about iptables. They warn that if I do anything wrong, I will get blocked from SSH.
I don't want to experiment and risk it.
Thanks for your help
Re: iptables rules for web hosting!
Code:
# loopback traffic (local services talking to themselves)
iptables -A INPUT -i lo -j ACCEPT
# replies to connections that were already allowed
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new inbound SSH and HTTP on the public interface
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# everything else is dropped
iptables -A INPUT -j DROP
Re: iptables rules for web hosting!
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1234 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:1234 state ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:1234 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:1234 state NEW,ESTABLISHED
What does it mean?
Is it bad to have?
1234 is the SSH port.
I checked your rules, but the default policy is ACCEPT. Is it good to go with an ACCEPT policy?
Re: iptables rules for web hosting!
I don't see a DROP rule in there anywhere, so you're effectively allowing everything.
Re: iptables rules for web hosting!
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
I have dropped everything at the beginning.
I have one more problem with my rules.
I am not able to run Facebook apps with these rules.
Re: iptables rules for web hosting!
I ran your rules. When I executed them, I got blocked from SSH!
I have asked a technician to restart the server.
Re: iptables rules for web hosting!
agriz wrote:
I ran your rules. When I executed them, I got blocked from SSH!
I have asked a technician to restart the server.

My rules assume SSH is running on the default port. You'll need to change 22 to 1234 since you're running SSH on a non-standard port.
Re: iptables rules for web hosting!
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 1234 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
I don't know why.
Right now, I have this.
Code:
# 1. Delete all existing rules
iptables -F
# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
#ICMP NEW RULE
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT
# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# 7. Allow FTP PORT
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# 8. Allow outgoing SSH // Not required
iptables -A OUTPUT -o eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
curl, yum, wget, ping
Thanks for helping me on this.
Re: iptables rules for web hosting!
Is this your machine? Are you sure eth0 is the right device? Try removing the -i eth0 bit and see if that changes anything.
Re: iptables rules for web hosting!
It is not my machine, but I am paying rent to a company. It is a dedicated server.
Yes, eth0 is the name.
I will try replacing it.
Re: iptables rules for web hosting!
Same. I am using CentOS 6. Is it the same for all versions of Linux?
Re: iptables rules for web hosting!
iptables -P OUTPUT ACCEPT
If I make this change, then it works. Does that give any idea?
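The thread above runs into the two classic iptables mistakes: applying rules one `-A` at a time from an SSH session and getting locked out when the SSH port in the rules is wrong, and setting the OUTPUT policy to DROP without allowing the server's own outbound traffic, which is why curl, yum, wget and ping only started working again once the policy was flipped back to ACCEPT. The script below is an added example and is not code from any post in this thread. It assumes a CentOS 6-style box with SSH on port 1234 and the public interface eth0 (both are variables), builds the whole ruleset in iptables-restore format so it is applied atomically rather than rule by rule, keeps OUTPUT at DROP but allows loopback, established/related traffic and the outbound services the server itself needs (DNS, HTTP/HTTPS for yum and curl, NTP, ping), and arms a 60-second rollback timer so a bad ruleset undoes itself instead of needing a technician to reboot the server.

```shell
#!/bin/sh
# Added example for this thread, not the forum poster's rules.
# Assumptions: SSH on 1234 and public interface eth0 (override via env),
# iptables with the conntrack match, CentOS 6 "service iptables save".
SSH_PORT="${SSH_PORT:-1234}"
WAN_IF="${WAN_IF:-eth0}"
ROLLBACK_PID=/tmp/iptables-rollback.pid

# Emit the full ruleset in iptables-restore syntax. Policies and rules land
# together in one transaction, so there is no window where the policy is
# DROP and the SSH accept rule is not yet in place.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services (DNS cache, MySQL socket clients, etc.)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful core: replies to anything already allowed, in both directions
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound services offered by the web host
-A INPUT -i ${WAN_IF} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p icmp --icmp-type echo-request -j ACCEPT
# outbound: what the server itself needs (yum, curl, wget, DNS, NTP, ping);
# the echo-reply and DNS answers come back as ESTABLISHED via conntrack
-A OUTPUT -o ${WAN_IF} -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p icmp --icmp-type echo-request -j ACCEPT
# log a sample of what is dropped so the next "X stopped working" is visible
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Refuse to apply a ruleset that does not explicitly accept the SSH port.
check_ssh_rule() {
    gen_rules | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT"
}

# Apply atomically and arm a rollback: unless confirm_rules is run within
# 60 seconds, the previous ruleset is restored, so a lockout fixes itself.
apply_with_rollback() {
    check_ssh_rule || { echo "refusing: no accept rule for SSH port ${SSH_PORT}"; return 1; }
    saved=$(mktemp)
    iptables-save > "$saved"
    gen_rules | iptables-restore || { echo "ruleset rejected by iptables-restore"; rm -f "$saved"; return 1; }
    ( sleep 60; iptables-restore < "$saved"; rm -f "$saved" ) &
    echo $! > "$ROLLBACK_PID"
    echo "applied; run '$0 confirm' within 60s from a NEW ssh session to keep it"
}

# Cancel the rollback and persist (CentOS 6 writes /etc/sysconfig/iptables).
confirm_rules() {
    kill "$(cat "$ROLLBACK_PID")" && rm -f "$ROLLBACK_PID"
    service iptables save
}

case "${1:-}" in
    show)    gen_rules ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
esac
```

Run it as `sh fw.sh show` to review the generated rules, `sh fw.sh apply` from your SSH session, then open a second SSH session and run `sh fw.sh confirm`; if the second session cannot connect, do nothing and the old rules come back by themselves. The `-m conntrack --ctstate` form replaces the older `-m state --state` used in the thread; on CentOS 6 both work, and keeping a single RELATED,ESTABLISHED rule in each chain is what makes the per-port `--sport` OUTPUT rules from the earlier post unnecessary.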