
iptables rules for web hosting!

Posted: Sun Dec 04, 2011 1:52 pm
by agriz
Hi,

Can you give me iptables rules for a web hosting server?
I heard iptables is very important for protecting a server.

I read about iptables. They warn that if I do anything wrongly, I will get blocked from SSH.
I don't want to experiment and risk it.

Thanks for your help.

Re: iptables rules for web hosting!

Posted: Sun Dec 04, 2011 9:24 pm
by Celauran

Code:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
This will allow anything on the loopback interface, any already established connections, and incoming connections on port 22 (SSH) and port 80 (http). Everything else gets dropped.
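The lockout agriz is worried about is easy to guard against. Below is an added example (not Celauran's or agriz's code) of a small wrapper for applying a rules script over SSH: it refuses a script that never opens the SSH port you are actually connected on (which is exactly the 22-versus-1234 mismatch later in this thread), and it saves the live ruleset and restores it automatically after a grace period unless you confirm the new rules in time. It assumes iptables-save and iptables-restore are installed, that the rules script is a plain file of iptables commands like the one above, and that the BACKUP path and the apply/confirm invocation are placeholders of my own choosing.

```shell
#!/bin/sh
# Added example, not code from Celauran or agriz: a guard for applying an
# iptables rules script over SSH without locking yourself out.
# Assumptions: iptables-save/iptables-restore exist, the rules script is a
# plain file of iptables commands, and BACKUP is a placeholder path.

BACKUP="${BACKUP:-/tmp/iptables.backup}"   # hypothetical backup location

# Port of the SSH session you are logged in on, taken from sshd's
# SSH_CONNECTION ("client_ip client_port server_ip server_port").
# An explicit argument can be passed instead of the environment variable.
current_ssh_port() {
    set -- ${1:-${SSH_CONNECTION:-}}
    echo "$4"
}

# Succeeds if the rules script contains an INPUT ACCEPT rule for TCP port $2.
# This is the check that would have caught the 22-versus-1234 mistake.
script_allows_port() {
    grep -E -- "-A INPUT .*--dport[ =]$2( |$).*-j ACCEPT" "$1" >/dev/null
}

# Apply $1, but first save the live ruleset and start a timer that restores
# it after $2 seconds (default 120) unless confirm_rules is run in time.
apply_with_rollback() {
    rules_script="$1"
    grace="${2:-120}"
    port="$(current_ssh_port)"
    if [ -n "$port" ] && ! script_allows_port "$rules_script" "$port"; then
        echo "refusing: $rules_script never opens SSH port $port" >&2
        return 1
    fi
    iptables-save > "$BACKUP" || return 1
    # Rollback timer: restores the backup unless confirm_rules removes it first.
    ( sleep "$grace"; [ -f "$BACKUP" ] && iptables-restore < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
    sh "$rules_script"
    echo "applied; run '$0 confirm' within ${grace}s or the old rules come back"
}

# Cancel the rollback timer and keep the new rules.
confirm_rules() {
    kill "$(cat "$BACKUP.pid" 2>/dev/null)" 2>/dev/null
    rm -f "$BACKUP" "$BACKUP.pid"
}

# Usage: sh guard.sh apply rules.sh 120   then, if SSH still works,
#        sh guard.sh confirm
case "${1:-}" in
    apply)   apply_with_rollback "$2" "${3:-120}" ;;
    confirm) confirm_rules ;;
esac
```

If you lose the session, do nothing: the timer puts the previous ruleset back, and a second SSH login will work again once the grace period has elapsed.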

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 1:28 am
by agriz

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1234 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:1234 state ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:1234 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1234 state NEW,ESTABLISHED
Thanks for the reply.
What does it mean?
Is it bad to have?

1234 is the SSH port.

I checked your rules, but the default policy is ACCEPT. Is it good to go with the ACCEPT policy?

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 9:09 am
by Celauran
I don't see a DROP rule in there anywhere, so you're effectively allowing everything.

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 9:16 am
by agriz
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)

I have dropped everything at the beginning.
I have one more problem with my rules.

I am not able to run Facebook apps with the rules.

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 9:17 am
by agriz
I ran your rules. When I executed them, I got blocked from SSH!
I have asked a technician to restart the server.

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 11:27 am
by Celauran
agriz wrote: I ran your rules. When I executed them, I got blocked from SSH!
I have asked a technician to restart the server.
My rules assume SSH is running on the default port. You'll need to change 22 to 1234 since you're running SSH on a non-standard port.

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 11:32 am
by agriz

Code:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 1234 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
I saved this as a shell script and executed it, and I am blocked.
I don't know why.

Right now, I have this.

Code:

# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT

#ICMP NEW RULE

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT

# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. Allow FTP PORT 
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH // Not required
iptables -A OUTPUT -o eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
But I am not able to use the following:
curl, yum, wget, ping

Thanks for helping me on this.

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 11:36 am
by Celauran
Is this your machine? Are you sure eth0 is the right device? Try removing the -i eth0 bit and see if that changes anything.

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 11:40 am
by agriz
It is not my machine, but I am paying rent to a company. It is a dedicated server.
Yes, eth0 is the name.

I will try replacing it.

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 11:45 am
by agriz
Same. I am using CentOS 6. Is it the same for all versions of Linux?

Re: iptables rules for web hosting!

Posted: Mon Dec 05, 2011 12:08 pm
by agriz
iptables -P OUTPUT ACCEPT

If I make the changes, then it works. Does that give any idea?
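It does. With the OUTPUT policy at DROP, every packet the server sends must match an ACCEPT rule, and the posted script only accepts outgoing packets with --sport 1234/80/443/21 in state ESTABLISHED, i.e. answers to connections that clients opened. A connection the server opens itself (a SYN from curl, wget or yum to port 80, a DNS query to UDP 53, the first echo-request of a ping) is NEW in the OUTPUT chain and falls through to the DROP policy. There is also no loopback rule at all, so local resolver and database traffic is dropped too, and the OUTPUT ICMP rule matches echo-request in state ESTABLISHED, which fits neither an outgoing ping nor the echo-reply sent back to someone pinging the server. Switching to OUTPUT ACCEPT works because it removes egress filtering entirely. The script below is an added example (not agriz's or Celauran's script) that keeps the DROP policy on OUTPUT but adds a conntrack rule in both chains plus explicit NEW rules for the outbound services a CentOS 6 web host needs. It assumes SSH on 1234 as in this thread (overridable by the first argument), the conntrack match, and no interface restriction, as Celauran suggested; the print/apply invocation is my own convention.

```shell
#!/bin/sh
# Added example, not the thread's own script: a stateful ruleset that keeps
# OUTPUT at DROP but still lets the server reach out for DNS, HTTP/HTTPS
# (yum, curl, wget) and ping. Assumes SSH on 1234 (first argument overrides)
# and an iptables with the conntrack match, as on CentOS 6.

# Print the rule commands for the given SSH port. Printing rather than
# executing makes the set reviewable (and testable) before it touches the box.
ruleset() {
    ssh_port="${1:-1234}"
    cat <<EOF
# 1. Start clean and fail closed in every direction
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 2. Loopback: the posted script had no lo rules at all, so local
#    resolver/database traffic was dropped along with everything else
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 3. Let connection tracking handle replies in BOTH chains. The posted
#    OUTPUT rules only matched --sport 80/443/21/1234 ESTABLISHED, which
#    covers answers to clients but never a connection the server opens.
iptables -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# 4. Services this host offers: only NEW needs listing now
iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# FTP control channel; passive data connections are only tracked as RELATED
# if the nf_conntrack_ftp module is loaded (modprobe nf_conntrack_ftp)
iptables -A INPUT -p tcp --dport 21  -m conntrack --ctstate NEW -j ACCEPT

# 5. Connections this host opens. A SYN from curl/wget/yum is NEW in OUTPUT,
#    and so is a DNS query, so with policy DROP each needs its own rule.
iptables -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# 6. ICMP: the posted OUTPUT rule matched echo-request ESTABLISHED, which
#    fits neither an outgoing ping (NEW) nor the echo-reply we send back.
#    Accept echo-request both ways; replies ride on the conntrack rules.
iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Number of rules that open NEW outbound connections; a sanity check that
# egress is still filtered rather than wide open.
count_egress_rules() {
    ruleset "$1" | grep -c -- '-A OUTPUT .*--ctstate NEW'
}

# Usage: sh rules.sh print 1234   (review first)
#        sh rules.sh apply 1234   (run as root)
case "${1:-}" in
    print) ruleset "${2:-1234}" ;;
    apply) ruleset "${2:-1234}" | sh ;;
esac
```

Everything the posted script listed as a separate --sport ESTABLISHED rule is covered by the single OUTPUT conntrack rule, so the ruleset gets shorter as well as working; what remains in OUTPUT is the explicit list of destinations the server is allowed to initiate, which is the part OUTPUT ACCEPT throws away.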