iptables rules for web hosting!
Posted: Sun Dec 04, 2011 1:52 pm
by agriz
Hi
Can you give me iptables rules for a web hosting server?
I heard iptables is very important to protect a server.
I read about iptables. They warn that if I do anything wrongly, I will get blocked from SSH.
I don't want to experiment and risk it.
Thanks for your help.
Re: iptables rules for web hosting!
Posted: Sun Dec 04, 2011 9:24 pm
by Celauran
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
This will allow anything on the loopback interface, any already established connections, and incoming connections on port 22 (SSH) and port 80 (http). Everything else gets dropped.
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 1:28 am
by agriz
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1234 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:1234 state ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:1234 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:1234 state NEW,ESTABLISHED
Thanks for the reply.
What does it mean?
Is it bad to have?
1234 is the SSH port.
I checked your rules, but the default policy is ACCEPT. Is it good to go with an ACCEPT policy?
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 9:09 am
by Celauran
I don't see a DROP rule in there anywhere, so you're effectively allowing everything.
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 9:16 am
by agriz
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
I have dropped everything in the beginning.
I have one more problem with my rules.
I am not able to run Facebook apps with the rules.
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 9:17 am
by agriz
I ran your rules. When I executed them, I got blocked from SSH!
I have asked a technician to restart the server.
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 11:27 am
by Celauran
agriz wrote: I ran your rules. When I executed them, I got blocked from SSH!
I have asked a technician to restart the server.
My rules assume SSH is running on the default port. You'll need to change 22 to 1234 since you're running SSH on a non-standard port.
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 11:32 am
by agriz
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 1234 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
I saved this as a shell script and executed it, and I am blocked.
I don't know why.
Right now, I have this.
Code:
# 1. Delete all existing rules
iptables -F
# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
#ICMP NEW RULE
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT
# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# 7. Allow FTP PORT
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# 8. Allow outgoing SSH // Not required
iptables -A OUTPUT -o eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
But I am not able to use the following: curl, yum, wget, ping.
Thanks for helping me on this.
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 11:36 am
by Celauran
Is this your machine? Are you sure eth0 is the right device? Try removing the -i eth0 bit and see if that changes anything?
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 11:40 am
by agriz
It is not my machine, but I am paying rent to a company. It is a dedicated server.
Yes, eth0 is the name.
I will try replacing it.
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 11:45 am
by agriz
Same. I am using CentOS 6. Is it the same for all versions of Linux?
Re: iptables rules for web hosting!
Posted: Mon Dec 05, 2011 12:08 pm
by agriz
iptables -P OUTPUT ACCEPT
If I make this change, then it works. Does it give any idea?
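An added example, written for this thread and not code from any of the posters, that addresses the two problems the thread runs into: getting locked out of SSH while applying rules (the worry in the opening post, and what happened when the posted script was run), and curl, yum, wget and ping failing once the OUTPUT policy is DROP. The posted ruleset only accepts ESTABLISHED packets leaving from the server's own service ports, so a connection the server itself opens (a DNS lookup, a yum download) matches no OUTPUT rule and is dropped; and an incoming echo-request is answered with an echo-reply, which an OUTPUT rule for echo-request in state ESTABLISHED never matches, so ping fails in both directions. The script below keeps all three policies at DROP but gives OUTPUT the same stateful treatment as INPUT, refuses any ruleset that does not accept the SSH port, and applies the rules with an automatic rollback to an iptables-save snapshot. Assumptions: SSH on port 1234 and eth0 as the public interface (as in the thread), a 60-second rollback window and the pending-file path; FTP is left out, since FTP data connections additionally need the nf_conntrack_ftp helper before RELATED covers them.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Generates a stateful iptables ruleset (iptables-restore format), refuses it
# if it would not accept SSH, and applies it with an automatic rollback.
# Assumptions: SSH on port 1234 and public interface eth0 (as in the thread),
# a 60-second rollback window, and a pending-file under /var/run.

SSH_PORT="${SSH_PORT:-1234}"
WAN_IF="${WAN_IF:-eth0}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
PENDING="${PENDING:-/var/run/iptables-rollback.pending}"

# Print the ruleset. All three policies stay DROP, but OUTPUT also permits
# connections the server opens itself (DNS, HTTP/HTTPS for yum/curl/wget)
# and outgoing pings; replies in both directions ride on RELATED,ESTABLISHED.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and every packet that belongs to a connection already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services this host offers to the outside
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# outbound: replies to accepted connections, plus what the host itself needs
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Lockout guard: succeed only if the file holds an INPUT rule that accepts
# connections to the SSH port.
check_ssh_allowed() {
  grep -q -- "^-A INPUT .*--dport $SSH_PORT .*-j ACCEPT" "$1"
}

# Apply a ruleset file. The current rules are snapshotted with iptables-save,
# and a detached timer restores that snapshot after ROLLBACK_SECS unless the
# operator, still logged in, removes the pending file first.
apply_with_rollback() {
  new="$1"
  check_ssh_allowed "$new" || {
    echo "refusing: no INPUT rule accepts the SSH port $SSH_PORT" >&2; return 1; }
  backup=$(mktemp) || return 1
  iptables-save > "$backup" || return 1
  : > "$PENDING"
  iptables-restore < "$new" || { iptables-restore < "$backup"; rm -f "$PENDING"; return 1; }
  nohup sh -c "sleep $ROLLBACK_SECS; [ -e '$PENDING' ] && iptables-restore < '$backup'; rm -f '$PENDING'" \
    >/dev/null 2>&1 &
  echo "applied; if you can still log in, run: rm $PENDING (within $ROLLBACK_SECS s)"
}

# Usage: sh fw.sh print   -> write the ruleset to stdout for review
#        sh fw.sh apply   -> apply it (as root) with the rollback timer
case "$1" in
  print) gen_ruleset ;;
  apply) f=$(mktemp) && gen_ruleset > "$f" && apply_with_rollback "$f" ;;
esac
```

Review the output of `sh fw.sh print` first (on CentOS 6 it can be saved as /etc/sysconfig/iptables once it is known to work), then run `sh fw.sh apply` as root from a live SSH session. If the session survives, remove the pending file inside the window to keep the rules; if it does not, the previous ruleset comes back on its own and no technician reboot is needed.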