Hi, I am about to change my SSH port. I have the commands prepared as listed below, as extracted from this link.
However, in place of the manually entered firewall command I was thinking I would run the script shown in quotes to flush the iptables and reset everything (but with the new SSH port being used). The command in the script is slightly different. Am I correct in assuming that because I am flushing the iptables with my script I should be okay? I am tempted to just go for it, but the lockout thing is haunting me, I guess. Maybe someone can scare away the ghosts.
Change from "#Port 22" to "Port 2222" (port for windows servers but not for Linux servers)
NOTE: this would be replaced with the command in the script below but using port 2222
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT (<<<<<<<<<<<<<<<<<<<<<<<<<<<Manually entered command)
netstat -tulpn | grep sshd (Verify the new port settings. You should see 2222)
#!/bin/bash
# MyFireWall script - chmod +x MyFireWall - ./MyFireWall
# Basic Website Criteria:
# PHP, MySql, Apache driven web pages with file down load and upload.
# FTP is turned off and everything is working fine
# Putty and WinSCP is used.
# No incoming mail. Only outgoing mail with Postfix
# Created with http://wiki.centos.org/HowTos/Network/IPTables
# NOTE: you used this one to rough in this script and it explains running this. Comments were copied to the 2nd last command below.
# Created with http://articles.slicehost.com/assets/20 ... tables.txt
# NOTE: this one had some more commands you might have used
# created with https://help.ubuntu.com/community/IptablesHowTo
# NOTE: this explains a little more of what is in this script
# created with http://blog.adityapatawari.com/2011/12/ ... ained.html
# NOTE: this explains some basic commands
# NOTES: when you close port 25 you are blocking incoming mail to your VPS. All your outgoing ports are open so you can send email (ports 465 and 587).
# http://serverfault.com/questions/149903 ... ail-server
# You are keeping a backup of this script in C:\Access\GuitarPracticeRecords\Jamming\Installing_On_Each_WebHost\LinuxScripts\Velcom
#If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT otherwise once we flush the current rules we will be locked out of our server.
iptables -P INPUT ACCEPT
# Flush all current rules from iptables - We use the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
iptables -F
# Set access for localhost
# use the -i switch (for interface) to specify packets matching or destined for the lo (localhost, 127.0.0.1) interface.
# So this rule will allow all incoming packets destined for the localhost interface to be accepted.
# This is generally required as many software applications expect to be able to communicate with the localhost adaptor.
# Link https://help.ubuntu.com/community/IptablesHowTo is the link that suggested putting this in.
# Allows all loopback (lo0) traffic
iptables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to established and related connections
# we are adding (-A) it to the INPUT chain.
# Here we're using the -m switch to load a module (state).
# The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED.
# NEW refers to incoming packets that are new incoming connections that weren't initiated by the host system.
# ESTABLISHED and RELATED refer to incoming packets that are part of an already established connection or related to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Here we add a rule allowing SSH connections over tcp port 2222 (the new port). - By default SSH uses port 22 and again uses the tcp protocol.
# So if we want to allow remote logins, we need to allow tcp connections on the port sshd listens on (Putty).
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Set default policies for INPUT, FORWARD and OUTPUT chains
# The -P switch sets the default policy on the specified chain.
# So now we can set the default policy on the INPUT chain to DROP.
# This means that if an incoming packet does not match one of the following rules it will be dropped.
# If we were connecting remotely via SSH and had not added the rule above, we would have just locked ourselves out of the system at this point.
iptables -P INPUT DROP
# set the default policy on the FORWARD chain to DROP as we're not using our computer as a router so there should not be any packets passing through our computer.
iptables -P FORWARD DROP
# Set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).
iptables -P OUTPUT ACCEPT
# Save settings - the last thing we need to do is save our rules so that next time we reboot our computer our rules are automatically reloaded:
# This executes the iptables init script, which runs /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables.
# Upon reboot, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
/sbin/service iptables save
# List rules - we can list (-L) the rules we've just added to check they've been loaded correctly. -v means verbose
iptables -L -v
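A pre-flight check for the lockout worry above, added here as an example and not part of the poster's MyFireWall script or the linked guides: before closing the existing session, confirm from live output that sshd's effective port, the INPUT ACCEPT rule and the listening socket all agree on 2222. It assumes `sshd -T` output, `iptables -S INPUT` output (iptables-save style) and CentOS `netstat -tulpn` columns; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Pre-flight checks for an SSH port change (added example, not the poster's
# MyFireWall script). Every check reads text, so it can be run on captured
# output while testing and on live output (sshd -T, iptables -S INPUT,
# netstat -tulpn) on the server. Output formats assumed: iptables-save style
# rule listing and CentOS netstat columns.

# Port sshd will really use, from `sshd -T`, so a commented "#Port" line
# is never mistaken for an active setting. Defaults to 22 if no port line.
sshd_effective_port() {
    printf '%s\n' "$1" | awk 'BEGIN { p = 22 } $1 == "port" { p = $2 } END { print p }'
}

# Succeeds if `iptables -S INPUT` output ($1) has an ACCEPT for tcp dport $2.
rule_allows_port() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT\$"
}

# Succeeds if netstat -tulpn output ($1) shows sshd listening on tcp port $2.
sshd_listening_on() {
    printf '%s\n' "$1" | grep -E '^tcp6?[[:space:]]' \
        | grep -E ":$2[[:space:]]" | grep -q 'LISTEN.*sshd'
}

# Run all checks for port $4 against sshd -T text $1, iptables -S text $2 and
# netstat text $3. Returns 0 only when every check passes; prints each failure.
preflight() {
    got=$(sshd_effective_port "$1"); ok=0
    [ "$got" = "$4" ] || { echo "FAIL: sshd configured for port $got, not $4"; ok=1; }
    rule_allows_port "$2" "$4" || { echo "FAIL: no INPUT ACCEPT rule for tcp/$4"; ok=1; }
    sshd_listening_on "$3" "$4" || { echo "FAIL: sshd is not listening on tcp/$4"; ok=1; }
    return $ok
}

# Constructed sample outputs, as the server would show after the change.
SAMPLE_SSHD_T='port 2222
listenaddress 0.0.0.0:2222'
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master'

# On the server, run with live data while the old session stays open:
# preflight "$(sshd -T)" "$(iptables -S INPUT)" "$(netstat -tulpn)" 2222
```

Only open a fresh Putty session on 2222 and close the old one once `preflight` exits 0 with the live output.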