
IPTABLES script revisited



Anyone here able to help me with an iptables script I'm trying to write for the web hosting servers? The basic idea is:

1. block all inbound traffic that isn't a web server, ssh, or otherwise required
2. block ALL outbound traffic I don't already expect (mysql, oracle, radmind, cosign)


The one thing I haven't figured out yet is which of the UDP ports I have to open for AFS (I know I need 7001, don't know about 7000 or 7002-7010).

I also haven't done anything to log, block known bad packets, prevent spoofing, etc.

So far I have:

#!/bin/sh
# Clear all Tables
iptables -F
iptables -X
iptables -Z

# don't do anything I haven't told you to do
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback setup
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Inbound connections
# (the state list takes no spaces; --dport and --state are long options and
# need two dashes, and --state only works after the state match is loaded with -m state)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# allow admin hosts to ssh
iptables -A INPUT -p tcp -s 141.211.14.5 --dport 22 -m state --state NEW -j ACCEPT

# drop anything else
iptables -A INPUT -j DROP

# I am not a client;  I am a server.
# (the built-in chain is OUTPUT; there is no OUTBOUND chain)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# some services the server is allowed to talk to:
iptables -A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 1521 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 6663 -j ACCEPT
# for outbound traffic the remote host is the destination (-d), not the source
iptables -A OUTPUT -p tcp -m tcp -d 141.211.14.41 --dport 6662 -j ACCEPT

iptables -A OUTPUT -j DROP
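A small lint pass for the mistakes that are easy to make in a hand-written ruleset like this one: single-dash long options, `--state` without a preceding `-m state`, a space inside the state list, and appending to a chain that does not exist. This is an added example, not part of the original post; the sample ruleset embedded in it is a constructed copy of a few lines from the post as they were written.

```python
import re

# Constructed sample input: a few lines from the posted ruleset, as written
SAMPLE_RULES = """\
-A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT
-A INPUT -p tcp -dport 80 -state --state NEW -j ACCEPT
-A INPUT -p tcp -s 141.211.14.5 -dport 22 -m state --state NEW -j ACCEPT
-A OUTBOUND -m state --state ESTABLISHED, RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTBOUND -j DROP
"""
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
SINGLE_DASH = re.compile(r"^-(dport|sport|state)$")  # long options iptables only accepts with "--"

def lint_rule(tokens, known_chains):
    """Return the problems found in one tokenised rule (empty list if clean)."""
    problems = []
    for i, tok in enumerate(tokens):
        if SINGLE_DASH.match(tok):
            problems.append(f"'{tok}' is a long option: write '-{tok}'")
        if tok in ("-A", "-I", "-D") and i + 1 < len(tokens) and tokens[i + 1] not in known_chains:
            problems.append(f"chain '{tokens[i + 1]}' does not exist (no -N, not a built-in)")
        if tok == "--state":
            # --state belongs to the state match, which must be loaded before it
            loaded = {tokens[j + 1] for j, t in enumerate(tokens[:i]) if t == "-m"}
            if "state" not in loaded:
                problems.append("'--state' used without a preceding '-m state'")
            # 'ESTABLISHED, RELATED' splits into two tokens; the list takes no spaces
            if i + 1 < len(tokens) and tokens[i + 1].endswith(","):
                problems.append("state list must not contain spaces (ESTABLISHED,RELATED)")
    return problems

def lint_rules(text):
    """Lint a ruleset in script or iptables-restore style; -N lines define user chains."""
    known = set(BUILTIN_CHAINS)
    report = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "iptables":  # strip the command word from script-style lines
            tokens = tokens[1:]
        if len(tokens) > 1 and tokens[0] == "-N":
            known.add(tokens[1])
            continue
        if problems := lint_rule(tokens, known):
            report[" ".join(tokens)] = problems
    return report
```

`lint_rules(SAMPLE_RULES)` flags five of the six sample lines; only the `--dport 3306` rule comes back clean.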