
Re: IPTABLES script revisited



On Sat, Dec 03, 2005 at 07:40:53PM -0500, kevin mcgowan wrote:
> anyone here able to help me with an iptables script I'm trying to  
> write for the web hosting servers?  the basic idea is:
> 
> 	1.  block all inbound traffic that isn't a web server, ssh, or  
> otherwise required
> 	2.  block ALL outbound traffic I don't already expect (mysql,  
> oracle, radmind, cosign)
> 
> the one thing I haven't figured out yet is which of the UDP ports I  
> have to open for AFS (I know I need 7001, don't know about 7000 or  
> 7002 - 7010).

bifrost[pts/2]:root~# grep afs /etc/services
afs3-fileserver 7000/tcp                        # file server itself
afs3-fileserver 7000/udp                        # file server itself
afs3-callback   7001/tcp                        # callbacks to cache managers
afs3-callback   7001/udp                        # callbacks to cache managers
afs3-prserver   7002/tcp                        # users & groups database
afs3-prserver   7002/udp                        # users & groups database
afs3-vlserver   7003/tcp                        # volume location database
afs3-vlserver   7003/udp                        # volume location database
afs3-kaserver   7004/tcp                        # AFS/Kerberos authentication service
afs3-kaserver   7004/udp                        # AFS/Kerberos authentication service
afs3-volser     7005/tcp                        # volume managment server
afs3-volser     7005/udp                        # volume managment server
afs3-errors     7006/tcp                        # error interpretation service
afs3-errors     7006/udp                        # error interpretation service
afs3-bos        7007/tcp                        # basic overseer process
afs3-bos        7007/udp                        # basic overseer process
afs3-update     7008/tcp                        # server-to-server updater
afs3-update     7008/udp                        # server-to-server updater
afs3-rmtsys     7009/tcp                        # remote cache manager service
afs3-rmtsys     7009/udp                        # remote cache manager service


and

bifrost[pts/2]:root~# tcpdump -nieth0 'udp and not port 53 and not port hsrp and not port netbios-dgm and not port netbios-ns'

showed afs3-{callback,fileserver,vlserver} at least...

Only thing that immediately suggests itself below is I think you need to allow
connections to udp port 53 outbound for DNS...

Adi

> I also haven't done anything to log, block known bad packets, prevent  
> spoofing, etc.
> 
> so far I have:
> 
> # Clear all Tables
> iptables -F
> iptables -X
> iptables -Z
> 
> # don't do anything I haven't told you to do
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # Loopback setup
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> 
> # Inbound connections (state list must have no space after the comma;
> # --dport takes two dashes; --state needs the state match loaded with -m state)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
> 
> # allow admin hosts to ssh
> iptables -A INPUT -p tcp -s 141.211.14.5 --dport 22 -m state --state NEW -j ACCEPT
> 
> # drop anything else
> iptables -A INPUT -j DROP
> 
> # I am not a client;  I am a server.
> # (the built-in chain is OUTPUT; there is no OUTBOUND chain)
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # some services the server is allowed to talk to:
> iptables -A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 1521 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 6663 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp -s 141.211.14.41 --dport 6662 -j ACCEPT
> 
> iptables -A OUTPUT -j DROP
>
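The reply above answers the UDP question by reading the afs3-* entries out of /etc/services and adds that outbound DNS is missing. As an added example (not code from either poster), the script below turns those two observations into OUTPUT rules: it picks the afs3 udp ports out of a services file and prints the rules for them plus DNS, without applying anything, so the list can be reviewed first. The services text is a constructed sample taken from the grep output in the reply, and 192.0.2.53 stands in for the site's real resolver.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Generates (prints, does not apply) outbound UDP rules for the AFS ports
# listed in a services file, plus outbound DNS to one resolver.

# Constructed sample of the afs3 lines from the reply; a real run would
# feed /etc/services instead.
SAMPLE_SERVICES=$(cat <<'EOF'
afs3-fileserver 7000/tcp                        # file server itself
afs3-fileserver 7000/udp                        # file server itself
afs3-callback   7001/udp                        # callbacks to cache managers
afs3-vlserver   7003/udp                        # volume location database
afs3-volser     7005/udp                        # volume managment server
EOF
)

# afs_udp_ports: read services-file text on stdin, print "name port" for
# every afs3-* entry whose protocol is udp (tcp lines and comments are skipped).
afs_udp_ports() {
    awk '$1 ~ /^afs3-/ && $2 ~ /\/udp$/ { split($2, p, "/"); print $1, p[1] }'
}

# afs_output_rules RESOLVER: read "name port" pairs on stdin and print one
# iptables command per port allowing NEW outbound UDP to it, then one rule
# for DNS to RESOLVER. Replies come back via the ESTABLISHED,RELATED rule
# already in the script, so only NEW is opened here.
afs_output_rules() {
    resolver=$1
    while read -r name port; do
        printf 'iptables -A OUTPUT -p udp --dport %s -m state --state NEW -j ACCEPT  # %s\n' \
            "$port" "$name"
    done
    printf 'iptables -A OUTPUT -p udp -d %s --dport 53 -m state --state NEW -j ACCEPT  # DNS\n' \
        "$resolver"
}

# Print the rule set for review (nothing is loaded into the kernel).
printf '%s\n' "$SAMPLE_SERVICES" | afs_udp_ports | afs_output_rules 192.0.2.53
```

Pipe the output into a shell once it has been checked, or keep it as the generated section of the firewall script.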