iptables rules that need testing [message #90290]
Mon, 24 October 2011 14:03
Please test these rules and let me know what you think. I could probably be a little more tight on the output, but let's see what you think of this first. If this is well received, we can look into including it as an option in a future release along with the ability to add custom ports. I could write it a bit more generic to allow an easy migration from an RHEL base in the future.
The following configuration allows you to set iptables to only input port 21 and it takes care of everything else. Do not add ip_conntrack_netbios_ns. This may or may not be in your configuration. If it is there, leave it. If it isn't there, do not add it.
edit /etc/sysconfig/iptables-config
replace IPTABLES_MODULES="ip_conntrack_netbios_ns" with IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
#!/bin/sh
#Restart to load ip_conntrack_ftp module
/etc/init.d/iptables restart
#Clear rules and chains
iptables -F
iptables -X
#allow all input to loopback
iptables -A INPUT -i lo -j ACCEPT
#As an example without the next line wget cannot connect and download
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow ping, this could be narrowed to specific icmp types
iptables -A INPUT -p icmp -j ACCEPT
#allow ftp ssh smtp dns http pop3 imap https imaps pop3s kloxohttps kloxohttp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
iptables -A INPUT -p tcp --dport 7778 -j ACCEPT
#do not allow traffic that isn't specifically allowed
iptables -P INPUT DROP
#do not forward traffic that isn't specified
iptables -P FORWARD DROP
#allow outgoing traffic.
iptables -P OUTPUT ACCEPT
#save the rules so they are not lost on a restart
/etc/init.d/iptables save
https://www.mercuryvps.com
HyperVM Xen VPS hosting
[Updated on: Tue, 14 February 2012 09:05]
Re: iptables rules that need testing [message #90296 is a reply to message #90290]
Mon, 24 October 2011 16:24
Not all email ports?
IMAP is port 143
IMAP-SSL is port 993
POP is port 110
POP-SSL is port 995
SMTP and SMTP-SSL is on ports 25, 587 and 465. Port 587 has to be SSL, and port 465 is enforced TLS-wrapped and is generally used by Outlook users.
Re: iptables rules that need testing [message #90298 is a reply to message #90297]
Mon, 24 October 2011 16:34
Thanks, I updated it with pop3s and imaps. I will have to investigate the SMTP further, as with my setup where I only allow the secure pop3s and imaps, I don't allow those ports you specified and Outlook connected fine. I think it gets handled by this rule: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Also I don't think those ports you listed are shown with netstat -a which also makes me think they are not actively listening.
Re: iptables rules that need testing [message #90329 is a reply to message #90327]
Tue, 25 October 2011 10:15
That is not the proper way to implement iptables on RHEL. It wouldn't be the proper way on Debian either.
The FTP is not correctly done.
It does not have the IMAPS and POP3S ports open.
I am trying to come up with a proper and secure way. For instance, allowing port 20 in the example you referenced would allow an executable to listen on port 20, since 20 is not actively being used by FTP. In the script I propose here, the proper ftp module takes care of this and only port 21 needs to be allowed in.
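An added audit script for the saved ruleset, written for this thread rather than taken from it or from Kloxo: it checks the points the first post and this reply make (default DROP policies, a RELATED,ESTABLISHED rule ahead of the port rules, no port 20 rule, ip_conntrack_ftp listed in iptables-config) against constructed sample copies of /etc/sysconfig/iptables and iptables-config. The function names and both sample rulesets are mine, not the thread's.

```shell
#!/bin/sh
# Constructed sample of /etc/sysconfig/iptables (iptables-save format) mirroring the thread's ruleset.
SAVED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
# Constructed /etc/sysconfig/iptables-config line after the edit the first post describes.
MODULES_CONFIG='IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"'
# Constructed "open the FTP data port too" ruleset, the style this reply argues against.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# 1-based position of the first INPUT rule in $1 matching pattern $2, or 0 when absent.
rule_index() {
    idx=$(printf '%s\n' "$1" | grep -e '^-A INPUT' | grep -n -e "$2" | head -n 1 | cut -d: -f1)
    echo "${idx:-0}"
}
# Audit saved rules ($1) against iptables-config ($2): print one line per finding, return 0 only when clean.
audit_rules() {
    rc=0
    printf '%s\n' "$1" | grep -q -e '^:INPUT DROP' || { echo "INPUT policy is not DROP"; rc=1; }
    printf '%s\n' "$1" | grep -q -e '^:FORWARD DROP' || { echo "FORWARD policy is not DROP"; rc=1; }
    state=$(rule_index "$1" '--state RELATED,ESTABLISHED')
    first_port=$(rule_index "$1" '--dport')
    [ "$state" -gt 0 ] || { echo "no RELATED,ESTABLISHED rule: replies and FTP data connections get dropped"; rc=1; }
    [ "$state" -eq 0 ] || [ "$first_port" -eq 0 ] || [ "$state" -lt "$first_port" ] \
        || { echo "stateful rule sits after the port rules; move it up so it matches first"; rc=1; }
    [ "$(rule_index "$1" '--dport 20 ')" -eq 0 ] \
        || { echo "port 20 is open: any process could listen there; let ip_conntrack_ftp handle FTP data"; rc=1; }
    if [ "$(rule_index "$1" '--dport 21 ')" -gt 0 ]; then
        printf '%s\n' "$2" | grep -e '^IPTABLES_MODULES=' | grep -q 'ip_conntrack_ftp' \
            || { echo "port 21 is open but ip_conntrack_ftp is missing from IPTABLES_MODULES"; rc=1; }
    fi
    return $rc
}
# Stand-alone run: the thread's ruleset passes, the weak one reports its findings.
audit_rules "$SAVED_RULES" "$MODULES_CONFIG" && echo "saved ruleset: clean"
audit_rules "$WEAK_RULES" "$MODULES_CONFIG" || echo "weak ruleset: needs work"
```

On a live box you would feed it the real files, for example audit_rules "$(cat /etc/sysconfig/iptables)" "$(cat /etc/sysconfig/iptables-config)".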
Re: iptables rules that need testing [message #90343 is a reply to message #90337]
Tue, 25 October 2011 12:55
I think this could be a fine solution on an individual basis. I am just looking to provide Kloxo with some default security. By default MySQL is wide open for attacks. Then people try many different ways to put up a firewall without knowing exactly what is going on. As you can see from lupetalo's reply, he took that wiki page as gospel without trying to put the screws to it.
Re: iptables rules that need testing [message #90368 is a reply to message #90343]
Tue, 25 October 2011 18:04
shazar wrote on Tue, 25 October 2011 12:55:
Quote: I think this could be a fine solution on an individual basis. I am just looking to provide Kloxo with some default security. By default MySQL is wide open for attacks. Then people try many different ways to put up a firewall without knowing exactly what is going on. As you can see from lupetalo's reply, he took that wiki page as gospel without trying to put the screws to it.
I took that as a guide not as gospel (whatever that means)...
Re: iptables rules that need testing [message #93794 is a reply to message #93231]
Sat, 07 January 2012 18:16
This is my readout, is this right:
Quote:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]ntrack_ftp
iptables v1.3.5: Can't use -X with -F
Try `iptables -h' or 'iptables --help' for more information.
./firewall: line 13: kloxohttp: command not found
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@s1 ~]#
Re: iptables rules that need testing [message #93796 is a reply to message #93795]
Sat, 07 January 2012 18:26
OK, readout from slcker76's change:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]ntrack_ftp
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@s1 ~]#
P.S.: I've added port 10000 for Webmin; I only tend to use it for file searching etc., but it is quite useful.
P.P.S.: FTP works fine.
[Updated on: Sat, 07 January 2012 18:42]
Re: iptables rules that need testing [message #96977 is a reply to message #96808]
Thu, 22 March 2012 16:48
I assume I need to copy all of this to the /etc/sysconfig/iptables file, just the CentOS way?
Newbie on Lxcenter Forum!
New with Linux. (version?)
New with CentOS. (version 5.8 )
Getting Better with Kloxo. (1 dedicated master running version 6.1.12)
Still busy with HyperVM. (1 dedicated master running version 2.0.7993 OpenVZ)
Translated Kloxo Dutch (NL)
Translated HyperVM Dutch (NL)
Re: iptables rules that need testing [message #97013 is a reply to message #96980]
Fri, 23 March 2012 13:11
Shazar - I need to read up more about a lot of things, but I need to start somewhere. So for now iptables is on top of the list.
Where and how do I need to run that script?
Thanks
Re: iptables rules that need testing [message #97014 is a reply to message #97013]
Fri, 23 March 2012 13:28
You can run it line by line or you can save it to a file and run the file. It sets the rules and saves them, so when the server starts the rules are loaded automatically. You never have to run it again. If you need to allow other ports, you can use one of the lines as an example; you just always have to run the save line so they keep when you reboot.
Re: iptables rules that need testing [message #97015 is a reply to message #97014]
Fri, 23 March 2012 13:39
Thanks for your quick reply. Now it's my turn to read and learn more about this stuff. Google is my best friend...
Am I right that these rules are automatically saved in /etc/sysconfig/iptables?
Re: iptables rules that need testing [message #97017 is a reply to message #97015]
Fri, 23 March 2012 13:54
I think the save file is /etc/sysconfig/firewall. And with this script they are saved, but by just adding a rule, they are not saved.
This line adds a rule:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
This takes effect immediately.
This line:
/etc/init.d/iptables save
Is what saves it to the file.
And when the server starts /etc/init.d/iptables start is run and in there you should be able to see where it loads the rules that were previously saved.
Re: iptables rules that need testing [message #97053 is a reply to message #97017]
Sun, 25 March 2012 08:15
The script runs like sunshine. Nothing to say about it.
The rules are saved in /etc/sysconfig/iptables.
This is what the file /etc/sysconfig/iptables shows after running your script:
# Generated by iptables-save v1.3.5 on Sun Mar 25 13:46:23 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7778 -j ACCEPT
COMMIT
# Completed on Sun Mar 25 13:46:23 2012
Thanks for the support! Gerard
Re: iptables rules that need testing [message #98385 is a reply to message #97053]
Wed, 30 May 2012 17:53
Hello,
Thanks for this job.
But I have a little problem:
When I write "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
I get: "iptables: No chain/target/match by that name."
Do you have a solution?
My iptables is upgraded to the latest version.
Friendly,
Florian
Re: iptables rules that need testing [message #98390 is a reply to message #98387]
Thu, 31 May 2012 04:18
Hello,
Yes, I have added the module. On the first start the module is OK, but afterwards it's not OK; I think that's normal, we can't start the module twice.
I have put all the ports you asked for; I have just added "echo - XXX : [OK]". If you want, I'll put this here.
Re: iptables rules that need testing [message #98404 is a reply to message #98399]
Thu, 31 May 2012 13:37
Florian - regarding your private message, I want you to delete any files that you previously created regarding this. You do not need a script file at the moment. I literally want you to run what I asked in my previous post. That is it. It is 4 lines that I want you to run and I want to know the output to see if that runs cleanly. If that all runs well enough, then you just need to run the lines that I posted in the very first post of this thread. No need to create a file or anything else. Simply run the lines 1 by 1 by copying and pasting.
[Updated on: Thu, 31 May 2012 13:38]