Linode Forum
https://forum.linode.com/

Simple iptables setup question
https://forum.linode.com/viewtopic.php?f=19&t=5632		 Page 1 of 1
Author:  Julian [ Thu May 27, 2010 1:28 pm ]
Post subject:  Simple iptables setup question
Hey,

I'm inexperienced with network security and iptables, but I'm wondering if this setup would be a secure firewall.

Use iptables to allow ports 80 and whatever port I use ssh on, and block all others.
My email goes through Google Apps, so I shouldn't need to leave that port open.

Does this sound right? Are there any ports I'm forgetting?
Thanks!
Author:  jed [ Thu May 27, 2010 3:19 pm ]
Post subject:  Re: Simple iptables setup question
Julian wrote:
I'm inexperienced with network security and iptables

I recommend that you use ufw or Shorewall or something, then. Those will let you exclude SSH on 22 and HTTP on 80, and set up iptables for you so you don't have to learn it all. There's a lot of caveats to getting iptables right -- like not forgetting localhost, making sure RELATED/ESTABLISHED comes first for performance, and so forth.

Overall, security-wise, you need to allow ICMP through as well. I've never been a fan of selectively filtering ICMP, so I allow it all. Blocking selective ICMP traffic leads to weird behavior, like path MTU discovery failing (if you're interesting in Googling). Otherwise, yes, your description sounds reasonably secure.
Author:  Mika1974 [ Mon Jun 07, 2010 2:54 am ]
Post subject: 
I use the following simple rules on CentOS/Fedora PBX server:

Code:
# iptables
iptables -F
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -L
iptables-save


I also change some kernel settings for the better:

Code:
# kernel settings
sysctl -p
nano /etc/sysctl.conf

#Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 1
# enable ignoring to icmp request
net.ipv4.icmp_echo_ignore_all = 1
# enable ignoring broardcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
#Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1


The thing I find with iptables is that there are either really extensive scripts out there or just these simple things. I've read 3 books on the topic - none tell me which is better.
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/