Linode Community Forums
PostPosted: Thu May 27, 2010 1:28 pm 

Joined: Thu May 27, 2010 1:10 pm
Posts: 1
Hey,

I'm inexperienced with network security and iptables, but I'm wondering if this setup would be a secure firewall.

Use iptables to allow ports 80 and whatever port I use ssh on, and block all others.
My email goes through Google Apps, so I shouldn't need to leave that port open.

Does this sound right? Are there any ports I'm forgetting?
Thanks!


PostPosted: Thu May 27, 2010 3:19 pm 

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Julian wrote:
I'm inexperienced with network security and iptables

I recommend that you use ufw or Shorewall or something, then. Those will let you exclude SSH on 22 and HTTP on 80, and set up iptables for you so you don't have to learn it all. There are a lot of caveats to getting iptables right -- like not forgetting localhost, making sure RELATED/ESTABLISHED comes first for performance, and so forth.

Overall, security-wise, you need to allow ICMP through as well. I've never been a fan of selectively filtering ICMP, so I allow it all. Blocking selective ICMP traffic leads to weird behavior, like path MTU discovery failing (if you're interested in Googling). Otherwise, yes, your description sounds reasonably secure.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.
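The reply above names the things a hand-written ruleset usually gets wrong: forgetting loopback, putting ESTABLISHED/RELATED late in the chain, and filtering ICMP. The script below is an added example, not code from any post in this thread: it writes the original poster's setup (SSH on a chosen port, HTTP, everything else dropped) as an iptables-restore ruleset with those caveats applied, plus an explicit DROP policy, without which a list of ACCEPT rules filters nothing. Port 2222, the function names and the log prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build the ruleset the original poster
# described in iptables-restore format, with the caveats from the reply above:
# loopback allowed, ESTABLISHED/RELATED matched first, ICMP allowed, and an
# explicit DROP policy. Port 2222 below is only an assumed example SSH port.

# gen_rules SSH_PORT [TCP_PORT...]  -> ruleset on stdout
gen_rules() {
    ssh_port=$1
    shift
    case $ssh_port in
        ''|*[!0-9]*) echo "gen_rules: SSH port must be numeric" >&2; return 1 ;;
    esac
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: local daemons (databases, caches) talk to each other over lo
-A INPUT -i lo -j ACCEPT
# Packets belonging to connections already accepted; first, so the bulk of
# traffic never walks the per-port rules below
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets the connection tracker cannot place (bad TCP flags, stray replies)
-A INPUT -m state --state INVALID -j DROP
# All ICMP: needed for path MTU discovery, and keeps ping/traceroute working
-A INPUT -p icmp -j ACCEPT
# New inbound connections: SSH on the chosen port
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
EOF
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Rate-limited log of whatever is about to hit the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
COMMIT
EOF
}

# apply_rules SSH_PORT [TCP_PORT...]: parse-check, then load atomically.
# iptables-restore replaces the whole table in one step, so a typo fails the
# --test pass instead of leaving a half-loaded chain on a remote box.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_rules "$@" >"$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore --test <"$tmp" && iptables-restore <"$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Example: SSH on 2222 plus HTTP. Review the output before calling apply_rules.
gen_rules 2222 80
```

Generating the ruleset as text rather than running `iptables -A` line by line has two practical benefits: the file can be diffed and reviewed before it touches the kernel, and `iptables-restore` swaps the table in atomically, so there is no window where the policy is DROP but the SSH rule is not yet loaded.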


PostPosted: Mon Jun 07, 2010 2:54 am 

Joined: Fri May 21, 2010 7:38 am
Posts: 11
I use the following simple rules on CentOS/Fedora PBX server:

Code:
# iptables
iptables -F
# Default policy DROP: without it the ACCEPT rules below filter nothing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback and already-open connections first, then ICMP (path MTU discovery)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# SSH, HTTP, HTTPS
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# PBX: SIP signalling, IAX2, RTP media range and the other UDP services it uses
iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
iptables -L -n -v
# iptables-save only prints the ruleset; on CentOS/Fedora persist it with:
#   service iptables save
iptables-save


I also change some kernel settings for the better:

Code:
# kernel settings: edit /etc/sysctl.conf, then reload it with sysctl -p
nano /etc/sysctl.conf

# Disable ICMP redirect acceptance (0 = ignore redirects; 1 would accept them)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Ignore all ICMP echo requests (the host will not answer ping)
net.ipv4.icmp_echo_ignore_all = 1
# Ignore broadcast echo requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed, source-routed and redirect packets
net.ipv4.conf.all.log_martians = 1

# apply the file to the running kernel
sysctl -p


The thing I find with iptables is that there are either really extensive scripts out there or just these simple things. I've read 3 books on the topic - none tell me which is better.
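Kernel settings of the kind listed in the post above fail silently: a value typed as 1 where 0 was meant loads without complaint, and nothing tells you whether /etc/sysctl.conf was ever applied after the last reboot. The script below is an added example, not part of the original post: it reads what the kernel actually reports under /proc/sys and compares it against an intended list. The SYS_ROOT override, the function names and the exact set of keys in the list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit live kernel values against the
# settings intended, reading /proc/sys directly so it also works where
# sysctl(8) is absent. SYS_ROOT is an assumed override so the check can be run
# against a test tree; it defaults to the real /proc/sys.
: "${SYS_ROOT:=/proc/sys}"

# One "key value" pair per line: what a hardened host should report.
HARDENING_WANTED='
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.log_martians 1
net.ipv4.tcp_syncookies 1
'

# sysctl key -> file path: dots in the key are path separators under /proc/sys
key_path() {
    printf '%s/%s\n' "$SYS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Prints one line per problem: "MISMATCH key want=X got=Y" or "MISSING key".
# Silent when everything matches.
audit_sysctl() {
    printf '%s\n' "$HARDENING_WANTED" | while read -r key want; do
        [ -n "$key" ] || continue
        f=$(key_path "$key")
        if [ ! -r "$f" ]; then
            echo "MISSING $key"
            continue
        fi
        got=$(cat "$f")
        [ "$got" = "$want" ] || echo "MISMATCH $key want=$want got=$got"
    done
}

# Exit status 0 only when the audit is clean; usable from cron or a
# configuration-management check.
sysctl_ok() {
    [ -z "$(audit_sysctl)" ]
}

audit_sysctl
```

Run it once after `sysctl -p` and again after a reboot; a MISSING line means the key does not exist on this kernel (typo or different version), a MISMATCH means the file was edited but the running value never changed or was overridden by another file in /etc/sysctl.d.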

