On Wed, 2012-02-15 at 19:25 +0100, Arturo Borrero Gonzalez wrote:
> 2012/2/15 Raven <ra...@vp44.net>:
> > Hi guys.
> > I need some help in designing a simple iptables ruleset for a small
> > server I have recently set up.
> >
> > It's a VPS so the primary interface is venet0 with a public ip. The
> > server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
> >
> > There is obviously no need for NAT or packet forwarding. All outbound
> > traffic should be allowed while inbound data is to be accepted only on
> > ports 80, 443, 25, 587 and 1194 (tcp,udp).
> >
> > Could you give me a rough idea of what a firewall script should look
> > like?
> >
> > Thanks
> >
> > -RV
>
> I think if you give me more details about the environment of the
> server, I could help you being more explicit.
>
> For example:
>
> · Ipv6 use, or support?
> · Complex firewall as a service management?
> · How many clients are going to use the server?
> · What about the scalability factor? Do you plan to expand the server
> in a future?
> · Is the server in your house or it's a testing server, so
> availability and security could be forgiven in favor of a quick
> setting?
1) IPv6 will be implemented in the next future. For now I'm focusing on v4.
2) Didn't really understand that question :)
3) A fair number. Busy MTA and 70-80 clients on httpd.
4) I do, but in that case I will add a rule manually for whatever protocol I need to.
5) As of now the server is just a secondary MX and a failover httpd server. If all works out I plan to use it as primary.

I probably should have mentioned this earlier, but my predecessor left me with a firewall script that, when launched, locks me out of the server. It seems all kosher to me, so I wonder why it's behaving like that:

#!/bin/sh

IPT="/sbin/iptables"

# Internet Interface
INET_IFACE="venet0"
INET_ADDRESS="xxx.xxx.xxx.xxx"

# OpenVPN
OV="172.16.0.0/16"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Set Policies (from here on only explicitly accepted traffic passes)
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# unlimited access to VPN
$IPT -A INPUT -s $OV -j ACCEPT
$IPT -A OUTPUT -s $OV -j ACCEPT

# Munin accounting stuff (no -j target: these rules only count packets and bytes)
$IPT -A INPUT -d $INET_ADDRESS
$IPT -A OUTPUT -s $INET_ADDRESS
$IPT -A INPUT -d 172.16.0.1
$IPT -A OUTPUT -s 172.16.0.1

# Filter INVALID packets
$IPT -N bad_packets
# Filter bad tcp packets
$IPT -N bad_tcp_packets
# Chains for icmp, udp and tcp (incoming and outgoing)
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
# Inbound services
$IPT -N tcp_inbound
# Outbound services
$IPT -N tcp_outbound

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# Drop new connections that do not start with a SYN, and impossible flag combinations
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
     -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain (anything not accepted here falls through to the INPUT policy)
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# Echo Request
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# udp_inbound chain
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# NTP Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# udp_outbound chain
#
# ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
# Passive FTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:63000 \
     -j ACCEPT
# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
# Email Server (SMTP SUBMISSION)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 587 -j ACCEPT
# Email Server (POP3)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Email Server (IMAP4)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# SSL Email Server (POP3s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT
# SSL Email Server (IMAP4s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Munin
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 4949 -j ACCEPT
# Rsync
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 873 -j ACCEPT
# openvpn
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1194 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT

# No match, so ACCEPT
# (tcp_outbound and udp_outbound are never jumped to from OUTPUT below)
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

echo "Process OUTPUT chain ..."

$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

-RV

--
To UNSUBSCRIBE, email to debian-firewall-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1329392208.7003.24.ca...@osmosis.gnet.eu
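A ruleset for the requirements stated in the question (inbound only on 80, 443, 25, 587 and 1194 tcp/udp, all outbound allowed, no forwarding), written as an added example rather than the script above or any list member's code. It is loaded atomically with iptables-restore after a parse check, and a timed rollback restores the previous ruleset unless the operator confirms a fresh login works, which is the usual guard against the lockout described in the thread. Assumptions: the conntrack match is available on the VPS, OpenVPN uses a tun device, and an SSH port (22, not in the original port list) must stay reachable for management.

```shell
#!/bin/sh
# Added example, not from the thread. Interface and subnet come from the
# question; SSH_PORT, the tun+ device and the rollback helper are assumptions.
INET_IFACE="venet0"
OV="172.16.0.0/24"          # OpenVPN subnet as stated in the question
SSH_PORT="${SSH_PORT:-22}"  # assumption: management access must survive

# Emit the whole filter table in iptables-restore format. Loading it this
# way is atomic: either every rule is installed or nothing changes, so a
# typo cannot leave DROP policies in place next to half-built chains.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:tcp_inbound - [0:0]
:udp_inbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i tun+ -s $OV -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $INET_IFACE -p tcp -j tcp_inbound
-A INPUT -i $INET_IFACE -p udp -j udp_inbound
-A tcp_inbound -p tcp --syn -m multiport --dports $SSH_PORT,25,80,443,587,1194 -j ACCEPT
-A udp_inbound -p udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Parse-check, save the running ruleset, load the new one, and schedule a
# restore of the saved ruleset after $1 seconds. Once a fresh SSH login
# works, kill the printed PID to keep the new rules.
apply_with_rollback() {
  secs="${1:-120}"
  gen_rules | iptables-restore --test || return 1
  iptables-save > /root/iptables.rollback || return 1
  gen_rules | iptables-restore || return 1
  ( sleep "$secs" && iptables-restore < /root/iptables.rollback ) &
  echo "new rules loaded; run 'kill $!' within ${secs}s to keep them"
}

case "${1:-}" in
  apply) apply_with_rollback "${2:-120}" ;;
  *)     gen_rules ;;   # dry run: print the ruleset without touching the kernel
esac
```

Run without arguments to print the ruleset for review; `apply 120` loads it with a two-minute rollback window.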