Hi,

I'm rather new to IPTables.  I've written a shell script to update and save the 
IPTables on a web server that only has HTTPD, SSL, Secured FTP, and SSH 
available.

I need to be able to access the server via SSH and SFTP and want to only allow 
the data center's local net and only those, by IP, that I allow to access the 
box over the Internet.  Ports 80 and 443 should be open to everyone.

I'm hoping someone or a couple of people can look at what I have written and 
give me some feedback.  I've already locked myself out of one server so I would 
like to avoid that again.

Thanks in advance for your help!

- - - - - - - 

#!/bin/bash
#
# iptables configuration for xxxxxxxxxxx
#------
# Flush all current rules from iptables
iptables -F

# Drop all forwarded packets
iptables -P FORWARD DROP

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Port 80 for everyone
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Port 443 for everyone
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# No SMTP/POP/MySql/Named ... ETC

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------------------------------------
# Allow SSH/FTP connections on tcp port 22 for only those we want to FTP or SSH
# into the box
#---------------------------------------------------------------------------------------------

#Data center Local network
iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT

#User 1
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#user 2
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#user 3
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#---------------------------------------------------------------------------------
# - - - - Add additional consultants here and run script again -  - - - - 
#---------------------------------------------------------------------------------

# Data Center Staff from outside
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#-----------------------------------------------------------------------------
# - - - - Add additional Data Center staff here and run script again -  - - - - 
#-----------------------------------------------------------------------------


# Allow all outbound traffic
iptables -P OUTPUT ACCEPT

# Drop everything else
iptables -P INPUT DROP


# Save settings
/sbin/service iptables save

# List rules
iptables -L -v


------------------------

Keith Smith
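As an added example (not Keith's script), here is one way to restructure the same ruleset so that the order of operations cannot lock out the session applying it and so that any 999.999.999.999 placeholder left in the source list is caught before a single rule is touched. The function names and the dry-run default are mine; the 203.0.113.10 address used in testing is a documentation address.

```sh
#!/bin/sh
# Added example, not the original poster's script. Generates the INPUT ruleset
# in an order that cannot lock out the session applying it, and refuses to run
# while a 999.999.999.999 placeholder is still in the source list.
# Dry run by default (commands are printed); run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# valid_ipv4_cidr A.B.C.D[/N]: succeeds only if every octet is 0-255 and N is 0-32.
valid_ipv4_cidr() {
    addr=${1%/*}
    case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# check_sources SRC...: validate every SSH source before any rule is touched.
check_sources() {
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "refusing: bad SSH source '$src'" >&2; return 1; }
    done
}

# emit_ruleset SRC...: policies go to ACCEPT before the flush and INPUT DROP is
# set last, so a script that dies half way leaves the box reachable rather than
# sealed. ESTABLISHED,RELATED is the first rule so the current SSH session
# survives whatever the later rules do.
emit_ruleset() {
    check_sources "$@" || return 1
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
    for src in "$@"; do
        $IPT -A INPUT -p tcp -s "$src" --dport 22 -j ACCEPT
    done
    $IPT -P INPUT DROP
}
```

Source the file and run `emit_ruleset 192.168.100.0/28 <your-ip>` to review the generated commands; only once they look right, rerun with `IPT=iptables` and then `service iptables save` as in the original script.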
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
