IPTables on LAMP server in data center

Richard Wilson relw at mchsi.com
Wed May 11 19:52:28 MST 2011


Keith,

What you have is fine and will work, but here's something that will make 
it faster and more maintainable:

# Create an SSH Access Table
iptables -N SSHACS

Right before your "#Data center Local network" line, put:

# Handle SSH Traffic
iptables -A INPUT -p tcp --dport 22 -j SSHACS

Then for each IP you want to grant SSH Access to:
iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT

This is faster because it won't go through each rule for non-SSH 
traffic.  Splitting similar rules like this can be a big help in complex 
rule sets.

HTH,

Richard Wilson
---------------------------------------------------------------
On 05/11/2011 07:24 PM, keith smith wrote:
>
> Hi,
>
> I'm rather new to IPTables.  I've written a shell script to update and 
> save the IPTables on a web server that only has HTTPD, SSL, Secured 
> FTP, and SSH available.
>
> I need to be able to access the server via SSH and SFTP and want to 
> only allow the data center's local net and only those, by IP, that I 
> allow to access the box over the Internet.  Port 80 and 443 should be 
> open to everyone.
>
> I'm hoping someone or a couple of people can look at what I have 
> written and give me some feedback.  I've already locked myself out of 
> one server so I would like to avoid that again.
>
> Thanks in advance for your help!
>
> - - - - - - -
>
> #!/bin/bash
> #
> # iptables configuration for xxxxxxxxxxx
> #------
> # Flush all current rules from iptables
> iptables -F
>
> # Drop all forwarded packets
> iptables -P FORWARD DROP
>
> # Set access for localhost
> iptables -A INPUT -i lo -j ACCEPT
>
> # Port 80 for everyone
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> # Port 443 for everyone
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>
> # No SMTP/POP/MySql/Named ... ETC
>
> # Accept packets belonging to established and related connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #---------------------------------------------------------------------------------------------
> # Allow SSH/FTP connections on tcp port 22 for only those we want to 
> # FTP or SSH into the box
> #---------------------------------------------------------------------------------------------
>
> #Data center Local network
> iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT
>
> #User 1
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #user 2
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #user 3
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #---------------------------------------------------------------------------------
> # - - - - Add additional consultants here and run script again -  - - - -
> #---------------------------------------------------------------------------------
>
> # Data Center Staff from outside
> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>
> #-----------------------------------------------------------------------------
> # - - - - Add additional Data Center staff here and run script again 
> # -  - - - -
> #-----------------------------------------------------------------------------
>
>
> # Allow all outbound traffic
> iptables -P OUTPUT ACCEPT
>
> # Drop everything else
> iptables -P INPUT DROP
>
>
> # Save settings
> /sbin/service iptables save
>
> # List rules
> iptables -L -v
>
>
> ------------------------
> Keith Smith
>
>

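The dedicated-chain layout Richard describes, as an added example that is not code from either message: a script that reproduces Keith's policy (80 and 443 open, SSH restricted by source, everything else dropped) with the SSH rules moved into their own chain, emitted in iptables-restore format so the whole filter table is replaced in one atomic commit instead of being flushed and rebuilt rule by rule. The chain name SSHACS is taken from Richard's reply; the source addresses are constructed placeholders (RFC 5737 documentation ranges), and the function names are this example's own.

```bash
#!/bin/bash
# Constructed example: generate an iptables-restore ruleset in which all
# SSH source checks live in a dedicated SSHACS chain (name from the reply
# above). Sources below are placeholders, not real hosts.
SSH_SOURCES="192.168.100.0/28 203.0.113.10/32 198.51.100.0/24"

# build_ssh_chain LIST: declare the SSHACS chain and add one ACCEPT per
# allowed source. Packets that match nothing here return to INPUT, where
# the DROP policy discards them, so no explicit DROP is needed in the chain.
build_ssh_chain() {
    printf '%s\n' ':SSHACS - [0:0]'
    for src in $1; do
        printf '%s\n' "-A SSHACS -s $src -j ACCEPT"
    done
}

# build_ruleset LIST: emit a complete *filter table. Policies are declared
# up front; only port-22 traffic takes the jump into SSHACS, so HTTP/HTTPS
# packets never traverse the per-host SSH rules.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    build_ssh_chain "$1"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 443 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j SSHACS'
    printf '%s\n' 'COMMIT'
}

# count_ssh_rules RULESET: how many per-source ACCEPT rules SSHACS holds,
# handy for checking the generated table before loading it.
count_ssh_rules() {
    printf '%s\n' "$1" | grep -c '^-A SSHACS ' || true
}

# Stand-alone run: print the ruleset for review.
build_ruleset "$SSH_SOURCES"
```

Review the printed table, then load it with `./ssh-chain.sh | iptables-restore` and persist it with `service iptables save` as in the original script. Adding a consultant is one line appended to SSH_SOURCES; the INPUT chain never changes.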