Thanks Richard!

------------------------
Keith Smith

--- On Wed, 5/11/11, Richard Wilson wrote:

From: Richard Wilson
Subject: Re: IPTables on LAMP server in data center
To: "Main PLUG discussion list"
Date: Wednesday, May 11, 2011, 7:52 PM

Keith,

What you have is fine and will work, but here's something that will make it faster and more maintainable:

# Create an SSH Access Table
iptables -N SSHACS

Right before your "#Data center Local network" line, put:

# Handle SSH Traffic
iptables -A INPUT -p tcp --dport 22 -j SSHACS

Then for each IP you want to grant SSH Access to:

iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT

This is faster because it won't go through each rule for non-SSH traffic.  Splitting similar rules like this can be a big help in complex rule sets.

HTH,
Richard Wilson

---------------------------------------------------------------
On 05/11/2011 07:24 PM, keith smith wrote:

Hi,

I'm rather new to IPTables.  I've written a shell script to update and save the IPTables on a web server that only has HTTPD, SSL, Secured FTP, and SSH available.

I need to be able to access the server via SSH and SFTP and want to only allow the data center's local net and only those, by IP, that I allow to access the box over the Internet.  Port 80 and 443 should be open to everyone.

I'm hoping someone or a couple of people can look at what I have written and give me some feedback.  I've already locked myself out of one server so I would like to avoid that again.

Thanks in advance for your help!

- - - - - - -

#!/bin/bash
#
# iptables configuration for xxxxxxxxxxx
#------

# Flush all current rules from iptables
iptables -F

# Drop all forwarded packets
iptables -P FORWARD DROP

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Port 80 for everyone
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Port 443 for everyone
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# No SMTP/POP/MySql/Named ...
# ETC

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------------------------------------
# Allow SSH/FTP connections on tcp port 22 for only those we want to FTP or SSH into the box
#---------------------------------------------------------------------------------------------

#Data center Local network
iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT

#User 1
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#user 2
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#user 3
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#---------------------------------------------------------------------------------
# - - - - Add additional consultants here and run script again -  - - - -
#---------------------------------------------------------------------------------

# Data Center Staff from outside
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

#-----------------------------------------------------------------------------
# - - - - Add additional Data Center staff here and run script again -  - - - -
#-----------------------------------------------------------------------------

# Allow all outbound traffic
iptables -P OUTPUT ACCEPT

# Drop everything else
iptables -P INPUT DROP

# Save settings
/sbin/service iptables save

# List rules
iptables -L -v

------------------------
Keith Smith

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
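Richard's dedicated-chain suggestion applied to Keith's rule set, as an added example that is not code from either poster. It runs as a dry run that prints the iptables commands unless IPTABLES points at the real binary; 192.168.100.0/28 is the data-center LAN from Keith's script, while 203.0.113.10 is a constructed placeholder for one consultant address.

```shell
#!/bin/sh
# Added example: Keith's rules rebuilt around Richard's SSHACS chain.
# Dry run by default (prints the commands). To apply for real, run as root:
#   IPTABLES=/sbin/iptables ./ssh-chain.sh
IPTABLES="${IPTABLES:-echo iptables}"

# Allowed SSH/SFTP sources: the data-center LAN from Keith's script and a
# constructed placeholder address (TEST-NET-3) standing in for a consultant.
SSH_SOURCES="192.168.100.0/28 203.0.113.10"

ssh_chain_rules() {
    # One ACCEPT per allowed source, all inside SSHACS. Only port-22 packets
    # ever enter this chain, so web traffic never walks the allow-list.
    $IPTABLES -N SSHACS 2>/dev/null || true   # -N fails if the chain exists
    $IPTABLES -F SSHACS
    for src in $SSH_SOURCES; do
        $IPTABLES -A SSHACS -s "$src" -j ACCEPT
    done
    $IPTABLES -A SSHACS -j DROP    # make the fall-through explicit
}

base_rules() {
    # Open INPUT before flushing so a re-run over SSH cannot lock you out,
    # and accept ESTABLISHED early so the current session survives the reload.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j SSHACS   # hand SSH to the chain
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT DROP
}

apply_all() {
    ssh_chain_rules
    base_rules
}
```

Adding a consultant is now one address appended to SSH_SOURCES rather than a new INPUT rule, and the dry run lets you eyeball the order before touching the live firewall.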