Re: IPTables on LAMP server in data center

    Keith,
    What you have is fine and will work, but here's something that will
    make it faster and more maintainable:
    # Create an SSH Access Table
    iptables -N SSHACS        
    Right before your "#Data center Local network" line, put:
    # Handle SSH Traffic
    iptables -A INPUT -p tcp --dport 22 -j SSHACS
    Then for each IP you want to grant SSH Access to:
    iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT
    This is faster because it won't got through each rule for non-SSH
    traffic.  Splitting similar rules like this can be a big help in
    complex rule sets.  
    HTH,
    Richard Wilson
    ---------------------------------------------------------------
    On 05/11/2011 07:24 PM, keith smith wrote:
              Hi,
              I'm rather new to IPTables.  I've written a shell script
              to update and save the IPTables on a web server that only
              has HTTPD, SSL, Secured FTP, and SSH available.
              I need to be able to access the server via SSH and SFTP
              and want to only allow the data center's local net and
              only those, by IP, that I allow to access the box over the
              Internet.  Port 80 and 443 should be open to everyone.
              I'm hoping someone or a couple of people can look at what
              I have written and give me some feedback.  I've already
              locked myself out of one server so I would like to avoid
              that again.
              Thanks in advance for your help!
              - - - - - - - 
              #!/bin/bash
              #
              # iptables configuration for xxxxxxxxxxx
              #------
              # Flush all current rules from iptables
               iptables -F
              # Drop all forwarded packets
              iptables -P FORWARD DROP
              # Set access for localhost
              iptables -A INPUT -i lo -j ACCEPT
              # Port 80 for everyone
              iptables -A INPUT -p tcp --dport 80 -j ACCEPT
              # Port 443 for everyone
              iptables -A INPUT -p tcp --dport 443 -j ACCEPT
              # No SMTP/POP/MySql/Named ... ETC
              # Accept packets belonging to established and related
              connections
              iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
              ACCEPT
              # Allow SSH/FTP connections on tcp port 22 for only those
              we want to FTP or SSH into the box
              #Data center Local network
              iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j
              ACCEPT
              #User 1
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j
              ACCEPT
              #user 2
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j
              ACCEPT
              #user 3
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j
              ACCEPT
              # - - - - Add additional consultants here and run script
              again -  - - - - 
              # Data Center Staff from outside
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j
              ACCEPT
              # - - - - Add additional Data Center staff here and run
              script again -  - - - - 
              # Allow all outbound traffic
              iptables -P OUTPUT ACCEPT
              # Drop everything else
              iptables -P INPUT DROP
              # Save settings
              /sbin/service iptables save
              # List rules
              iptables -L -v
              ------------------------
              Keith Smith

This message is part of the following thread:
	the complete thread tree sorted by date
	Joseph Sinclair at
	keith smith at