Re: IPTables on LAMP server in data center

Author: keith smith
Date:  
To: Main PLUG discussion list
Subject: Re: IPTables on LAMP server in data center

Thanks Richard!

------------------------

Keith Smith

--- On Wed, 5/11/11, Richard Wilson <> wrote:

From: Richard Wilson <>
Subject: Re: IPTables on LAMP server in data center
To: "Main PLUG discussion list" <>
Date: Wednesday, May 11, 2011, 7:52 PM

    Keith,

    What you have is fine and will work, but here's something that will
    make it faster and more maintainable:

    # Create an SSH Access Table
    iptables -N SSHACS

    Right before your "#Data center Local network" line, put:

    # Handle SSH Traffic
    iptables -A INPUT -p tcp --dport 22 -j SSHACS

    Then for each IP you want to grant SSH Access to:

    iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT

    This is faster because it won't go through each rule for non-SSH
    traffic.  Splitting similar rules like this can be a big help in
    complex rule sets.

    HTH,

    Richard Wilson

    ---------------------------------------------------------------

    On 05/11/2011 07:24 PM, keith smith wrote:

              Hi,

              I'm rather new to IPTables.  I've written a shell script
              to update and save the IPTables on a web server that only
              has HTTPD, SSL, Secured FTP, and SSH available.

              I need to be able to access the server via SSH and SFTP
              and want to only allow the data center's local net and
              only those, by IP, that I allow to access the box over the
              Internet.  Port 80 and 443 should be open to everyone.

              I'm hoping someone or a couple of people can look at what
              I have written and give me some feedback.  I've already
              locked myself out of one server so I would like to avoid
              that again.

              Thanks in advance for your help!

              - - - - - - -

              #!/bin/bash
              #
              # iptables configuration for xxxxxxxxxxx
              #------
              # Flush all current rules from iptables (-F removes the rules
              # only; the chain default policies are set further down)
              iptables -F

              # Drop all forwarded packets
              iptables -P FORWARD DROP

              # Set access for localhost
              iptables -A INPUT -i lo -j ACCEPT

              # Port 80 for everyone
              iptables -A INPUT -p tcp --dport 80 -j ACCEPT

              # Port 443 for everyone
              iptables -A INPUT -p tcp --dport 443 -j ACCEPT

              # No SMTP/POP/MySql/Named ... ETC

              # Accept packets belonging to established and related
              # connections (replies to our own outbound traffic included)
              iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

              #---------------------------------------------------------------
              # Allow SSH/SFTP connections on tcp port 22 for only those
              # we want to FTP or SSH into the box
              #---------------------------------------------------------------

              #Data center Local network
              iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT

              #User 1
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

              #user 2
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

              #user 3
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

              #---------------------------------------------------------------
              # - - - - Add additional consultants here and run script
              # again - - - - -
              #---------------------------------------------------------------

              # Data Center Staff from outside
              iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

              #---------------------------------------------------------------
              # - - - - Add additional Data Center staff here and run
              # script again - - - - -
              #---------------------------------------------------------------

              # Allow all outbound traffic
              iptables -P OUTPUT ACCEPT

              # Drop everything else (set last, after the ACCEPT rules above
              # are in place)
              iptables -P INPUT DROP

              # Save settings
              /sbin/service iptables save

              # List rules
              iptables -L -v

              ------------------------

              Keith Smith

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
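The rule set Keith asked about, laid out with the per-service SSHACS chain Richard suggests, as an added example that is not code from either poster. It swaps in iptables-restore for the flush-and-rebuild loop: the whole filter table is replaced in one atomic load, so there is no window with a DROP policy and no rules, and re-running never fails because the chain already exists. The allowlist contains the 192.168.100.0/28 network from Keith's script plus two RFC 5737 documentation addresses standing in for the consultants' real IPs; those two, the SSHACS rule order, the log prefix, the 120-second rollback grace period and the function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not from the thread): a complete iptables-restore ruleset
# for the LAMP box described above, built around the SSHACS chain.
# iptables-restore replaces the whole filter table atomically, so there is
# no flush-then-rebuild window and a re-run never trips on an existing chain.
set -eu

# Sources allowed to open SSH/SFTP (tcp/22). 192.168.100.0/28 is the data
# center net from Keith's script; the other two are RFC 5737 documentation
# addresses used as placeholders for the consultants' real IPs (assumed).
SSH_ALLOW="192.168.100.0/28 203.0.113.10/32 198.51.100.0/29"

# build_ruleset ALLOWLIST: print a filter table in iptables-save format.
build_ruleset() {
    local src
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSHACS - [0:0]
# Loopback and already-accepted flows first: most packets match here and
# never walk the rest of the chain.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any connection (stray FIN/RST, etc.).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Web tier open to everyone.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH/SFTP: only new tcp/22 connections are handed to the access list.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSHACS
EOF
    # One ACCEPT per allowlisted source; only tcp/22 SYNs ever reach here.
    for src in $1; do
        printf -- '-A SSHACS -s %s -j ACCEPT\n' "$src"
    done
    # Everything else is logged (rate-limited) and dropped, so a lockout
    # shows up in the kernel log as SSH-DENIED with the offending source.
    printf -- '-A SSHACS -m limit --limit 5/min -j LOG --log-prefix "SSH-DENIED: "\n'
    printf -- '-A SSHACS -j DROP\n'
    echo COMMIT
}

# ssh_source_count ALLOWLIST: number of per-source ACCEPT rules generated.
ssh_source_count() {
    build_ruleset "$1" | grep -c '^-A SSHACS -s ' || true
}

# load_with_rollback RULESFILE [SECONDS]: syntax-check, save the running
# rules, load the new table atomically, and restore the old rules after
# SECONDS (default 120) unless the operator kills the timer. Needs root:
# run it, reconnect over SSH in a second window, then kill the printed PID.
load_with_rollback() {
    local new="$1" grace="${2:-120}" old
    old=$(mktemp)
    iptables-restore --test < "$new"     # parse only, touches nothing
    iptables-save > "$old"
    ( sleep "$grace" && iptables-restore < "$old" ) &
    iptables-restore < "$new"
    echo "new rules live; rollback from $old in ${grace}s unless you run: kill $!"
}

# Usage: ./lamp-fw.sh --print  > /etc/sysconfig/iptables   (RHEL-style save file)
#        ./lamp-fw.sh --apply                               (load with rollback)
case "${1:-}" in
    --print) build_ruleset "$SSH_ALLOW" ;;
    --apply) tmp=$(mktemp); build_ruleset "$SSH_ALLOW" > "$tmp"; load_with_rollback "$tmp" ;;
esac
```

The output is the same format that `/sbin/service iptables save` writes to /etc/sysconfig/iptables on RHEL-style systems, so `--print` can replace that step and the iptables service loads the file at boot. Adding a consultant is one more address in SSH_ALLOW and one `--apply`; if the new address is wrong, the timer puts the previous rules back before a lockout becomes permanent.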