Thanks Richard!
------------------------
Keith Smith
--- On Wed, 5/11/11, Richard Wilson <relw@mchsi.com> wrote:
From: Richard Wilson <relw@mchsi.com>
Subject: Re: IPTables on LAMP server in data center
To: "Main PLUG discussion list" <plug-discuss@lists.plug.phoenix.az.us>
Date: Wednesday, May 11, 2011, 7:52 PM
Keith,
What you have is fine and will work, but here's something that will
make it faster and more maintainable:
# Create an SSH Access Table
iptables -N SSHACS
Right before your "#Data center Local network" line, put:
# Handle SSH Traffic
iptables -A INPUT -p tcp --dport 22 -j SSHACS
Then for each IP you want to grant SSH Access to:
iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT
This is faster because it won't go through each rule for non-SSH
traffic. Splitting similar rules like this can be a big help in
complex rule sets.
HTH,
Richard Wilson
---------------------------------------------------------------
On 05/11/2011 07:24 PM, keith smith wrote:
Hi,
I'm rather new to IPTables. I've written a shell script
to update and save the IPTables on a web server that only
has HTTPD, SSL, Secured FTP, and SSH available.
I need to be able to access the server via SSH and SFTP
and want to only allow the data center's local net and
only those, by IP, that I allow to access the box over the
Internet. Port 80 and 443 should be open to everyone.
I'm hoping someone or a couple of people can look at what
I have written and give me some feedback. I've already
locked myself out of one server so I would like to avoid
that again.
Thanks in advance for your help!
- - - - - - -
#!/bin/bash
#
# iptables configuration for xxxxxxxxxxx
#------
# Flush all current rules from iptables
iptables -F
# Drop all forwarded packets
iptables -P FORWARD DROP
# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT
# Port 80 for everyone
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Port 443 for everyone
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# No SMTP/POP/MySql/Named ... ETC
# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------------------------------------
# Allow SSH/FTP connections on tcp port 22 for only those we want to FTP or SSH into the box
#---------------------------------------------------------------------------------------------
#Data center Local network
iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT
#User 1
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
#user 2
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
#user 3
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
#---------------------------------------------------------------------------------
# - - - - Add additional consultants here and run script again - - - - -
#---------------------------------------------------------------------------------
# Data Center Staff from outside
iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
#-----------------------------------------------------------------------------
# - - - - Add additional Data Center staff here and run script again - - - - -
#-----------------------------------------------------------------------------
# Allow all outbound traffic
iptables -P OUTPUT ACCEPT
# Drop everything else
iptables -P INPUT DROP
# Save settings
/sbin/service iptables save
# List rules
iptables -L -v
------------------------
Keith Smith
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
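Keith's script and Richard's SSHACS chain, combined into one re-runnable script. This is an added example, not code posted by either of them: the IPTABLES variable, the dry-run mode, the function names, the explicit DROP at the end of the chain, and the RFC 5737 sample addresses in SSH_SOURCES are this example's own choices. It also addresses the lockout worry from the original post by opening the INPUT policy before flushing and closing it only after every ACCEPT rule is back in place.

```shell
#!/bin/sh
# Added example, not code from either poster: Keith's script restructured
# around Richard's SSHACS chain. Re-runnable, and it never leaves the INPUT
# chain with a DROP policy and no rules while it rebuilds.
#
# IPTABLES names the command to run. It defaults to the real binary; set
# IPTABLES=echo to print the rules instead of loading them (dry run).
IPTABLES="${IPTABLES:-iptables}"

# SSH allow-list: the data center's local net plus individual admin addresses.
# The two public addresses are constructed placeholders (RFC 5737 ranges).
SSH_SOURCES="192.168.100.0/28 198.51.100.10 203.0.113.25"

# Build (or rebuild) the SSHACS chain from SSH_SOURCES.
ssh_chain_setup() {
    # -N fails if the chain already exists, which is fine on a re-run.
    $IPTABLES -N SSHACS 2>/dev/null || true
    # Empty the chain so a re-run replaces the list instead of appending
    # duplicates after it.
    $IPTABLES -F SSHACS
    for src in $SSH_SOURCES; do
        $IPTABLES -A SSHACS -s "$src" -j ACCEPT
    done
    # Explicit drop at the end. Without it a non-matching packet would return
    # to INPUT and meet the DROP policy anyway, but this makes it visible.
    $IPTABLES -A SSHACS -j DROP
}

# Load the complete INPUT policy.
apply_rules() {
    # Open the policy before flushing, so the SSH session running this script
    # is not cut off between the flush and the ESTABLISHED rule below.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections this host already has, so this sits first.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Web ports open to everyone.
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
    # SSH/SFTP: one jump into the allow-list chain (Richard's suggestion);
    # non-SSH traffic never evaluates the per-address rules.
    ssh_chain_setup
    $IPTABLES -A INPUT -p tcp --dport 22 -j SSHACS

    # Close the door last, once every ACCEPT rule is in place.
    $IPTABLES -P INPUT DROP
}

# Usage:  sh firewall.sh apply               (as root, then save as before)
#         IPTABLES=echo sh firewall.sh apply  (dry run: print the rules)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run the dry-run form first and read the printed rule list; the only thing that should differ from Keith's original is that the per-address lines live in SSHACS and INPUT carries a single `--dport 22` jump. Saving the result is unchanged from the original post (`/sbin/service iptables save`).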