Interesting thought! Thank you Joseph!
------------------------
Keith Smith
--- On Wed, 5/11/11, Joseph Sinclair <
plug-discussion@stcaz.net> wrote:
From: Joseph Sinclair <
plug-discussion@stcaz.net>
Subject: Re: IPTables on LAMP server in data center
To: "Main PLUG discussion list" <
plug-discuss@lists.plug.phoenix.az.us>
Date: Wednesday, May 11, 2011, 10:42 PM
You could also use tcp wrappers for this, and that's a bit faster, not to mention simpler.
Note: this setup will end up locking out all communication not specifically listed in hosts.allow; so make sure hosts.allow is correct before modifying hosts.deny.
It's best to enable something like telnet temporarily while working on the SSH controls, just in case you lock yourself out.
In hosts.allow:
sshd:ip.ad.dr.ess/NN (local net, ip address + netmask in CIDR notation)
sshd:ip.ad.dr.ess (specific internet host, repeat as needed)
httpd: ALL
In hosts.deny:
ALL: ALL
On 05/11/2011 07:52 PM, Richard Wilson wrote:
> Keith,
>
> What you have is fine and will work, but here's something that will make it faster and more maintainable:
>
> # Create an SSH Access Table
> iptables -N SSHACS
>
> Right before your "#Data center Local network" line, put:
>
> # Handle SSH Traffic
> iptables -A INPUT -p tcp --dport 22 -j SSHACS
>
> Then for each IP you want to grant SSH Access to:
> iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT
>
> This is faster because it won't got through each rule for non-SSH traffic. Splitting similar rules like this can be a big help in complex rule sets.
>
> HTH,
>
> Richard Wilson
> ---------------------------------------------------------------
> On 05/11/2011 07:24 PM, keith smith wrote:
>>
>> Hi,
>>
>> I'm rather new to IPTables. I've written a shell script to update and save the IPTables on a web server that only has HTTPD, SSL, Secured FTP, and SSH available.
>>
>> I need to be able to access the server via SSH and SFTP and want to only allow the data center's local net and only those, by IP, that I allow to access the box over the Internet. Port 80 and 443 should be open to everyone.
>>
>> I'm hoping someone or a couple of people can look at what I have written and give me some feedback. I've already locked myself out of one server so I would like to avoid that again.
>>
>> Thanks in advance for your help!
>>
>> - - - - - - -
>>
>> #!/bin/bash
>> #
>> # iptables configuration for xxxxxxxxxxx
>> #------
>> # Flush all current rules from iptables
>> iptables -F
>>
>> # Drop all forwarded packets
>> iptables -P FORWARD DROP
>>
>> # Set access for localhost
>> iptables -A INPUT -i lo -j ACCEPT
>>
>> # Port 80 for everyone
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>
>> # Port 443 for everyone
>> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>>
>> # No SMTP/POP/MySql/Named ... ETC
>>
>> # Accept packets belonging to established and related connections
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> #---------------------------------------------------------------------------------------------
>> # Allow SSH/FTP connections on tcp port 22 for only those we want to FTP or SSH into the box
>> #---------------------------------------------------------------------------------------------
>>
>> #Data center Local network
>> iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT
>>
>> #User 1
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #user 2
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #user 3
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #---------------------------------------------------------------------------------
>> # - - - - Add additional consultants here and run script again - - - - -
>> #---------------------------------------------------------------------------------
>>
>> # Data Center Staff from outside
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #-----------------------------------------------------------------------------
>> # - - - - Add additional Data Center staff here and run script again - - - - -
>> #-----------------------------------------------------------------------------
>>
>>
>> # Allow all outbound traffic
>> iptables -P OUTPUT ACCEPT
>>
>> # Drop everything else
>> iptables -P INPUT DROP
>>
>>
>> # Save settings
>> /sbin/service iptables save
>>
>> # List rules
>> iptables -L -v
>>
>>
>> ------------------------
>> Keith Smith
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
-----Inline Attachment Follows-----
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss