IPTables on LAMP server in data center

keith smith klsmith2020 at yahoo.com
Thu May 12 11:30:40 MST 2011


Thanks Richard!


------------------------

Keith Smith

--- On Wed, 5/11/11, Richard Wilson <relw at mchsi.com> wrote:

From: Richard Wilson <relw at mchsi.com>
Subject: Re: IPTables on LAMP server in data center
To: "Main PLUG discussion list" <plug-discuss at lists.plug.phoenix.az.us>
Date: Wednesday, May 11, 2011, 7:52 PM

    Keith,

    What you have is fine and will work, but here's something that will
    make it faster and more maintainable:

    # Create an SSH Access Table
    iptables -N SSHACS

    Right before your "#Data center Local network" line, put:

    # Handle SSH Traffic
    iptables -A INPUT -p tcp --dport 22 -j SSHACS

    Then for each IP you want to grant SSH Access to:

    iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT

    This is faster because it won't go through each rule for non-SSH
    traffic.  Splitting similar rules like this can be a big help in
    complex rule sets.

    HTH,

    Richard Wilson

    ---------------------------------------------------------------

    On 05/11/2011 07:24 PM, keith smith wrote:

        Hi,

        I'm rather new to IPTables.  I've written a shell script
        to update and save the IPTables on a web server that only
        has HTTPD, SSL, Secured FTP, and SSH available.

        I need to be able to access the server via SSH and SFTP
        and want to only allow the data center's local net and
        only those, by IP, that I allow to access the box over the
        Internet.  Port 80 and 443 should be open to everyone.

        I'm hoping someone or a couple of people can look at what
        I have written and give me some feedback.  I've already
        locked myself out of one server so I would like to avoid
        that again.

        Thanks in advance for your help!

        - - - - - - -

        #!/bin/bash
        #
        # iptables configuration for xxxxxxxxxxx
        #------
        # Flush all current rules from iptables
        iptables -F

        # Drop all forwarded packets
        iptables -P FORWARD DROP

        # Set access for localhost
        iptables -A INPUT -i lo -j ACCEPT

        # Port 80 for everyone
        iptables -A INPUT -p tcp --dport 80 -j ACCEPT

        # Port 443 for everyone
        iptables -A INPUT -p tcp --dport 443 -j ACCEPT

        # No SMTP/POP/MySql/Named ... ETC

        # Accept packets belonging to established and related connections
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        #---------------------------------------------------------------------
        # Allow SSH/FTP connections on tcp port 22 for only those
        # we want to FTP or SSH into the box
        #---------------------------------------------------------------------

        #Data center Local network
        iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT

        #User 1
        iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

        #user 2
        iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

        #user 3
        iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

        #---------------------------------------------------------------------
        # - - - - Add additional consultants here and run script again - - - -
        #---------------------------------------------------------------------

        # Data Center Staff from outside
        iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT

        #---------------------------------------------------------------------
        # - - - - Add additional Data Center staff here and run script again - - - -
        #---------------------------------------------------------------------

        # Allow all outbound traffic
        iptables -P OUTPUT ACCEPT

        # Drop everything else
        iptables -P INPUT DROP

        # Save settings
        /sbin/service iptables save

        # List rules
        iptables -L -v

        ------------------------
        Keith Smith

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
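Richard's SSHACS suggestion applied to the whole of Keith's script, as an added example that is not code from either poster. IPT defaults to "echo iptables" so the script prints the rules it would apply instead of applying them; the two public addresses in SSH_ALLOW are constructed sample values, and the `-P INPUT ACCEPT` before the flush is an addition here, meant to avoid the lock-out Keith describes when the script is re-run over SSH.

```shell
#!/bin/sh
# Added example: Keith's ruleset rebuilt around Richard's SSHACS chain.
# IPT defaults to "echo iptables", so running this prints the rules it
# would apply; run as root with IPT=/sbin/iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Sources allowed to reach port 22, one per word. 192.168.100.0/28 is the
# data-centre LAN from the original post; the other two are constructed
# sample values standing in for the 999.999.999.999 placeholders.
SSH_ALLOW="192.168.100.0/28 203.0.113.10/32 198.51.100.0/24"

# Build the SSHACS chain: one ACCEPT per source, then an explicit DROP so
# SSH from anywhere else is decided inside the chain, not by INPUT's policy.
build_sshacs() {
    $IPT -N SSHACS
    for src in $SSH_ALLOW; do
        $IPT -A SSHACS -s "$src" -j ACCEPT
    done
    $IPT -A SSHACS -j DROP
}

# Dry-run the chain builder and count its ACCEPT rules, so the address list
# can be checked against what you expect before anything is applied.
count_sshacs_accepts() {
    ( IPT="echo iptables"; build_sshacs ) | grep -c -- '-A SSHACS .* -j ACCEPT'
}

apply_ruleset() {
    # Open the INPUT policy before flushing: if a previous run left it at
    # DROP, -F alone would leave the live SSH session unmatched until the
    # ESTABLISHED rule is re-added.
    $IPT -P INPUT ACCEPT
    $IPT -F
    $IPT -X SSHACS 2>/dev/null       # remove the chain left by a previous run
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
    build_sshacs
    $IPT -A INPUT -p tcp --dport 22 -j SSHACS   # only port 22 walks SSHACS
    $IPT -P INPUT DROP
}

apply_ruleset
```

Adding a consultant is now one address appended to SSH_ALLOW rather than a copied INPUT rule, and non-SSH packets never touch the per-address rules.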