Linode Community Forums
cattani
Joined: 01 Jan 2008
Posts: 15
Posted: Sat Jun 28, 2008 1:29 pm    Post subject: iptables - is this a good ruleset?
is this a good ruleset for a server that has to block anything but http, https, smtp, imap, ssl, openvpn (i xxx'ed ssl and openvpn as i put them on non-standard ports, which helped a lot against some idiots' attacks)? the two subnets i blocked additionally were bugging me with continuous relay trials. i am asking because i am not sure about the forwarding rules and those lines i posted at the end. thx!
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 123-204-0-0.dynamic.seed.net.tw/16 anywhere
DROP all -- 118-167-0-0.dynamic.hinet.net/16 anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xxxx
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xxxxxx
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Code:
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
--> don't know why webmin is adding this, i never use webmin to configure iptables...
irgeek
Joined: 21 Jun 2003
Posts: 99
Location: Denver, CO
Posted: Sat Jun 28, 2008 6:02 pm
I will preface this by saying that I don't bother with iptables--I just don't have services listening on ports I don't want open. However, after a quick glance at the ports you have open I'd suggest two things completely unrelated to iptables:
1) Configure your SMTP server with TLS and AUTH and have it listen on the submission port (587). There are a lot of ISPs in the world that block outbound connections on port 25. I have yet to encounter one that blocks submission, but just as a safeguard I also have Postfix listen on port 2525 in case I find one someday. This will allow users to send email from anywhere without issues.
2) I noticed you have a service listening on the imap port. I would strongly recommend enabling TLS for imap as well since, without it, everything goes across the wire in the open. This may not seem like a problem, but if your users are like mine they sometimes do email from Internet cafes and places like that. TLS will ensure that a malicious user can't intercept that data.
TLS, obviously, requires a certificate. If you have a small enough number of users you can use a self-signed certificate and distribute it to them. If you have more than a handful of users, there are several places that will supply you a certificate for very little money. I use namecheap.com for my domains and I have heard good things about their certificates.
Anyway, I don't really have anything to add to your iptables rules, but securing services is a pretty good idea.
--James
MrRx7
Joined: 21 May 2008
Posts: 26
Location: Austin, Tx
Posted: Sun Jun 29, 2008 1:14 pm
Mine is a bit restrictive, but I only have 2 services that need external access. The code below is just the rules for dropping bad packets to protect the server.
Code:
Chain bad_tcp_packets (1 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `fp=bad_tcp_packets:1 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `fp=bad_tcp_packets:2 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:3 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `fp=bad_tcp_packets:4 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:5 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST LOG level warning prefix `fp=bad_tcp_packets:6 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `fp=bad_tcp_packets:7 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
RETURN tcp -- anywhere anywhere
Chain fail2ban-ssh (2 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
Chain icmp_packets (1 references)
target prot opt source destination
LOG icmp -f anywhere anywhere LOG level warning prefix `fp=icmp_packets:1 a=DROP '
DROP icmp -f anywhere anywhere
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
RETURN icmp -- anywhere anywhere
Chain tcp_inbound (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
the fail2ban-ssh chain was set up by fail2ban, which I highly recommend installing.
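As an added example (not part of MrRx7's post), the following Python models how iptables evaluates the `--tcp-flags MASK COMP` matches in the bad_tcp_packets chain above: a rule fires when `(flags & MASK) == COMP`, a leading `!` inverts that, and rule 1 is additionally gated on conntrack state NEW. The rule table is transcribed from the chain output; the sample packets and their conntrack states are constructed for the demonstration.

```python
"""Model of iptables '--tcp-flags MASK COMP' matching for the bad_tcp_packets chain above.
A rule matches when (flags & MASK) == COMP; a leading '!' inverts the result."""
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def flags_to_bits(names):
    """'FIN,SYN' -> 0x03; the keywords NONE and ALL are also accepted."""
    if names == "NONE":
        return 0
    if names == "ALL":
        return 0x3F
    return sum(FLAG_BITS[n] for n in names.split(","))

def tcp_flags_match(flags, spec, negate=False):
    """Apply one 'MASK/COMP' spec (optionally negated) to a packet's flag bits."""
    mask, comp = spec.split("/")
    hit = (flags & flags_to_bits(mask)) == flags_to_bits(comp)
    return not hit if negate else hit

# (rule number, negated, MASK/COMP, only checked in conntrack state NEW), from the chain above.
BAD_TCP_RULES = [
    (1, True, "FIN,SYN,RST,ACK/SYN", True),   # NEW flow that does not start with a bare SYN
    (2, False, "FIN,SYN,RST,PSH,ACK,URG/NONE", False),  # no flags at all (NULL probe)
    (3, False, "FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG", False),  # every flag set
    (4, False, "FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG", False),
    (5, False, "FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG", False),
    (6, False, "SYN,RST/SYN,RST", False),  # SYN and RST together are never legitimate
    (7, False, "FIN,SYN/FIN,SYN", False),  # neither are SYN and FIN
]

def first_matching_rule(flags, state):
    """Number of the first LOG/DROP pair that fires, or None when the chain RETURNs."""
    for num, negate, spec, only_new in BAD_TCP_RULES:
        if only_new and state != "NEW":
            continue
        if tcp_flags_match(flags, spec, negate):
            return num
    return None

# Constructed sample packets: (description, flag bits, conntrack state).
SAMPLES = [
    ("plain SYN opening a connection", FLAG_BITS["SYN"], "NEW"),
    ("lone ACK with no conntrack entry", FLAG_BITS["ACK"], "NEW"),
    ("all six flags set", 0x3F, "INVALID"),
    ("SYN+RST on a tracked flow", FLAG_BITS["SYN"] | FLAG_BITS["RST"], "ESTABLISHED"),
    ("ordinary PSH+ACK data segment", FLAG_BITS["PSH"] | FLAG_BITS["ACK"], "ESTABLISHED"),
]

if __name__ == "__main__":
    for desc, flags, state in SAMPLES:
        print(f"{desc:36} -> rule {first_matching_rule(flags, state)}")
```

Note that a lone ACK is only dropped by rule 1 when conntrack has no entry for it (state NEW); the same segment on an ESTABLISHED flow passes straight through to RETURN.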