What I did first was to drop all defaults installed:

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

Then I edited to allow ports I want open:

  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT

I followed the same guideline for OUTPUT, so my tables look something like:

  iptables -L INPUT
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

I guess the question now is: is this sufficient security? I'm only running 3 applications on the server: exim, squirrelmail and apache (basically a web and mail server).

nmapping my IP shows:

  (The 1542 ports scanned but not shown below are in state: closed)
  Port       State       Service
  9/tcp      open        discard
  13/tcp     open        daytime
  22/tcp     open        ssh
  25/tcp     open        smtp
  37/tcp     open        time
  80/tcp     open        http
  111/tcp    open        sunrpc
  113/tcp    open        auth
  143/tcp    open        imap2
  220/tcp    open        imap3
  515/tcp    open        printer
  1024/tcp   open        kdm

Which of these should I worry about (if any)?

On Wed, 4 Jun 2003, Bernd Eckenfels wrote:

> On Tue, Jun 03, 2003 at 10:37:38PM -0700, Richard Cochinos wrote:
> > This is a very simple server - X hasn't been installed - so any GUI
> > interfaces won't help me. Ideally I want only to open 4 ports 22,25,80 and
> > 443.
>
> Well, you can use "netstat -lpetu" (as root) to see the open ports on the
> system. If ssh, smtp and web are the only open ports, there is actually no
> need for a firewall.
>
> If you want to be sure, nobody can expose additional ports of the system,
> you can use a simple ipchains script with 4+1 accept rules and deny
> everything else. No need for a firewall builder package or anything else to
> protect a host which is no router.
>
> Greetings
> Bernd

-richard
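A stateful version of the ruleset discussed above, as an added example that is not part of the original thread. It keeps the four published ports and the DROP policies but adds the loopback and ESTABLISHED,RELATED rules that dport-only OUTPUT rules lack, since the server's replies leave with a source port of 22/25/80/443 and would otherwise be dropped; it assumes root and iptables with the conntrack match, and IPT=echo prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original thread. Stateful host firewall for a
# mail+web box: only TCP 22, 25, 80, 443 reachable from outside, loopback and
# reply traffic allowed, everything else dropped and logged.
# Assumes root and iptables with the conntrack match; IPT=echo dry-runs.
IPT="${IPT:-iptables}"
ALLOW_TCP_IN="22 25 80 443"

apply_rules() {
    # Clean slate, then default-deny on every chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Local processes talking to each other (e.g. squirrelmail to a local IMAP).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Packets of connections already accepted. Without this an OUTPUT DROP
    # policy kills the server's own replies: they leave with a *source* port
    # of 22/25/80/443, so --dport rules on OUTPUT never match them.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New inbound connections only to the four published services.
    for port in $ALLOW_TCP_IN; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Connections the server itself must open: DNS, and exim delivering mail.
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

    # Rate-limited log of drops so a broken service shows in syslog
    # instead of as a silent timeout.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
}

# What is actually listening, independent of the firewall (Bernd's check).
list_listeners() {
    ss -ltnup 2>/dev/null || netstat -lpetu
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

The nmap listing shows far more than the four intended ports (inetd's discard/daytime/time, portmap on 111, lpd on 515, the IMAP daemons); the firewall hides them from the network, but the durable fix is to stop those daemons, which list_listeners lets you confirm from the host itself.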

