2012/2/15 Raven <[email protected]>:
> Hi guys.
> I need some help in designing a simple iptables ruleset for a small
> server I have recently set up.
>
> It's a VPS so the primary interface is venet0 with a public ip. The
> server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
>
> There is obviously no need for NAT or packet forwarding. All outbound
> traffic should be allowed while inbound data is to be accepted only on
> ports 80, 443, 25, 587 and 1194 (tcp,udp).
>
> Could you give me a rough idea of what a firewall script should look
> like?
>
> Thanks
>
> -RV
>
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact [email protected]
> Archive: http://lists.debian.org/[email protected]
>
Hi there,

Depending on what kind of complexity you want, you could use a few
iptables lines added at some place like /etc/rc... or somewhere.. like:
(this one is valid)

    ## flush old rules
    iptables -F

    # rules
    iptables -t filter -A INPUT -i venet0 -d your_public_ip \
        -p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -t filter -A INPUT -i venet0 -d your_public_ip \
        -p udp --sport 1024: --dport 1194 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # default policy
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP

    ## Or use the same schema, but using a rule for each connection, like:
    iptables -t filter -A INPUT -i venet0 -d your_public_ip \
        -p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -t filter -A INPUT -i venet0 -d your_public_ip \
        -p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    etc..

(using that you will see some usage statistics)

Or you could use a more complex schema, using in detail the 'state'
module or even managing per-packet-per-protocol flags.

I think if you give me more details about the environment of the
server, I could help you by being more explicit. For example:

 · IPv6 use, or support?
 · Complex firewall as a service management?
 · How many clients are going to use the server?
 · What about the scalability factor? Do you plan to expand the server
   in the future?
 · Is the server in your house or is it a testing server, so
   availability and security could be forgiven in favor of a quick
   setting?

regards.

-- 
/* Arturo Borrero Gonzalez || [email protected] */
/* Use debian gnu/linux! Best OS ever! */

Archive: http://lists.debian.org/CAPfcJasFyE-rsfOgbfYCtSfC-K=wszvorsp-a1a_16cgndu...@mail.gmail.com
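An added example, not Arturo's script or anything posted in the thread: a complete ruleset for the requirements Raven listed, written in iptables-restore format so it loads atomically and can be syntax-checked with `iptables-restore --test` before it touches the running firewall. It assumes the OpenVPN tunnel interface is tun0 and uses 203.0.113.10 as a constructed placeholder for the public address. Beyond the per-port rules in the reply above it adds the loopback and ESTABLISHED,RELATED rules that an INPUT DROP policy needs; without them replies to the server's own outbound connections (DNS lookups, package downloads, outgoing mail) are dropped, because they arrive on ports the per-port rules never match.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables-restore ruleset for
# the setup described by Raven: public interface venet0, OpenVPN serving
# 172.16.0.0/24, inbound only on 80/443/25/587 (tcp) and 1194 (tcp+udp),
# all outbound allowed. Assumptions: the OpenVPN tunnel interface is tun0
# and the public address is passed in (203.0.113.10 used in the usage note
# is a constructed placeholder, not an address from the thread).

gen_firewall_rules() {
    public_ip="$1"
    vpn_if="${2:-tun0}"
    # iptables-restore replaces the whole table in one step, so there is no
    # window where the old rules are flushed and nothing is loaded yet.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local services (MTA, resolver) talk to themselves over loopback
-A INPUT -i lo -j ACCEPT
# replies to connections the server itself opened (DNS, apt, SMTP relay);
# without this rule the INPUT DROP policy breaks every outbound connection
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# rate-limited ping; ICMP error messages already arrive as RELATED
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# published services: only NEW connections need explicit rules now
-A INPUT -i venet0 -d $public_ip -p tcp -m multiport --dports 80,443,25,587,1194 -m state --state NEW -j ACCEPT
-A INPUT -i venet0 -d $public_ip -p udp --dport 1194 -m state --state NEW -j ACCEPT
# VPN clients may reach the server over the tunnel
-A INPUT -i $vpn_if -s 172.16.0.0/24 -j ACCEPT
COMMIT
EOF
}

# Static check that needs no root: every ACCEPT rule bound to venet0 must
# name only the published ports. Returns 0 when that holds, 1 otherwise.
check_ruleset() {
    ! printf '%s\n' "$1" | grep -- '-i venet0' | grep -- 'ACCEPT' \
        | grep -v -- '--dports 80,443,25,587,1194' \
        | grep -v -q -- '--dport 1194'
}

# Usage: sh firewall.sh <public-ip> [vpn-if]        -> print the ruleset
#        sh firewall.sh <public-ip> [vpn-if] apply  -> validate, then load it
if [ -n "${1:-}" ]; then
    rules=$(gen_firewall_rules "$1" "${2:-tun0}")
    if [ "${3:-}" = "apply" ]; then
        # --test parses the whole file first, so a typo never half-applies
        printf '%s\n' "$rules" | iptables-restore --test \
            && printf '%s\n' "$rules" | iptables-restore
    else
        printf '%s\n' "$rules"
    fi
fi
```

Run `sh firewall.sh 203.0.113.10` to inspect the generated ruleset, then `sh firewall.sh 203.0.113.10 tun0 apply` as root to load it; `check_ruleset` is there so a later edit that opens an extra port on venet0 is caught before anything is applied. Matching on both `-i venet0` and the public address keeps the tunnel traffic on its own rule, so the 172.16.0.0/24 clients never touch the public-port list.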

