Hello,

Arturo Borrero Gonzalez wrote:
> 2012/2/15 Raven <[email protected]>:
>> I need some help in designing a simple iptables ruleset for a small
>> server I have recently set up.
>>
>> It's a VPS so the primary interface is venet0 with a public ip. The
>> server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
>>
>> There is obviously no need for NAT or packet forwarding. All outbound
>> traffic should be allowed while inbound data is to be accepted only on
>> ports 80, 443, 25, 587 and 1194 (tcp,udp).
>>
>> Could you give me a rough idea of what a firewall script should look
>> like?
>
> Depending on what kind of complexity you want, you could use a few
> iptables lines added at some place like /etc/rc... or somewhere..
>
> like: (this one is valid)
>
> ## flush old rules
> iptables -F
> # rules
> iptables -t filter -A INPUT -i venet0 -d your_public_ip \
> -p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t filter -A INPUT -i venet0 -d your_ip \
> -p udp --sport 1024: --dport 1194 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> # default policy
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT DROP
> ##
Some parts are missing.

- Port 1194 (openvpn) should be accepted for TCP too.

- Local host traffic on the loopback interface should be accepted.

  iptables -A INPUT -i lo -j ACCEPT

- Incoming return traffic for outgoing connections (e.g. DNS replies)
  should be accepted.

- Incoming related ICMP messages should be accepted. You want to know about
  network problems such as when a host is unreachable or a packet is too
  big, don't you?

For those two requirements, just add the usual rule:

  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And you can remove the now redundant ESTABLISHED state from other rules.
Note that you can also remove the whole state match in the UDP rule as a
UDP packet cannot be in the INVALID state (UDP has no real state).

- Some incoming traffic (TBD) on the tunnel interface created by openvpn
  should probably be accepted too, otherwise the VPN won't be very useful.

> · Ipv6 use, or support?

Just use the same commands with ip6tables instead of iptables.
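The ruleset the reply describes, assembled into one script as an added example (this is not code posted in the thread). It assumes the public interface is venet0 and that OpenVPN creates a tun0 interface; both are overridable. The ip6tables part additionally accepts ICMPv6, which the thread does not mention but which an INPUT DROP policy would otherwise block (neighbour discovery is ICMPv6). Running it with the argument `show`, or with `DRY_RUN=1`, prints the commands instead of executing them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: public interface
# venet0, OpenVPN tunnel interface tun0, port 1194 on both TCP and UDP.
set -eu

PUB_IF="${PUB_IF:-venet0}"   # assumption: VPS public interface
VPN_IF="${VPN_IF:-tun0}"     # assumption: interface created by openvpn
DRY_RUN="${DRY_RUN:-0}"      # 1 = print commands instead of running them

# run CMD...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ruleset IPT: emit the INPUT rules for one address family.
# IPT is "iptables" or "ip6tables"; the rules are the same, as the reply says.
ruleset() {
    ipt="$1"
    run "$ipt" -F INPUT
    # default policies: drop unsolicited inbound, allow everything outbound
    run "$ipt" -P INPUT DROP
    run "$ipt" -P OUTPUT ACCEPT
    # local host traffic on the loopback interface
    run "$ipt" -A INPUT -i lo -j ACCEPT
    # return traffic for our own outgoing connections (e.g. DNS replies)
    # and related ICMP errors (host unreachable, fragmentation needed)
    run "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # public services; ESTABLISHED is now covered by the rule above, and
    # 1194 is included for OpenVPN over TCP
    run "$ipt" -A INPUT -i "$PUB_IF" -p tcp -m multiport \
        --dports 25,80,443,587,1194 -m state --state NEW -j ACCEPT
    # OpenVPN over UDP: no state match, UDP has no real state
    run "$ipt" -A INPUT -i "$PUB_IF" -p udp --dport 1194 -j ACCEPT
    # traffic arriving through the VPN tunnel (assumption: the tunnel is trusted;
    # narrow this to the services the VPN clients actually need)
    run "$ipt" -A INPUT -i "$VPN_IF" -j ACCEPT
    # IPv6 needs ICMPv6 for neighbour discovery, which a DROP policy would block
    if [ "$ipt" = "ip6tables" ]; then
        run "$ipt" -A INPUT -p icmpv6 -j ACCEPT
    fi
}

case "${1:-}" in
    apply) ruleset iptables; ruleset ip6tables ;;
    show)  DRY_RUN=1; ruleset iptables; ruleset ip6tables ;;
esac
```

Apply with `sh firewall.sh apply` as root, or review first with `sh firewall.sh show`. The tun0 rule is deliberately the broadest one here; once the "TBD" traffic from the thread is known, replace it with explicit port rules.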

