Guest
Posted: Sun Nov 20, 2005 12:28 am
Post subject: IPTABLES for my webserver
Hi everyone,
I'm kind of new to iptables but I have read a lot on the matter. I would like
to know if my iptables rules are right. I will show you and explain how
my network is organised.
NETWORK
Modem (ADSL) Dlink Router Web apache server
____ ____ _______
|____|--------------------------|____|-----------------| |
____ | \ ____ |______|
|____| |___|
comp1 comp2
Dlink router ip address :192.168.0.1
Comp1 ip address :192.168.0.15
Comp2 ip address :192.168.0.16
Web server ip address (debian) :192.168.0.130
CASE:
- My router forwards all requests made on ports 80 and 443 to the web
server (192.168.0.130). I would like the web server to accept only
those 2 kinds of request coming from the router (even if the router only
sends those).
- Only the 2 computers can connect to the web server via SSH (22).
- Another thing that would be nice is to use the mangle table to put a
priority on all requests coming from ports 80 and 443. But I think this
kind of rule should be made on the router ...
SCRIPT
######################################################################
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
####### LOCALHOST #######
iptables -t filter -A OUTPUT -o lo -p all -j ACCEPT
iptables -t filter -A INPUT -i lo -p all -j ACCEPT
####### LAN #######
# Network
iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.15 -p all --sport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.15 -d 192.168.0.130 -p all --sport 22 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.16 -p all --sport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.16 -d 192.168.0.130 -p all --sport 22 -j ACCEPT
# broadcast (maybe it's not a good idea)
#iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.255 -p all -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -s 192.168.0.255 -d 192.168.0.130 -p all -j ACCEPT
####### INTERNET #######
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.30 -d 192.168.0.1 -p all --sport 80, 443 -m state --state ! INVALID -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.30 -d 192.168.0.1 -p all --sport 80, 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
######################################################################
But when I use this script, my website is down. I'm new to this, so
maybe I made some huge mistake hehe.
Any help would be appreciated, ty.

Duane Arnold
Guest

Robert
Guest
Posted: Sun Nov 20, 2005 1:46 am
Post subject: Re: IPTABLES for my webserver
On Sat, 19 Nov 2005 10:28:03 -0800, joe10001 wrote:
> Hi everyone,
> I'm kind of new to iptables but I read a lot on the matter.
Well that is a good start. Since you are running a web server that is
accessed from the outside I hope you have secured it too. The following
setup should get you up and running, but you are going to have to figure
out what you need open and how to open it.
# Load needed modules
#####################
# Only uncomment if you need FTP from this server
#modprobe ip_conntrack_ftp
# Clear all Tables
##################
iptables -F
iptables -X
iptables -Z
#Set Default Policy
###################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback setup
################
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Inbound connections
#####################
# Replies to connections already accepted come first
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections to the web ports from anywhere
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# New SSH connections only from the two local PCs
iptables -A INPUT -p tcp -s 192.168.0.15/32 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.16/32 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
#Outbound connection
####################
# Only replies to accepted connections leave the server
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP
> -Another thing that would be nice is to use the mangle table to put a
> priority on all request coming from 80 and 443 ports . But I think this
> kind of rules should be made on the router ...
Well, since you only allow port 22 from the 2 local PCs, do you really
think you need this? I think not.
> but when I use this script, my website is down. I'm new to this so
> maybe I made some huge mistake hehe
> any help would be appreciated ty
Well the above should get you started.
--
Regards
Robert
Smile... it increases your face value!
----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
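As an added example (not Robert's script and not the original poster's), here is a ruleset for the setup described in the thread, written as a script that prints the iptables commands so they can be reviewed before being applied as root. It combines the poster's requirements (web ports open, SSH only from the two LAN hosts) with the stateful ESTABLISHED,RELATED approach of Robert's draft, and avoids the two mistakes in the first script: ports are matched with --dport on the server side rather than --sport, and every port match names a protocol (-p tcp), since iptables rejects --dport with -p all. The addresses come from the thread; the interface name eth0, the LOG rule and the apply/print switch are assumptions. One caveat on the requirement to accept web traffic "only from the router": a port forward on the router is a destination NAT, so unless the router also rewrites the source address (SNAT), packets arrive on the server with the remote visitor's source address, not 192.168.0.1, and a -s 192.168.0.1 match would refuse every outside visitor. Restricting by incoming interface and destination port is what the server can actually enforce.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the rules by default; applies
# them only when run as root with the argument "apply".
# Assumed values (taken from the thread): server 192.168.0.130 on eth0,
# admin hosts 192.168.0.15 and 192.168.0.16.
SERVER_IP=192.168.0.130
IFACE=eth0
ADMIN_HOSTS="192.168.0.15 192.168.0.16"
WEB_PORTS="80 443"

# Emit the full ruleset, one iptables command per line.
gen_rules() {
    # Start from a clean filter table with a deny-by-default policy.
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -Z"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Loopback must be open or local services (and the resolver) break.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Stateful rules: replies to accepted connections pass in both directions.
    # The state names must be spelled exactly (ESTABLISHED, not ESTABLICHED).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Web traffic: match the server's destination port, with an explicit protocol.
    for port in $WEB_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp -d $SERVER_IP --dport $port -m state --state NEW -j ACCEPT"
    done
    # SSH: new connections only from the admin hosts.
    for host in $ADMIN_HOSTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp -s $host -d $SERVER_IP --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Anything else on INPUT falls through to the DROP policy; log a rate-limited
    # sample first so refused traffic shows up in the kernel log while debugging.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables drop: \""
}

# Count generated rules matching a pattern; handy for a pre-apply sanity check.
count_rules() {
    gen_rules | grep -c -- "$1"
}

if [ "$1" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; exit 1; }
    gen_rules | sh -e
else
    gen_rules
fi
```

Run the script without arguments to review the commands, then with `apply` as root. Because OUTPUT only allows established and related traffic, the server cannot open connections of its own (DNS lookups, apt updates); those need explicit OUTPUT rules if the server is to initiate them.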

Guest
Posted: Mon Nov 21, 2005 3:39 pm
Post subject: Re: IPTABLES for my webserver
Ty very much for helping me and for the advice to secure my webserver.
Robert, I corrected the few syntax mistakes in your script and tried
it. I spent a lot of time trying to make it work but it still doesn't. At first,
when I run this script, I can't access my web server anymore via putty
(SSH). Also, each time these rules are applied my web site goes down.
I will keep working on it today; any help would be greatly appreciated.
Ty again all

Robert
Guest
Posted: Tue Nov 22, 2005 9:22 am
Post subject: Re: IPTABLES for my webserver
On Mon, 21 Nov 2005 01:39:27 -0800, joe10001 wrote:
> Ty very much for helping me and for advices to secure my webserver.
You are welcome.
> Robert, I corrected the few syntax mistakes of your script and I tried
Sorry about that. Should learn to do one thing at a time.
> it. I passed a lot of time to make it works but it still not. At first,
> when I run this script, I can't access my web server anymore via putty
> (SSH). Also, each time this rules arre applied my web site become down.
OK, start the firewall and run this on the web server:
iptables -L -v -n > myfirewall
Then post the contents of this file for me to look at.
I don't understand why the web server is down when these rules are applied.
Are these rules being applied to the web server or another system?
--
Regards
Robert
Smile... it increases your face value!
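The listing Robert asks for is useful because `iptables -L -v -n` shows per-rule packet counters. Two readings of it answer the question in this thread: which DROP rule or DROP policy is swallowing packets, and which ACCEPT rules have never matched anything (a rule written with --sport instead of --dport sits at zero while the site stays down). The script below, an added example not taken from the thread, reads such a listing from standard input and reports both. The listing embedded in it is constructed to resemble a server running Robert's ruleset with the web rule written against the source port; the counter values are made up.

```shell
#!/bin/sh
# Added example, not from the thread: analyse "iptables -L -v -n" output.
# Usage on a real capture:  report_drops < myfirewall ; report_unused_accepts < myfirewall

# Constructed sample listing (values invented for the demonstration).
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  150 21000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state NEW
    9   540 ACCEPT     tcp  --  *      *       192.168.0.15         0.0.0.0/0            tcp dpt:22 state NEW
   37  2220 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 4 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  160 22000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Print "CHAIN policy N" for every DROP policy that has counted packets, and
# "CHAIN rule N <rule text>" for every explicit DROP rule that has: this is
# where the lost connections went.
report_drops() {
    awk '
        /^Chain / {
            chain = $2
            if (match($0, /policy DROP [0-9]+ packets/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                if (f[3] + 0 > 0) print chain, "policy", f[3]
            }
            next
        }
        $3 == "DROP" && $1 + 0 > 0 {
            rule = $3
            for (i = 4; i <= NF; i++) rule = rule " " $i
            print chain, "rule", $1, rule
        }'
}

# Print "CHAIN <rule text>" for ACCEPT rules whose packet counter is still 0:
# candidates for a rule that never matches what it was meant to match.
report_unused_accepts() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "ACCEPT" && $1 + 0 == 0 {
            rule = $3
            for (i = 4; i <= NF; i++) rule = rule " " $i
            print chain, rule
        }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | report_drops
printf '%s\n' "$SAMPLE" | report_unused_accepts
```

On the sample, the INPUT chain's final DROP rule has absorbed 37 packets while the ACCEPT for `spt:80` has seen none, which is exactly the signature of a web rule matched on the wrong port. Run `iptables -Z` before reproducing the problem so the counters reflect only the test traffic.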

Guest
Posted: Wed Nov 23, 2005 5:21 pm
Post subject: Re: IPTABLES for my webserver
Ty Robert, I really appreciated your help!! Ty again.
I finally got it, yeah :) Your script helped me to understand.
Here is the part, hope it could help someone else.
###############################################################################
# Connection rules
###############################################################################
echo "+ Règles de connexions"
# $IP is the server address and $UNIVERSE the "anywhere" network; both are set
# earlier in the script (not shown here), presumably IP=192.168.0.130 and
# UNIVERSE=0.0.0.0/0.
# SSH
iptables -t filter -A INPUT -p tcp --dport 22 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -s $IP -d $UNIVERSE -j ACCEPT
# HTTP
iptables -t filter -A INPUT -p tcp --dport 80 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 80 -s $IP -d $UNIVERSE -j ACCEPT
# HTTPS
iptables -t filter -A INPUT -p tcp --dport 443 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 443 -s $IP -d $UNIVERSE -j ACCEPT
# No-IP
iptables -t filter -A INPUT -p tcp --dport 8245 -s $UNIVERSE -d $IP -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 8245 -s $IP -d $UNIVERSE -j ACCEPT
# Allow connections with the internet only if they are initiated by
# local processes
iptables -t filter -A OUTPUT -s $IP -d $UNIVERSE -p all -m state --state ! INVALID -j ACCEPT
iptables -t filter -A INPUT -s $UNIVERSE -d $IP -p all -m state --state RELATED,ESTABLISHED -j ACCEPT