Iptables script

General Interworx Control Panel Info General Inquries
1

Hello

Continuing to secure my box, I’d like to know if you could provide a generic iptables configuration script for RH9 with nodeworx/siteworx

I’ll add other services (out of nodeworx services) in this one (for example ircd)

Thanks :slight_smile:

Squalito

2

so ??? Paul ? Chris ?

3

well, this thread has really no success :-p

In fact all my threads about box security as no success.

snif snif

Maybe better lucky a next time

@+++
Pascal

4

squalito,

I apologize, we’ve just been busy with this release. Any basic iptables script will do that blocks all ports, and then selectively adds ports that are needed. For InterWorx-CP itself you’ll need 2443 open and if you want web/email/ssh/ftp open those ports can all be found in /etc/services.

We will at some point provide a standard baseline iptables script but have so far left it up to the server owner.

Chris

5

No pbm for the delay.
What I propose you is to provide a script here before installing it and wait for your comments :slight_smile:

Just in case of :-p

Pascal

6

Sagonet has a general IPtables script posted on their forum.

http://www.sagonet.com/forums/viewtopic.php?t=18&highlight=iptables

7

Thank you lost :slight_smile:

8

Ok here is the script I made helping me from the sago script


#!/bin/bash 
set -e 

# Caution! Once this firewall is active, 
# changes will almost certainly require a reboot, 
# or at least console (the network will be unavailable). 

# Load IRC & FTP modules for use behind a NAT. Usually not necessary. 
modprobe ip_conntrack_ftp 

# Flush rules 
iptables -F 
iptables -X 
iptables -Z 
iptables -t mangle -F 
iptables -t mangle -X 
iptables -t mangle -Z 

# rp_filter 
for f in /proc/sys/net/ipv4/conf/*; do 
echo 1 > $f/rp_filter 
echo 0 > $f/accept_source_route 
echo 0 > $f/accept_redirects 
done 
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all 
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 
echo 0 > /proc/sys/net/ipv4/tcp_ecn 
echo 0 > /proc/sys/net/ipv4/ip_forward 

# Set chain defaults 
iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT 

## Okay, the rules 

# Rejects go here 
iptables -N rej 
iptables -A rej -p udp -j REJECT --reject-with icmp-port-unreachable 
iptables -A rej -p tcp -j REJECT --reject-with tcp-reset 
iptables -A rej -j DROP 

# Slow reject is our packet limiter. 
iptables -N slowrej 
iptables -A slowrej -m limit --limit 12/min --limit-burst 2 -j rej 
iptables -A slowrej -j DROP 

## UDP rules 
iptables -N pudp 
iptables -A pudp -p udp --dport 53 -j ACCEPT # DNS (udp) 
iptables -A pudp -p udp --dport 161 -j ACCEPT # SNMP (udp) 

iptables -A pudp -p udp --dport bootps:bootpc -j DROP 
iptables -A pudp -j slowrej 

## TCP rules 

# Enable services on an as-needed basis. 
# Template below includes most popular services. 
# Default rule (below) is to allow SSH and SNMP. 
# Everything else is your responsiblity. 


iptables -N ptcp 

iptables -A ptcp -p tcp --dport 161 -m state --state NEW -j ACCEPT #SNMP 
iptables -A ptcp -p tcp --dport 80 -m state --state NEW -j ACCEPT # HTTP 
iptables -A ptcp -p tcp --dport 443 -m state --state NEW -j ACCEPT # HTTPS 
#iptables -A ptcp -p tcp --dport 8443 -m state --state NEW -j ACCEPT # ALT_HTTPS 
iptables -A ptcp -p tcp --dport 21 -m state --state NEW -j ACCEPT # FTP 
iptables -A ptcp -p tcp --dport 22 -m state --state NEW -j ACCEPT # SSH 
iptables -A ptcp -p tcp --dport 2443 -m state --state NEW -j ACCEPT # Nodeworx 
iptables -A ptcp -p tcp --dport 2080 -m state --state NEW -j ACCEPT # Nodeworx 
iptables -A ptcp -p tcp --dport 25 -m state --state NEW -j ACCEPT # SMTP 
iptables -A ptcp -p tcp --dport 110 -m state --state NEW -j ACCEPT # POP3
iptables -A ptcp -p tcp --dport 995 -m state --state NEW -j ACCEPT #POP3S
iptables -A ptcp -p tcp --dport 143 -m state --state NEW -j ACCEPT #IMAP2
iptables -A ptcp -p tcp --dport 993 -m state --state NEW -j ACCEPT #IMAPS
iptables -A ptcp -p tcp --dport 3306 -m state --state NEW -j ACCEPT #MySQL
iptables -A ptcp -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS (tcp) 
iptables -A ptcp -p tcp --dport 10000 -m state --state NEW -j ACCEPT # webmin (tcp) 
iptables -A ptcp -p tcp --dport 3333 -m state --state NEW -j ACCEPT # ntop (tcp)
iptables -A ptcp -p tcp --dport 6667 -m state --state NEW -j ACCEPT # IRCD
iptables -A ptcp -p tcp --dport 6668 -m state --state NEW -j ACCEPT # IRCD
iptables -A ptcp -p tcp --dport 7000 -m state --state NEW -j ACCEPT # HUB IRCD

iptables -A ptcp -j slowrej 

## ICMP rules 
iptables -N picmp 
iptables -A picmp -p icmp -m limit --limit 2/sec --limit-burst 2 --icmp-type echo-request -j ACCEPT 
iptables -A picmp -j DROP 

# INPUT chain: Anything over loopback, and anything found in the state matching 
# system is accepted. 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A INPUT -i lo -j ACCEPT 
# If you have constant abusers, block them permanently by CIDR thus: 
# iptables -A INPUT -s 192.168.1.0/24 -j rej 
# 
# For particularly abusive servers or brain-dead software that keeps trying 
# even with rej, try this instead: 
#iptables -A INPUT -s 192.168.1.0/24 -j DROP 
iptables -A INPUT -p udp -j pudp 
iptables -A INPUT -p tcp -j ptcp 
iptables -A INPUT -p icmp -j picmp

I’m not sure to have to open the 2080 port (nodeworx ???) and the 3306 (mysql) port.

Ok so stop me if I’m saying something bad :

I run the script then do iptables-save and copy the output in /etc/sysconfig/iptables

Right ?

Any comments on this script would be welcome

Do I absolutly have to reboot my box ?

Thanks
Pascal