Hello
Continuing to secure my box, I’d like to know if you could provide a generic iptables configuration script for RH9 with nodeworx/siteworx
I’ll add other services (outside the nodeworx services) to this one (for example ircd)
Thanks
Squalito
So??? Paul? Chris?
Well, this thread has really had no success :-p
In fact all my threads about box security have had no success.
snif snif
Maybe better luck next time.
@+++
Pascal
squalito,
I apologize, we’ve just been busy with this release. Any basic iptables script will do that blocks all ports and then selectively adds the ports that are needed. For InterWorx-CP itself you’ll need 2443 open, and if you want web/email/ssh/ftp open, those ports can all be found in /etc/services.
We will at some point provide a standard baseline iptables script but have so far left it up to the server owner.
Chris
No problem about the delay.
What I propose is to post the script here before installing it and wait for your comments.
Just in case :-p
Pascal
Sagonet has a general IPtables script posted on their forum.
http://www.sagonet.com/forums/viewtopic.php?t=18&highlight=iptables
Thank you lost
OK, here is the script I made, using the Sago script as a starting point.
#!/bin/bash
set -e
# Caution! Once this firewall is active, changes will almost certainly
# require console access: the INPUT policy is DROP, so a typo in the rules
# below can cut off the SSH session you are working from.
# Load the FTP connection-tracking helper so that FTP data connections
# (passive mode in particular) are matched as RELATED instead of being
# dropped as NEW. Only the FTP helper is loaded here; add ip_conntrack_irc
# if the ircd needs DCC tracking.
modprobe ip_conntrack_ftp
# Flush rules, delete user chains and zero counters in filter and mangle
iptables -F
iptables -X
iptables -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
# Kernel hardening: reverse-path filtering, no source-routed packets,
# no ICMP redirects, SYN cookies, no broadcast pings, no forwarding
for f in /proc/sys/net/ipv4/conf/*; do
echo 1 > $f/rp_filter
echo 0 > $f/accept_source_route
echo 0 > $f/accept_redirects
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/ip_forward
# INPUT chain, part 1: accept loopback and anything the state engine already
# knows about BEFORE the policy goes to DROP, so the current SSH session
# (and FTP data connections, RELATED via ip_conntrack_ftp) keep working
# while the rest of the rules load.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Set chain defaults: drop everything that is not explicitly accepted below
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## Okay, the rules
# Rejects go here: port-unreachable for UDP, RST for TCP, silent drop for the rest
iptables -N rej
iptables -A rej -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rej -p tcp -j REJECT --reject-with tcp-reset
iptables -A rej -j DROP
# Slow reject is our packet limiter: at most 12 rejects a minute (burst 2),
# everything above that rate is dropped without a reply.
iptables -N slowrej
iptables -A slowrej -m limit --limit 12/min --limit-burst 2 -j rej
iptables -A slowrej -j DROP
## UDP rules
iptables -N pudp
iptables -A pudp -p udp --dport 53 -j ACCEPT # DNS (udp)
iptables -A pudp -p udp --dport 161 -j ACCEPT # SNMP (udp)
iptables -A pudp -p udp --dport bootps:bootpc -j DROP # DHCP chatter, drop silently
iptables -A pudp -j slowrej
## TCP rules
# Enable services on an as-needed basis.
# Template below includes most popular services; comment out what this box
# does not run, and consider restricting management ports (webmin, ntop,
# MySQL) to your own IP with -s instead of opening them to the world.
# Only NEW connections are checked here; ESTABLISHED,RELATED traffic was
# already accepted in INPUT.
# Everything else is your responsibility.
iptables -N ptcp
iptables -A ptcp -p tcp --dport 161 -m state --state NEW -j ACCEPT # SNMP (tcp; agents normally use udp/161, opened above)
iptables -A ptcp -p tcp --dport 80 -m state --state NEW -j ACCEPT # HTTP
iptables -A ptcp -p tcp --dport 443 -m state --state NEW -j ACCEPT # HTTPS
#iptables -A ptcp -p tcp --dport 8443 -m state --state NEW -j ACCEPT # ALT_HTTPS
iptables -A ptcp -p tcp --dport 21 -m state --state NEW -j ACCEPT # FTP (data connections come in as RELATED)
iptables -A ptcp -p tcp --dport 22 -m state --state NEW -j ACCEPT # SSH
iptables -A ptcp -p tcp --dport 2443 -m state --state NEW -j ACCEPT # Nodeworx (SSL)
iptables -A ptcp -p tcp --dport 2080 -m state --state NEW -j ACCEPT # Nodeworx
iptables -A ptcp -p tcp --dport 25 -m state --state NEW -j ACCEPT # SMTP
iptables -A ptcp -p tcp --dport 110 -m state --state NEW -j ACCEPT # POP3
iptables -A ptcp -p tcp --dport 995 -m state --state NEW -j ACCEPT # POP3S
iptables -A ptcp -p tcp --dport 143 -m state --state NEW -j ACCEPT # IMAP2
iptables -A ptcp -p tcp --dport 993 -m state --state NEW -j ACCEPT # IMAPS
iptables -A ptcp -p tcp --dport 3306 -m state --state NEW -j ACCEPT # MySQL (only needed if remote hosts connect to MySQL)
iptables -A ptcp -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS (tcp)
iptables -A ptcp -p tcp --dport 10000 -m state --state NEW -j ACCEPT # webmin (tcp)
iptables -A ptcp -p tcp --dport 3333 -m state --state NEW -j ACCEPT # ntop (tcp)
iptables -A ptcp -p tcp --dport 6667 -m state --state NEW -j ACCEPT # IRCD
iptables -A ptcp -p tcp --dport 6668 -m state --state NEW -j ACCEPT # IRCD
iptables -A ptcp -p tcp --dport 7000 -m state --state NEW -j ACCEPT # HUB IRCD
iptables -A ptcp -j slowrej
## ICMP rules
# Rate-limited echo requests only. ICMP errors for existing connections
# (e.g. fragmentation-needed) are already accepted as RELATED in INPUT.
iptables -N picmp
iptables -A picmp -p icmp --icmp-type echo-request -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
iptables -A picmp -j DROP
# INPUT chain, part 2: hand the rest to the per-protocol chains.
# If you have constant abusers, block them permanently by CIDR thus:
# iptables -A INPUT -s 192.168.1.0/24 -j rej
#
# For particularly abusive servers or brain-dead software that keeps trying
# even with rej, try this instead:
#iptables -A INPUT -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p udp -j pudp
iptables -A INPUT -p tcp -j ptcp
iptables -A INPUT -p icmp -j picmp
I’m not sure whether I have to open the 2080 port (nodeworx ???) and the 3306 (mysql) port.
OK, so stop me if I’m saying something wrong:
I run the script, then do iptables-save and copy the output to /etc/sysconfig/iptables.
Right?
Any comments on this script would be welcome.
Do I absolutely have to reboot my box?
Thanks
Pascal
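Two points in this thread are worth a worked example: Chris's advice above (block everything, then open only the ports the box needs, 2443 for InterWorx-CP among them) and Pascal's question about running the script, saving it with iptables-save to /etc/sysconfig/iptables and whether a reboot is needed. The bash helper below is an added example, not code from the thread, from Sago or from InterWorx: it applies a firewall script with an automatic rollback timer so a bad rule cannot lock you out of SSH, persists the live rules where the RH9 init script reads them, and checks the saved file for the properties that matter (DROP policy, ESTABLISHED rule first, every required port opened). The path /root/firewall.sh, the required-port list, the 120-second window and the iptables-save dump embedded in it are all assumptions or constructed data, not captured from a real server.

```shell
#!/bin/bash
# Added example, not from the thread or from InterWorx: apply a firewall
# script with an automatic rollback so a mistake cannot lock you out of SSH,
# persist the live rules the Red Hat way, and sanity-check the saved file
# before trusting it to a reboot. Paths and the port list are assumptions.
set -u

FW_SCRIPT=${FW_SCRIPT:-/root/firewall.sh}   # assumed location of the script posted above
SAVED=${SAVED:-/etc/sysconfig/iptables}     # file the RH9 iptables init script loads at boot
BEFORE=/tmp/iptables.before
ROLLBACK_SECS=${ROLLBACK_SECS:-120}
# TCP ports the box must still answer on after the rules load (assumed list;
# 2443 is the InterWorx-CP port mentioned in the thread).
REQUIRED_TCP=${REQUIRED_TCP:-"22 80 443 2443"}

# Save the current rules, schedule their restore, then run the new script.
# If SSH still works afterwards, run `confirm_firewall` inside the window;
# if it does not, the old rules come back on their own. nohup keeps the
# timer alive even if the SSH session that started it is dropped.
apply_with_rollback() {
    iptables-save > "$BEFORE"
    nohup sh -c "sleep $ROLLBACK_SECS && iptables-restore < $BEFORE" >/dev/null 2>&1 &
    echo $! > /tmp/fw-rollback.pid
    bash "$FW_SCRIPT"
}

# Cancel the rollback timer and persist the live rules. The init script
# restores $SAVED at boot, so no reboot is needed to make them permanent.
confirm_firewall() {
    kill "$(cat /tmp/fw-rollback.pid)" 2>/dev/null && rm -f /tmp/fw-rollback.pid
    iptables-save > "$SAVED"
    chkconfig iptables on
}

# --- Checks on an iptables-save dump read from stdin -----------------------
# Exit 0 if the INPUT chain's policy is DROP (deny by default).
input_policy_is_drop() {
    grep -q '^:INPUT DROP'
}
# Exit 0 if the first INPUT rule accepts ESTABLISHED,RELATED traffic, so an
# existing SSH session survives the switch to a DROP policy.
established_rule_first() {
    awk '/^-A INPUT /{print; exit}' | grep -q ESTABLISHED
}
# Print the required TCP ports that no ACCEPT rule opens; exit 1 if any.
missing_tcp_ports() {
    local dump port missing=""
    dump=$(cat)
    for port in $REQUIRED_TCP; do
        printf '%s\n' "$dump" | grep -E -- "-p tcp .*--dport $port( |$).*-j ACCEPT" >/dev/null \
            || missing="$missing $port"
    done
    if [ -n "$missing" ]; then printf '%s\n' "${missing# }"; return 1; fi
    return 0
}

# Constructed sample of iptables-save output (not captured from a real box)
# so the checks can be exercised without touching the live firewall.
# It deliberately lacks port 443.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ptcp - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j ptcp
-A ptcp -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A ptcp -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A ptcp -p tcp -m tcp --dport 2443 -m state --state NEW -j ACCEPT
COMMIT'

case "${1:-}" in
    apply)   apply_with_rollback ;;
    confirm) confirm_firewall ;;
    check)   input_policy_is_drop < "$SAVED" && established_rule_first < "$SAVED" \
                 && missing_tcp_ports < "$SAVED" && echo "ok: $SAVED" ;;
    demo)    printf '%s\n' "$SAMPLE_DUMP" | missing_tcp_ports \
                 || echo "sample dump is missing the port(s) above" ;;
esac
```

Usage: from your SSH session run `bash fwtool.sh apply`, open a second SSH connection to prove port 22 still answers, then `bash fwtool.sh confirm` before the timer expires; if the second connection fails, wait out the window and the previous rules are restored. `bash fwtool.sh check` reads /etc/sysconfig/iptables and fails if the policy is not DROP, if the ESTABLISHED rule is not first, or if a required port has no ACCEPT rule. Because the RH9 iptables init script loads that file at boot and on `service iptables restart`, saving the live rules there is what makes them permanent; a reboot only proves that the saved file works, it is not needed to activate the rules.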