Scott Miller wrote:
Thanks for the suggestions - I now have the following, combining two replies
I received. I will implement this afternoon and see what happens. I am
also using Webmin to modify the /etc/sysconfig/iptables file. If anyone
sees anything wrong - please let me know. My goal is to lock down
everything except for the mentioned ports. Thanks for your help.
*mangle
:PREROUTING ACCEPT [6:948]
:INPUT ACCEPT [6:948]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:3269]
:POSTROUTING ACCEPT [7:3269]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# MODIFIED APRIL 27 2009 11:01AM
# TALKING TO OURSELVES IS ALLOWED
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ALLOW THE FOLLOWING TCP PROTOCOLS HTTP, SSH, DNS, WEBMIN, SMTP, POP3, IMAP, RSYNC-TCP
-A INPUT -p tcp -m multiport --dports 22,25,53,80,110,873,993,10000 -m state --state NEW,ESTABLISHED -j ACCEPT
# ALLOW THE FOLLOWING UDP PROTOCOLS TIME, RSYNC-UDP
-A INPUT -p udp -m multiport --dports 123,873 -m state --state NEW,ESTABLISHED -j ACCEPT
If you're going to serve DNS you must open port 53 to UDP.
# DENY ALL OTHERS ETH0
-A INPUT -i eth0 -j DROP
# DENY ALL OTHERS ETH0:1
-A INPUT -i eth0:1 -j DROP
iptables won't accept an alias. Besides, the previous rule already
covers the physical device. If you set the INPUT chain's default policy
to DROP you don't need either of the above rules.
Also consider that you are not allowing RELATED traffic. For some
services that is a deal-breaker.
Some additional notes:
Some outsiders use the ident port (113) to probe for valid users; if you
don't reset those you could see 30-second delays waiting for the ident
to fail. I seem to remember that it impacted mail severely. By
resetting those you save time and they get no revealing information out
of you.
You may also want to rate limit the number of attempts from the same IP
to connect to SSH or you WILL get hammered. If you search the archives
I think *Joanne Dow* posted an example of how to do so.
COMMIT
Here is a version that may do what you want:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,53,80,110,873,993,10000 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,123,873 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
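An added example, not code from either mail, that mechanically checks an iptables-restore ruleset for the points raised in the thread: a rule with no target, an eth0:1 style alias, no ACCEPT for RELATED traffic, DNS open on TCP only, ident (tcp/113) left to time out instead of being rejected, and an INPUT policy still at ACCEPT. The two rulesets embedded in it are constructed from the rules quoted above, one rule per line as iptables-restore requires; the checks only read the text, so it runs without root or netfilter.

```python
"""Lint an iptables-restore ruleset for the pitfalls discussed in the thread.
Example code, not from the original mails; samples below are constructed."""
import re
import shlex

ALIAS_RE = re.compile(r"^[A-Za-z0-9]+:\d+$")   # "eth0:1" style alias


def parse_ruleset(text):
    """Return (policies, rules): policies maps 'table/CHAIN' -> policy name,
    rules is a list of (table, tokens) for every -A/-I line.
    Assumes one rule per line, as iptables-restore requires."""
    table, policies, rules = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[f"{table}/{chain}"] = policy
        else:
            rules.append((table, shlex.split(line)))
    return policies, rules


def _opt(tokens, *names):
    """Value following the first of `names` present in tokens, else None."""
    for name in names:
        if name in tokens:
            i = tokens.index(name)
            if i + 1 < len(tokens):
                return tokens[i + 1]
    return None


def lint(text):
    """Return a list of findings for the filter/INPUT chain (empty = clean)."""
    policies, rules = parse_ruleset(text)
    findings = []
    tcp_ports, udp_ports = set(), set()
    related_accepted = ident_rejected = False

    if policies.get("filter/INPUT", "ACCEPT") != "DROP":
        findings.append("filter/INPUT policy is not DROP: unmatched packets are accepted")

    for table, tok in rules:
        if table != "filter" or _opt(tok, "-A", "-I") != "INPUT":
            continue
        target = _opt(tok, "-j", "-g")
        proto = (_opt(tok, "-p") or "").lower()          # accepts "UDP" as well as "udp"
        ports = {int(p) for p in (_opt(tok, "--dports", "--dport") or "").split(",") if p.isdigit()}
        states = set((_opt(tok, "--state") or "").split(","))
        iface = _opt(tok, "-i")

        if target is None:
            findings.append("rule has no -j target, so it matches but does nothing: " + " ".join(tok))
        if iface and ALIAS_RE.match(iface):
            findings.append(f"'-i {iface}' is an alias; iptables only knows the physical device")
        if target == "ACCEPT":
            related_accepted |= "RELATED" in states
            if proto == "tcp":
                tcp_ports |= ports
            elif proto == "udp":
                udp_ports |= ports
        if target == "REJECT" and proto == "tcp" and 113 in ports:
            ident_rejected = True

    if not related_accepted:
        findings.append("no ACCEPT rule covers RELATED traffic (ICMP errors, FTP data, ...)")
    if 53 in tcp_ports and 53 not in udp_ports:
        findings.append("port 53 is open for TCP only; serving DNS also needs UDP 53")
    if not ident_rejected:
        findings.append("ident (tcp/113) is not REJECTed; remote mail servers may stall until it times out")
    return findings


# Constructed sample: the filter table as first posted, one rule per line.
ORIGINAL = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,53,80,110,873,993,10000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p UDP -m multiport --dports 123,873 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0:1 -j DROP
COMMIT
"""

# Constructed sample: the suggested replacement, with -j ACCEPT on the state rule.
FIXED = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,53,80,110,873,993,10000 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,123,873 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
"""

if __name__ == "__main__":
    for name, ruleset in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: {len(lint(ruleset))} finding(s)")
        for finding in lint(ruleset):
            print("  -", finding)
```

Run it against a saved ruleset with `lint(open("/etc/sysconfig/iptables").read())` before loading it; the original ruleset yields five findings and the corrected one none, and dropping the `-j ACCEPT` from the state rule shows why that omission matters: the rule is reported as target-less and RELATED is no longer accepted anywhere.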