mvtimes
asked on
Is this a good start for iptables on a web server?
Hello everyone,
For the past two days I've been looking into how to set up iptables for a Linux machine that acts as a web server, processes email, and also needs FTP and SSH access. I'm wondering if what I have put together for iptables is enough and/or going to impede the server's functions at all. It's a basic LAMP setup. I'm also wondering if the order of the rules is basically correct.
I think it's close, but my main concerns are PHP, MySQL, email and FTP running. Do PHP and MySQL communicate on the localhost level, or do other ports (3306) need to be added? Is there anything I've overlooked that should also be added?
Is sendmail in the INPUT necessary? (I couldn't figure that one out)
Putting together and editing from several resources online, this is what I've come up with:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 98.76.54.0/24 -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# FTP
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
#
# HTTP/Apache
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#
# SSL/Apache
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#
# POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#
# Sendmail
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#
# DirectAdmin
iptables -A INPUT -s 12.34.56.78 -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -s 98.76.54.0/24 -p tcp --dport 2222 -j ACCEPT
#
# ICMP/Ping:
iptables -A INPUT -p icmp -j ACCEPT
#
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
Any assistance is greatly appreciated.
Thank you for your time.
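As an added example (not the asker's script and not from anyone in this thread), here is the same ruleset rewritten so that the loopback and conntrack rules come before the service rules, passive FTP is handled by the nf_conntrack_ftp helper through the RELATED state instead of an open port range, and MySQL stays on loopback with no public 3306 rule; the management addresses are the placeholders from the question. Run it with --apply as root to load the rules; with no arguments it only prints them.

```shell
#!/bin/sh
# Added example, not the asker's script: same LAMP ruleset, reordered so the
# loopback and conntrack rules precede the service rules. IPT=echo prints the
# commands instead of applying them. 12.34.56.78 / 98.76.54.0/24 are the
# placeholder management addresses from the question.
IPT="${IPT:-iptables}"
ADMIN_HOSTS="12.34.56.78 98.76.54.0/24"
apply_rules() {
    # Flush, but only set DROP policies after the allow rules exist, so a
    # script that dies halfway cannot lock out the SSH session.
    $IPT -F INPUT
    $IPT -F FORWARD
    # 1. Loopback: PHP -> MySQL on 127.0.0.1:3306 or the unix socket stays
    #    on-host, so no public 3306 rule is needed (bind-address=127.0.0.1).
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. Conntrack: replies to the server's own outbound connections, plus
    #    RELATED traffic such as passive-FTP data connections tracked by the
    #    nf_conntrack_ftp helper, so no 20:21 or passive port range is needed.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. Management ports only from the admin sources; new SSH connections
    #    are rate limited to slow down password guessing.
    for src in $ADMIN_HOSTS; do
        $IPT -A INPUT -s "$src" -p tcp --dport 22 -m conntrack --ctstate NEW \
             -m limit --limit 6/min --limit-burst 6 -j ACCEPT
        $IPT -A INPUT -s "$src" -p tcp --dport 2222 -j ACCEPT
    done
    # 4. Public services. Port 25 INPUT is only needed if this host receives
    #    mail from the internet; outbound sendmail is covered by rule 2.
    for port in 21 25 80 110 443; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # 5. Default deny last: REJECT gives clients a clean error, DROP backstops.
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}
# Dry run in a subshell: print the rules rather than apply them.
dry_run() { (IPT=echo; apply_rules); }
rule_count() { dry_run | wc -l | tr -d ' '; }
if [ "${1:-}" = "--apply" ]; then
    modprobe nf_conntrack_ftp   # load the FTP helper before the rules go live
    apply_rules
else
    dry_run
fi
```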
ASKER CERTIFIED SOLUTION
Yes, that is correct. It will have all required port configurations added by default at the end of the installation steps given in this URL; you can further manage it from the DirectAdmin GUI when required.
1. MySQL can work with pipe files, so no 3306 is needed; however, you can change the listening IP to 127.0.0.1 to prevent problems.
2. Try changing SSH and FTP to other port numbers if possible.
3. Change PermitRootLogin to no in /etc/ssh/sshd_config and use sudo all the time.
4. Firewall is not actually important; use netstat -lpn to see how many listening ports you are not using and shut down the service using chkconfig or update-rc.
5. Route your syslog to another machine if possible.
ASKER
Thank you. Even though I think I had the iptables rules correct, CSF made getting the firewall configured much easier, and LFD is helpful to have too.
ASKER
We have the DirectAdmin control panel, so regarding CSF, it seems that running the install as laid out here, http://configserver.com/free/csf/install.txt, would be all that I'd have to do, correct?