Is this a good start for iptables on a web server?

Posted on 2011-09-13
Medium Priority
Last Modified: 2012-08-13
Hello everyone,

For the past two days I've been looking into how to set up iptables for a Linux machine that acts as a web server, processes email, and also needs FTP and SSH access. I'm wondering if what I have put together to set up iptables is enough, and/or whether it is going to impede the server's functions at all. It's a basic LAMP setup. I'm also wondering if the order of the rules is basically correct.

I think it's close, but my main concerns are PHP, MySQL, email and FTP running. Do PHP and MySQL communicate on the localhost level, or do other ports (3306) need to be added? Is there anything I've overlooked that should also be added?
Is sendmail in the INPUT necessary? (I couldn't figure that one out)

Putting together and editing from several resources online, this is what I've come up with:

# iptables example configuration script
# Flush all current rules from iptables
iptables -F
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
# (-s restricts each rule to a single admin source address)
iptables -A INPUT -s -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s -p tcp --dport 22 -j ACCEPT
# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP data and control ports
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# HTTP/Apache
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# SSL/Apache
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# Sendmail
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# DirectAdmin (again limited to admin source addresses)
iptables -A INPUT -s -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -s -p tcp --dport 2222 -j ACCEPT
# ICMP/Ping:
iptables -A INPUT -p icmp -j ACCEPT
# Reject everything else that was not matched above
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
# Save settings
/sbin/service iptables save
# List rules
iptables -L -v


Any assistance is greatly appreciated.

Thank you for your time.
Question by:mvtimes
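As an added illustration (not the asker's script and not from anyone in this thread), here is the same ruleset emitted in iptables-restore format with the question's concerns folded in: loopback and established traffic are accepted before any per-port rule, SSH and DirectAdmin are limited to an admin network, a passive-FTP range is opened, and there is no 3306 rule because MySQL is reached over loopback. The admin network and passive range are placeholder arguments; the output can be piped into iptables-restore to apply it atomically.

```shell
#!/bin/sh
# Emit a complete filter table for a LAMP + mail + FTP host.
# $1 = admin source network (placeholder, e.g. 203.0.113.0/24 documentation range)
# $2 = passive FTP port range; it must match the FTP daemon's own configuration
gen_web_rules() {
    admin_net="$1"
    pasv_range="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and existing connections first, so later rules only see new flows
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Management: SSH and DirectAdmin only from the admin network
-A INPUT -p tcp --dport 22 -s ${admin_net} -j ACCEPT
-A INPUT -p tcp --dport 2222 -s ${admin_net} -j ACCEPT
# Public services: HTTP, HTTPS, SMTP, POP3
-A INPUT -p tcp -m multiport --dports 80,443,25,110 -j ACCEPT
# FTP control/data plus the passive range (needed when nf_conntrack_ftp is not loaded)
-A INPUT -p tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp --dport ${pasv_range} -j ACCEPT
# MySQL is only reachable via loopback, accepted above, so no 3306 rule is added
# Echo requests only, rather than every ICMP type
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Exit 0 when the stateful ACCEPT appears before every port-specific ACCEPT,
# which is the ordering the question asks about.
check_rule_order() {
    gen_web_rules "$1" "$2" | awk '
        /ESTABLISHED,RELATED/ { seen = 1 }
        /--dport/ && !seen    { bad = 1 }
        END { exit bad }'
}
```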
Accepted Solution

RizyDeWino earned 2000 total points
ID: 36532429
The settings look fine in general, and you do need to have port 25 open if it's running a mail server, as users will be connecting to this port to send email from their end; for the server sending mail out, the outbound port needs to be open as well. For FTP you will probably need to add a passive port range to the firewall and FTP configuration, depending on your setup.
For MySQL, if you would be allowing remote MySQL connections for your clients, then you will need to have 3306 open for it as well.

But before checking the iptables rules in more depth, I would like to ask whether you have considered using the CSF firewall instead? http://configserver.com/cp/csf.html

It's the best firewall for cPanel or DirectAdmin servers/VPS in my opinion. It gives you a lot of options/features and GUI management, and makes overall firewall maintenance a lot easier for you. So before you go ahead with the direct iptables rules management route, do check the CSF firewall; with all its cool features, the additional advantage is that it's free.

Author Comment

ID: 36533030
I was just looking to use what was already there. I'm administering this machine remotely, and I'm not that versed in Linux, so using what I already had seemed to be the easier/quicker way.

We have DirectAdmin control panel, so regarding CSF, it seems that running the install as laid out here, http://configserver.com/free/csf/install.txt would be all that I'd have to do, correct?

Expert Comment

ID: 36533102
Yes, that is correct; it will have all required port configurations added by default at the end of the installation steps given in this URL, and you can further manage it from the DirectAdmin GUI when required.

Expert Comment

ID: 36533419
If iptables is a trouble for you try this: http://www.fwbuilder.org/

Expert Comment

ID: 36534838
1. MySQL can work with pipe files, no 3306 needed; however, you can change the listening IP to to prevent problems.
2. Try changing SSH and FTP to other port numbers if possible.
3. Change PermitRootLogin to no in /etc/ssh/sshd_config and use sudo all the time.
4. The firewall is not actually important; use netstat -lpn to see how many listening ports you are not using, and shut down the service using chkconfig or update-rc.
5. Route your syslog to another machine if possible.
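To act on point 4, here is an added audit script (not from anyone in this thread) that compares netstat -lpn style output against the ports the firewall accepts, reporting services exposed on all interfaces with no ACCEPT rule and ACCEPT rules with nothing listening behind them. The netstat lines and allowed-port list are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `netstat -lpn` output (tcp listeners only shown)
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1330/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      901/rpcbind
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1101/proftpd'

# TCP ports the ruleset in the question ACCEPTs (constructed list)
ALLOWED_PORTS="22 21 80 443 25 110 2222"

# Print "port program" for TCP listeners bound to every interface (0.0.0.0 or ::).
# Loopback-only listeners such as 127.0.0.1:3306 are not reachable from outside
# and are skipped.
exposed_listeners() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "") print port, $7 }'
}

# Exposed listeners for which the firewall has no ACCEPT rule: with a DROP
# policy they are blocked, but each is a service worth disabling outright.
unallowed_listeners() {
    exposed_listeners "$1" | while read -r port prog; do
        case " $2 " in *" $port "*) ;; *) echo "$port $prog" ;; esac
    done
}

# ACCEPTed ports with nothing listening: rules wider than the host needs.
unused_allows() {
    listening=$(exposed_listeners "$1" | awk '{print $1}' | tr '\n' ' ')
    for p in $2; do
        case " $listening " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}
```

On a live host, replace SAMPLE_NETSTAT with "$(netstat -lpn 2>/dev/null)" and ALLOWED_PORTS with the --dport values from iptables -S INPUT.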

Author Closing Comment

ID: 36546674
Thank you. Even though I think I had the iptables rules correct, CSF made getting the firewall configured much easier, and LFD is helpful to have too.
