My current iptable configuration doesn't work [on hold]
Posted by Brad on Server Fault
Published on 2014-05-28T05:03:50Z
Indexed on 2014/05/28 9:32 UTC
iptables
sudo chkconfig iptables off
/etc/init.d/iptables on
### Clear/flush iptables
sudo iptables -F
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
### Allow SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
### Allow YUM updates
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 80 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 443 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT
### Add your rules from the link above, here
# ftp,smtp,imap,http,https,pop3,imaps,pop3s
sudo iptables -A INPUT -i eth0 -p tcp -m multiport --dports 21,25,143,80,443,110,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 21,25,143,80,110,443,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
## allow dns
sudo iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT && sudo iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# handling pings
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT && sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# manage ddos attacks
sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
## Implement some logging so that we know what's getting dropped
sudo iptables -N LOGGING
sudo iptables -A INPUT -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
sudo iptables -A LOGGING -j DROP
# once a rule affects traffic then it is no longer managed
# so if the traffic has not been accepted, block it
sudo iptables -A INPUT -j DROP
sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -A OUTPUT -j DROP
# allow only internal port forwarding
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
sudo iptables -P FORWARD DROP
# create an iptables config file
sudo iptables-save > /root/dsl.fw
### Append the following to the rc.local file
sudo nano /etc/rc.local
####---
/sbin/iptables-restore < sudo /root/dsl.fw
####---
/etc/init.d/iptables save
## check to see if this setting is working great.
sudo service iptables restart
## log out/in testing
sudo chkconfig iptables on
What is the problem with this setup?
If I restart the server, it doesn't allow me back in via SSH, and there may be a problem with Yum.
Original source of information: https://gist.github.com/Jonathonbyrd/1274837#file-instructions
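The following is an added example, not code from Brad's post or from the gist it links to. It expresses the same policy as the posted script in iptables-restore format, with three things corrected that a practitioner checking the script would flag: the two "Allow YUM updates" rules use `--state` without first loading the match (`-m state`), which iptables rejects with "unknown option", so those rules never make it into the saved ruleset; the OUTPUT chain ends in DROP but loopback is only accepted on INPUT, so local services talking to 127.0.0.1 lose their outbound packets; and `iptables-restore < sudo /root/dsl.fw` asks the shell to read stdin from a file named `sudo`, so that line in rc.local never runs. A single `ESTABLISHED,RELATED` rule per chain replaces all the `--sport ... ESTABLISHED` rules. The script also carries a small lint that reports those three mistakes in any script or ruleset fed to it. It assumes eth0 is the only external interface and an iptables that accepts `-m state` (CentOS 6 era); the eth0-to-eth1 FORWARD rule is left out because it depends on the host's topology, and the FORWARD policy stays DROP.

```shell
#!/bin/sh
# Added example, not from the question or the linked gist.
# gen_rules  - print a corrected ruleset in iptables-restore format
# lint_rules - flag the three mistakes found in the posted script
# Assumptions: eth0 is the only external interface; "-m state" is accepted
# (CentOS 6 era); no FORWARD rules, since eth0->eth1 forwarding is topology-specific.

gen_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
# loopback in BOTH directions (the posted script only accepted -i lo on INPUT)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# one stateful rule per chain replaces every "--sport N ... ESTABLISHED" rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# inbound ssh
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# inbound ftp,smtp,http,pop3,imap,https,imaps,pop3s
-A INPUT -i eth0 -p tcp -m multiport --dports 21,25,80,110,143,443,993,995 -m state --state NEW -j ACCEPT
# ping: answer echo-request (the reply is ESTABLISHED), let our own pings out
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# outbound yum as root: the match module is loaded before its options are used
-A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m owner --uid-owner 0 -m state --state NEW -j ACCEPT
# outbound dns over udp and tcp
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW -j ACCEPT
# anything else inbound: rate-limited log, then drop (OUTPUT policy DROP covers the rest)
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
EOF
}

# lint_rules: read a script or ruleset on stdin (comment lines ignored), print
# one FAIL line per mistake found, and return 1 if anything was found.
lint_rules() {
    rules=$(sed '/^[[:space:]]*#/d')
    rc=0
    # "--state" without loading the match first: iptables aborts the command with
    # "unknown option --state", so that rule is simply missing after a reload.
    if printf '%s\n' "$rules" | grep -- '--state' | grep -qvE -- '(-m|--match) +(state|conntrack)'; then
        echo 'FAIL: --state used without -m state (iptables rejects the rule)'
        rc=1
    fi
    # "cmd < sudo FILE" reads stdin from a file named "sudo"; the redirect fails
    # and iptables-restore is never executed.
    if printf '%s\n' "$rules" | grep -q 'iptables-restore *< *sudo'; then
        echo 'FAIL: iptables-restore redirected from a file named "sudo"'
        rc=1
    fi
    # OUTPUT ends in DROP but loopback traffic is never accepted outbound.
    if printf '%s\n' "$rules" | grep -qE -- '(-P OUTPUT DROP|:OUTPUT DROP|-A OUTPUT -j DROP)' &&
       ! printf '%s\n' "$rules" | grep -q -- '-A OUTPUT -o lo -j ACCEPT'; then
        echo 'FAIL: OUTPUT drops by default with no "-A OUTPUT -o lo -j ACCEPT"'
        rc=1
    fi
    return $rc
}

# The three offending lines, copied from the question, for the lint to catch.
BROKEN_SAMPLE='iptables -A OUTPUT -o eth0 -p tcp --dport 80 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j DROP
/sbin/iptables-restore < sudo /root/dsl.fw'

case "${1:-}" in
    lint) lint_rules < "${2:-/dev/stdin}" ;;             # sh fw.sh lint script.sh
    demo) printf '%s\n' "$BROKEN_SAMPLE" | lint_rules ;;  # print the three findings
    *)    gen_rules ;;                                    # sh fw.sh > /etc/sysconfig/iptables
esac
```

To put the ruleset in place on a CentOS 6 host, write it to /etc/sysconfig/iptables and run `service iptables restart`, then `chkconfig iptables on`; the init script restores that file at boot, so no rc.local line is needed. Before trusting it over SSH, test from a second session and keep a `sleep 120 && service iptables stop` running in the background so a mistake does not lock you out.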
© Server Fault or respective owner