[colug-432] IPTABLES

Steve VanSlyck s.vanslyck at postpro.net
Sun May 10 21:34:30 EDT 2015


I recently set up IPTABLES on my Digital Ocean CentOS VPS. The rules I
set up are below.

Problem is, after setting and saving these rules, if I then issued
a flush command I would lose connectivity. Is this behaviour
expected? Here is what I did (note these are my notes, not the contents
of a script file):


Flush all current rules:
iptables -F

Drop TCP reconnaissance packets (tcp null packets):
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Reject syn flood attacks:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Reject XMAS flood attacks:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Accept traffic destined to localhost:
iptables -A INPUT -i lo -j ACCEPT

Open expected port for web (http) and secure web (https) traffic:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Open a port for SSH traffic on port 22 [THIS PORT SHOULD BE CHANGED!!!!!!!!!!!!!!!!!!!!!!!]:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Open port 8000 for Ajenti:
iptables -A INPUT -p tcp -m state --state NEW --dport 8000 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 8000 -j ACCEPT

Open ports 4505 and 4506 if the server is going to be a salt-master:
iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

Accept incoming replies from established outgoing connections:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow outgoing traffic:
iptables -P OUTPUT ACCEPT

Drop all incoming traffic which doesn't match a designated rule:
iptables -P INPUT DROP

Save the rules (This executes the iptables init script, which runs
/sbin/iptables-save and writes the current iptables configuration to
/etc/sysconfig/iptables .):
/sbin/service iptables save

===================result=========================
iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4505
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4506
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4505
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4506

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
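Editor's added example (not part of the original post, and not the poster's script): "iptables -F" removes every rule in a chain but leaves the chain's default policy untouched, so with "iptables -P INPUT DROP" in place a plain flush leaves an empty INPUT chain whose policy drops everything, including the SSH session that issued the flush. The functions below contrast that with a flush that resets the policies first, reload the post's ruleset so that re-running it replaces rather than appends (the doubled entries in the "iptables -L -n" output above are what repeated appends look like), and check a chain listing for duplicate rules. The IPT variable is an assumption of this example: it defaults to the real iptables binary and can be pointed at a stand-in such as echo for a dry run without root.

```shell
#!/bin/sh
# Added example, not from the original post. IPT names the iptables binary;
# override it (IPT=echo) to dry-run the functions without root.
IPT="${IPT:-iptables}"

# What the post did: flush only. The rules go away, policy DROP stays, and
# every incoming packet now falls through to that policy.
unsafe_flush() {
    $IPT -F
}

# Open the policies first, then flush. The chains end up empty but permissive,
# so the current session survives until the ruleset is loaded again.
safe_flush() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
}

# The post's ruleset, loaded idempotently: flushing first means a second run
# replaces the rules instead of appending a second copy of each one.
# The DROP policy is set last, after every allow rule is in place.
load_ruleset() {
    safe_flush
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    $IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -m state --state NEW --dport 8000 -j ACCEPT
    $IPT -A INPUT -p udp -m state --state NEW --dport 8000 -j ACCEPT
    $IPT -A INPUT -p tcp -m state --state NEW --dport 4505 -j ACCEPT
    $IPT -A INPUT -p tcp -m state --state NEW --dport 4506 -j ACCEPT
    $IPT -P INPUT DROP
}

# Reads "iptables -S INPUT" style output on stdin and prints each rule that
# appears more than once; empty output means the chain has no duplicates.
find_duplicate_rules() {
    sort | uniq -d
}

# Usage, as root against the real binary:
#   . ./iptables-reload.sh; load_ruleset; $IPT -S INPUT | find_duplicate_rules
```

Sourcing the file rather than running it keeps the functions available in the shell; the order inside safe_flush matters, since setting the policies after the flush would reproduce the lockout the post describes.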
