Hi all,

Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.

I'd like to start with something fairly simple:

1. Allow connections from anywhere ONLY to certain ports

   i.e., for encrypted IMAP/SMTP connections from users

2. Allow connections from only certain IP addresses to certain ports

   i.e., for limiting SSH access

3. DROP ALL other connection attempts

   i.e., I don't want to see these disallowed attempts in the logs

In order to keep my rules more manageable, I have a commented text file
that I manually edit whenever modifying my rules, then I do an
'iptables-restore < /path/to/iptables-rules' to update them.

My first question is about a trick I learned some time ago (but don't
remember where)...

For the ports for which I want to allow only restricted access, I have
something like:

#######################
# bgn exceptions blocks
#######################
:f_22_I - [0:0]
:f_25_I - [0:0]
:f_22_O - [0:0]
:f_25_O - [0:0]

Am I correct that the above are what are called 'chains' in iptables speak?

#
### allow connections only from the following IP's
#
## SSH
#
# my local admin hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
#
# external hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT

And am I also correct that the above adds each rule to the named chain
in order, and that the order is significant?

So, if I wanted to add a last rule to that chain that DROPs all other
connection attempts, it would be just:

-A f_22_I -j DROP

?

Then... assuming that I have all of the specific rules after these set
up to allow just the traffic I want, and I wanted to add a final rule
that just silently DROPped all other inbound connection attempts, it
would be:

-A INPUT -j DROP

?

Thanks...
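As an added example (not part of the original post, and not the poster's actual rules file), here is a complete iptables-restore ruleset that implements the three goals above using the post's f_22_I chain name. The quoted fragment defines the chain and fills it, but does not show the INPUT rule that jumps into it; a chain that nothing jumps to is never consulted, so the example assumes one. The IP addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and the public port list (993, 465, 587) is an assumption about which "encrypted IMAP/SMTP" ports are meant. The check_order function verifies the ordering property the post asks about: the first matching rule wins, so the jump into f_22_I must sit before "-A INPUT -j DROP", and the chain's own DROP must be its last rule.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that
#   1. opens a few TCP ports to anyone,
#   2. restricts SSH (port 22) to listed admin hosts via a custom chain,
#   3. silently drops everything else inbound.
# Addresses are constructed placeholders (RFC 5737 documentation range).

ADMIN_HOSTS="192.0.2.10 192.0.2.11"   # assumed admin hosts allowed to SSH in
PUBLIC_TCP_PORTS="993 465 587"        # assumed: IMAPS, SMTPS, submission

# Print the ruleset in the format iptables-restore reads.
ruleset() {
    printf '%s\n' '*filter'
    # Built-in chains; policies are irrelevant here because INPUT ends in an
    # explicit DROP, but FORWARD gets DROP so nothing is routed through us.
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # User-defined chain, declared before any rule references it.
    printf '%s\n' ':f_22_I - [0:0]'

    # Replies to connections this host started, and loopback traffic, are
    # accepted first; without this, the final DROP would break outbound
    # sessions as well as inbound ones.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'

    # Goal 1: these ports are reachable from anywhere.
    for p in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Goal 2: SSH is handed to the exceptions chain. This jump is what makes
    # the chain take effect; defining the chain alone does nothing.
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j f_22_I'
    for h in $ADMIN_HOSTS; do
        printf '%s\n' "-A f_22_I -s $h -j ACCEPT"
    done
    # Last rule in the chain: any other source is dropped. Rules are matched
    # top to bottom, so this must follow the ACCEPTs. (It is redundant with
    # the INPUT DROP below, but makes the chain self-contained.)
    printf '%s\n' '-A f_22_I -j DROP'

    # Goal 3: anything not accepted above is dropped without logging.
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Verify the ordering the ruleset depends on. Exit status 0 means:
#   - a jump into f_22_I exists and precedes "-A INPUT -j DROP",
#   - f_22_I's DROP exists and no ACCEPT in that chain comes after it.
check_order() {
    ruleset | awk '
        /^-A INPUT .*-j f_22_I$/  { jump = NR }
        /^-A INPUT -j DROP$/      { drop = NR }
        /^-A f_22_I .*-j ACCEPT$/ { if (chain_drop) late = 1 }
        /^-A f_22_I -j DROP$/     { chain_drop = NR }
        END { exit !(jump && drop && jump < drop && chain_drop && !late) }'
}

# Count of per-host ACCEPT rules in the SSH chain (one per admin host).
admin_rule_count() {
    ruleset | grep -c '^-A f_22_I -s '
}
```

Usage: run `ruleset > /etc/iptables/rules.v4` (path is an assumption; use whatever file the existing `iptables-restore <` step reads), then `iptables-restore --test < /etc/iptables/rules.v4` to parse it without applying, and `check_order && echo order ok` to confirm the DROP rules are where they must be. Note that with `-A INPUT -j DROP` as the last rule, the `ESTABLISHED,RELATED` accept near the top is what keeps return traffic for the server's own outbound connections working; leaving it out is the most common way a ruleset of this shape locks the administrator out.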