| 1 |
Hi all, |
| 2 |
|
| 3 |
Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. |
| 4 |
|
| 5 |
I'd like to start with something fairly simple: |
| 6 |
|
| 7 |
1. Allow connections from anywhere ONLY to certain ports |
| 8 |
|
| 9 |
ie, for encrypted IMAP/SMTP connections from users |
| 10 |
|
| 11 |
2. Allow connections from only certain IP addresses to certain ports |
| 12 |
|
| 13 |
ie, for limiting SSH access |
| 14 |
|
| 15 |
3. DROP ALL other connection attempts |
| 16 |
|
| 17 |
ie, I don't want to see these disallowed attempts in the logs |
| 18 |
|
| 19 |
In order to keep my rules more manageable, I have a commented text file |
| 20 |
that I manually edit whenever modifying my rules, then I do an |
| 21 |
'iptables-restore < /path/to/iptables-rules' to update them. |
| 22 |
|
| 23 |
My first question is about a trick I learned some time ago (but don't |
| 24 |
remember where)... |
| 25 |
|
| 26 |
For the ports for which I want to allow only restricted access, I have |
| 27 |
something like: |
| 28 |
|
| 29 |
####################### |
| 30 |
# bgn exceptions blocks |
| 31 |
####################### |
| 32 |
:f_22_I - [0:0] |
| 33 |
:f_25_I - [0:0] |
| 34 |
:f_22_O - [0:0] |
| 35 |
:f_25_O - [0:0] |
| 36 |
|
| 37 |
Am I correct that the above are what are called 'chains' in iptables speak? |
| 38 |
|
| 39 |
# |
| 40 |
### allow connections only from the following IP's |
| 41 |
# |
| 42 |
## SSH |
| 43 |
# |
| 44 |
# my local admin hosts |
| 45 |
-A f_22_I -s ###.###.###.### -j ACCEPT |
| 46 |
-A f_22_I -s ###.###.###.### -j ACCEPT |
| 47 |
-A f_22_I -s ###.###.###.### -j ACCEPT |
| 48 |
-A f_22_I -s ###.###.###.### -j ACCEPT |
| 49 |
-A f_22_I -s ###.###.###.### -j ACCEPT |
| 50 |
# |
| 51 |
# external hosts |
| 52 |
-A f_22_I -s ###.###.###.### -j ACCEPT |
| 53 |
-A f_22_I -s ###.###.###.### -j ACCEPT |
| 54 |
|
| 55 |
And am I also correct that the above adds each rule to the named chain |
| 56 |
in order, and that the order is significant? |
| 57 |
|
| 58 |
So, if I wanted to add a last rule to that chain that DROPs all other |
| 59 |
connection attempts, it would be just: |
| 60 |
|
| 61 |
-A f_22_I -j DROP |
| 62 |
|
| 63 |
? |
| 64 |
|
| 65 |
Then... assuming that I have all of the specific rules after these set |
| 66 |
up to allow just the traffic I want, and I wanted to add a final rule |
| 67 |
that just silently DROPped all other inbound connection attempts, it |
| 68 |
would be: |
| 69 |
|
| 70 |
-A INPUT -j DROP |
| 71 |
|
| 72 |
? |
| 73 |
|
| 74 |
Thanks... |
Archives