
Rabu, 26 Februari 2014

IPTables

Here are our iptables rules:

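#!/usr/bin/env bash
#
# Host firewall for a cPanel/WHM web + mail server.
# Stateless, port-based rules: each service is a pair of rules (request
# one way, reply back to an ephemeral port the other way). Run as root;
# re-running is safe because the chains are flushed first.
#
set -eu

#Name Servers (upstream resolvers; leave empty to skip the per-resolver rules)
DNS1=""
DNS2=""

#######################################
# Open an inbound service: new connections to a local port, plus the
# server's replies back to the client's ephemeral port.
# Arguments: $1 - protocol (tcp|udp)
#            $2 - local port or range in iptables syntax (80, 3000:3100)
#######################################
allow_inbound() {
  local proto=$1 port=$2
  iptables -A INPUT  -p "$proto" --dport "$port" -j ACCEPT
  iptables -A OUTPUT -p "$proto" --sport "$port" --dport 1024:65535 -j ACCEPT
}

#######################################
# Open an outbound client connection from this host to a remote service,
# plus the remote's replies back to our ephemeral port.
# NOTE: the INPUT half is stateless, so any packet whose source port is
# $2 is accepted on every local port above 1023 whether or not this host
# initiated the connection; "-m state --state ESTABLISHED" on that line
# is the tighter form (conntrack is already used by the eth0 DNS rules).
# Arguments: $1 - protocol (tcp|udp)
#            $2 - remote port
#######################################
allow_outbound() {
  local proto=$1 port=$2
  iptables -A OUTPUT -p "$proto" --sport 1024:65535 --dport "$port" -j ACCEPT
  iptables -A INPUT  -p "$proto" --sport "$port" --dport 1024:65535 -j ACCEPT
}

#######################################
# Allow this host to query one upstream resolver. Skipped when the
# address is empty: an unquoted empty $DNS1 used to expand to
# "-d --dport 53", which iptables rejects.
# Arguments: $1 - resolver IP
#######################################
allow_resolver() {
  local resolver=$1
  [[ -n "$resolver" ]] || return 0
  iptables -A OUTPUT -p udp --sport 1024:65535 -d "$resolver" --dport 53 -j ACCEPT
  iptables -A INPUT  -p udp -s "$resolver" --sport 53 --dport 1024:65535 -j ACCEPT
}

#Start from empty chains so a second run does not append duplicate rules
iptables -F
iptables -X

#Default Deny
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP   # this host is not a router; close the third built-in chain too

#Allow Loopback
# Matched on the interface only: the old "-s 127.0.0.1" let loopback
# traffic carrying any other local address fall through to the DROP rules.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Deny Bad Packets
iptables -A INPUT -f -j DROP                            # fragments
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP    # every TCP flag set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP   # no TCP flag set

#Deny Packets from Invalid Address Space
# Not limited to an interface: if this host itself sits on a private LAN
# or behind NAT, add "-i eth0" to these or LAN traffic will be dropped.
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP               # 224.0.0.0-255.255.255.255 (multicast + reserved)

#Allow ICMP(Ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

#Allow DNS (upstream resolvers)
allow_resolver "$DNS1"
allow_resolver "$DNS2"

#Allow DNS (stateful, on eth0)
# The INPUT side accepts replies only (ESTABLISHED). The old rules also
# accepted NEW here, i.e. any fresh packet with source port 53 to any
# local port; the old OUTPUT rules also carried a broken state name
# ("ESTABLISHE D" with a stray space), which iptables rejects.
iptables -A INPUT -i eth0 -p udp --sport domain -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport domain -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT

## Allow Selective Inbound Connections

#DNS
allow_inbound udp 53
allow_inbound tcp 53

#HTTP / HTTPS (Web Server)
allow_inbound tcp 80
allow_inbound tcp 443

#FTP
# Kept explicit: active-mode data connections originate from the server's
# port 20, so these pairs are not the plain request/reply shape above.
# 3000:3100 is presumably the configured passive data range — confirm
# against the FTP server's config.
iptables -A INPUT -p tcp --dport 21 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000:3100 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3000:3100 --dport 1024:65535 -j ACCEPT

#SSH (non-standard port)
allow_inbound tcp 4777

#SMTP / Secure SMTP
allow_inbound tcp 25
allow_inbound tcp 465

#IMAP / Secure IMAP
allow_inbound tcp 143
allow_inbound tcp 993

#POP3 / Secure POP3
allow_inbound tcp 110
allow_inbound tcp 995

#cPanel / Secure cPanel
allow_inbound tcp 2082
allow_inbound tcp 2083

#Web Host Manager / Secure Web Host Manager
# (the old extra "-s 0.0.0.0/0 --dport 2087" rule duplicated the 2087
# ACCEPT and could never match; it has been dropped)
allow_inbound tcp 2086
allow_inbound tcp 2087

#Webmail / Secure Webmail
allow_inbound tcp 2095
allow_inbound tcp 2096

## Allow Selective Outbound Connections

#SMTP
allow_outbound tcp 25

#HTTP / HTTPS
allow_outbound tcp 80
allow_outbound tcp 443

#cPanel Licensing
allow_outbound tcp 2089

#WHOIS
# RFC 3912 WHOIS runs over TCP port 43; the old udp rule never matched a
# real whois client.
allow_outbound tcp 43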

Any ideas what we need to change?
