
Wednesday, February 15, 2012

Re: Iptables example for mail/web/openvpn server

Hello,

Arturo Borrero Gonzalez wrote:
> 2012/2/15 Raven <raven@vp44.net>:
>> I need some help in designing a simple iptables ruleset for a small
>> server I have recently set up.
>>
>> It's a VPS so the primary interface is venet0 with a public ip. The
>> server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
>>
>> There is obviously no need for NAT or packet forwarding. All outbound
>> traffic should be allowed while inbound data is to be accepted only on
>> ports 80, 443, 25, 587 and 1194 (tcp,udp).
>>
>> Could you give me a rough idea of what a firewall script should look
>> like?
>
> Depending on what kind of complexity you want, you could use a few
> iptables lines added at some place like /etc/rc... or somewhere..
>
> like: (this one is valid)
>
> ## flush old rules
> iptables -F
> # rules
> iptables -t filter -A INPUT -i venet0 -d your_public_ip \
> -p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t filter -A INPUT -i venet0 -d your_ip \
> -p udp --sport 1024: --dport 1194 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> # default policy
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT DROP
> ##

Some parts are missing.
- Port 1194 (openvpn) should be accepted for TCP too.
- Local host traffic on the loopback interface should be accepted.
iptables -A INPUT -i lo -j ACCEPT

- Incoming return traffic for outgoing connections (e.g. DNS replies)
should be accepted.
- Incoming related ICMP messages should be accepted. You want to know
about network problems such as when a host is unreachable or a packet is
too big, don't you?

For those two requirements, just add the usual rule:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And you can remove the now redundant ESTABLISHED state from other rules.
Note that you can also remove the whole state match in the UDP rule as a
UDP packet cannot be in the INVALID state (UDP has no real state).

- Some incoming traffic (TBD) on the tunnel interface created by openvpn
should probably be accepted too, otherwise the VPN won't be very useful.

> · Ipv6 use, or support?

Just use the same commands with ip6tables instead of iptables.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4F3C0883.4070407@plouf.fr.eu.org
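The points raised in the thread (loopback, ESTABLISHED,RELATED before the service rules, 1194 over both TCP and UDP, something for the tunnel interface, the same commands for ip6tables) add up to one short script. The one below is an added example, not code from either poster or from the list. It assumes venet0 as the public interface, tun+ as the OpenVPN tunnel interfaces, 203.0.113.10 and 2001:db8::10 as placeholder addresses, and that traffic arriving through the tunnel is trusted; all of these are assumptions, not facts from the thread. It also adds two things the thread does not spell out but which I am confident a practitioner wants: an ICMPv6 accept rule for the ip6tables case, because neighbour discovery is not RELATED traffic and ip6tables with a DROP policy and no ICMPv6 rule takes the link down, and a DRY_RUN mode that prints the commands instead of applying them, so the ruleset can be reviewed without root. Note that the requested port list has no 22 in it: if the VPS is administered over SSH on venet0 rather than through the VPN, add that port before the INPUT policy goes to DROP.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post).
# Assumed names: venet0 = public interface, tun+ = OpenVPN tunnel interfaces,
# 203.0.113.10 / 2001:db8::10 = documentation placeholders for the public address.
# DRY_RUN=1 prints the generated commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_ruleset <iptables|ip6tables> <public address> [wan iface] [vpn iface]
build_ruleset() {
    ipt=$1; addr=$2; wan=${3:-venet0}; vpn=${4:-tun+}

    # Start from a known state. Open the policy *before* flushing so a failure
    # half-way through does not leave the host unreachable.
    run "$ipt" -P INPUT ACCEPT
    run "$ipt" -F INPUT

    # 1. Loopback: local daemons talk to each other over lo.
    run "$ipt" -A INPUT -i lo -j ACCEPT

    # 2. Replies to our own outgoing connections (DNS answers, etc.) and
    #    RELATED traffic such as ICMP unreachable / fragmentation-needed.
    #    "-m conntrack --ctstate" is the current spelling of "-m state --state".
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Packets conntrack cannot classify are dropped explicitly.
    run "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 4. IPv6 only (added caveat): neighbour discovery and path-MTU discovery
    #    run over ICMPv6 and are not RELATED, so they need their own rule.
    if [ "$ipt" = ip6tables ]; then
        run "$ipt" -A INPUT -p icmpv6 -j ACCEPT
    fi

    # 5. Published services on the public interface. 1194 is accepted for
    #    TCP and UDP; the UDP rule needs no state match, as the thread notes.
    run "$ipt" -A INPUT -i "$wan" -d "$addr" -p tcp \
        -m multiport --dports 80,443,25,587,1194 \
        -m conntrack --ctstate NEW -j ACCEPT
    run "$ipt" -A INPUT -i "$wan" -d "$addr" -p udp --dport 1194 -j ACCEPT

    # 6. Traffic arriving through the VPN tunnel (assumption: the tunnel is
    #    trusted; tighten to specific ports if it is not).
    run "$ipt" -A INPUT -i "$vpn" -j ACCEPT

    # 7. Default policies last, once every accept rule is in place.
    run "$ipt" -P OUTPUT ACCEPT
    run "$ipt" -P INPUT DROP
}

# Entry point: `sh firewall.sh iptables 203.0.113.10` applies the rules (as root);
# prefix with DRY_RUN=1 to print them instead. Sourcing the file only defines
# the functions.
if [ "$#" -ge 2 ]; then
    build_ruleset "$@"
fi
```

Run it once per address family, e.g. `DRY_RUN=1 sh firewall.sh iptables 203.0.113.10` and `DRY_RUN=1 sh firewall.sh ip6tables 2001:db8::10`, read the output, then repeat without DRY_RUN. Because the policy is switched to ACCEPT before the flush and back to DROP only after the accept rules exist, a typo in the middle of the script degrades to an open firewall rather than a locked-out box, which is the failure mode you can still fix remotely.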
