Web Hosting Talk
Basic iptables rules for your server


wizital
10-30-2002, 01:36 PM
Hi,

I'm trying to setup iptables as a firewall for my web hosting server but not sure what to put in the rules.

I'm asking if anybody would share the basic (web hosting) rules that you have for your server so I can follow to get started.

Thanks for your help.

ckpeter
10-30-2002, 03:08 PM
Well, I don't have specific rules. But the general rule is: deny everything, then open up the ports/IPs for only the services you need.

Don't forget to grant yourself SSH access first, or else you would have locked yourself out of the server.

Peter

steve93138
10-30-2002, 04:46 PM
Originally posted by wizital
Hi,

I'm trying to setup iptables as a firewall for my web hosting server but not sure what to put in the rules.

I'm asking if anybody would share the basic (web hosting) rules that you have for your server so I can follow to get started.

Thanks for your help.

I created an iptables script and placed it in the public domain. Check it out here:

http://www.geocities.com/steve93138/

gngit
10-30-2002, 07:44 PM
Just a suggestion. Too many rules and hacks to build an IPTABLES firewall by yourself; use the open-source community to your advantage.

One I use a lot is the gShield firewall. (Search on Google to find it.) It is really easy to set up and helps you back into the IPTABLES config.

Lots of developers building firewall = very safe rules :)

Hope this helps

wizital
10-31-2002, 10:26 AM
Thanks a lot guys.

steve93138: I have whm/cpanel so I guess I need to open other ports.

gngit: I'll play with gShield and see how it'd go.

Thanks again.

wizital
10-31-2002, 06:22 PM
Originally posted by steve93138
I created an iptables script and placed it in the public domain. Check it out here:

http://www.geocities.com/steve93138/

Let's say I have 64.190.31.x and 64.190.32.x
Under your subnet_broadcast, should/can I enter two entries?

Thanks.

no1v2
11-01-2002, 02:09 AM
What are your subnet masks?

wizital
11-02-2002, 12:10 PM
It's 255.255.255.0

Thanks.

steve93138
11-03-2002, 12:56 AM
Originally posted by wizital
It's 255.255.255.0

Originally posted by wizital
Let's say I have 64.190.31.x and 64.190.32.x
Under your subnet_broadcast, should/can I enter two entries?

Is this a theoretical question? :)

The reason I ask is because if your subnet mask is 255.255.255.0 then you can't have two IPs such as 64.190.31.x and 64.190.32.x on the same subnet. Therefore, if your subnet mask is 255.255.255.0 then your subnet broadcast address is most likely xxx.xxx.xxx.255.

To answer your question though, the script is not set up for more than one entry in this variable because it's not needed.

BiGWill
11-03-2002, 02:15 PM
Well, I got the same here...
My main IP is: xxx.xxx.251.xxx
and all my others are xxx.xxx.236.xxx
so one bcast is: xxx.xxx.251.255
and the other is: xxx.xxx.236.255
What do I have to change in the script to get that running?
(Don't wanna try and lock myself out ;))

thanks!

greets,
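The arithmetic behind steve93138's answer and BiGWill's two-subnet case, as an added example (not code from the KISS script): a broadcast address keeps the network bits and sets every host bit, so with a 255.255.255.0 mask 64.190.31.x and 64.190.32.x are two subnets with two broadcast addresses. The addresses are the ones quoted in the thread; the function names are mine.

```shell
#!/bin/sh
# Subnet arithmetic for the multiple-subnet question above. Constructed
# example; the function names are not from the KISS script.

# Split a dotted quad ($1) into the global variables o1..o4.
split_ip() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    o1=$1; o2=$2; o3=$3; o4=$4
}

# $1 = IPv4 address, $2 = dotted netmask. Prints the broadcast address:
# network bits kept, every host bit forced to 1.
broadcast_of() {
    split_ip "$2"; m1=$o1; m2=$o2; m3=$o3; m4=$o4
    split_ip "$1"
    printf '%d.%d.%d.%d\n' $(( o1 | (~m1 & 255) )) $(( o2 | (~m2 & 255) )) \
                           $(( o3 | (~m3 & 255) )) $(( o4 | (~m4 & 255) ))
}

# $1 = IPv4 address, $2 = dotted netmask. Prints the network address
# (host bits cleared).
network_of() {
    split_ip "$2"; m1=$o1; m2=$o2; m3=$o3; m4=$o4
    split_ip "$1"
    printf '%d.%d.%d.%d\n' $(( o1 & m1 )) $(( o2 & m2 )) \
                           $(( o3 & m3 )) $(( o4 & m4 ))
}

# $1, $2 = two addresses, $3 = netmask. Returns 0 if they share a subnet.
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# $1 = netmask, remaining args = the box's addresses. Prints one broadcast
# address per distinct subnet, i.e. the list a script that accepts several
# broadcast entries would need.
broadcast_list() {
    mask="$1"; shift
    for a in "$@"; do broadcast_of "$a" "$mask"; done | sort -u
}
```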

steve93138
11-04-2002, 03:47 PM
Howdy folks,

Because of your input, I just updated "KISS My Firewall" to version 1.2. It includes support for multiple subnet base and broadcast addresses:

http://www.geocities.com/steve93138/

wizital
11-04-2002, 06:03 PM
How do you allow ping on one/multiple IPs?

Thanks a lot.
You rock, steve93138!!!
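An added example, not the KISS script or anything posted in this thread, that emits a ruleset in the order ckpeter recommends: loopback, established traffic and SSH from the admin network are accepted first, the public service ports next, and the DROP policy is set last, so a script that dies halfway (as happens further down in this thread) cannot lock you out. It also covers wizital's ping question by allowing ICMP echo per destination address with `-d`. ADMIN_NET, TCP_SERVICES and PING_IPS are placeholder values.

```shell
#!/bin/sh
# Emit iptables commands for a default-deny web hosting firewall. Nothing here
# runs iptables itself: review the output, then pipe it to sh as root.
# ADMIN_NET, TCP_SERVICES and PING_IPS are constructed placeholder values.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"              # where you SSH from
TCP_SERVICES="${TCP_SERVICES:-21 25 80 110 143 443}"  # public services
PING_IPS="${PING_IPS:-198.51.100.10 198.51.100.11}"   # addresses that answer ping

# $1 = admin source network, $2 = public TCP ports, $3 = pingable addresses
gen_rules() {
    admin="$1"; ports="$2"; pingable="$3"
    # Open the policy before flushing so the flush itself cannot lock us out.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # SSH from the admin network goes in before anything is restricted.
    echo "iptables -A INPUT -p tcp -s $admin --dport 22 -j ACCEPT"
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Ping only on the listed addresses, rate limited against floods.
    for ip in $pingable; do
        echo "iptables -A INPUT -p icmp --icmp-type echo-request -d $ip -m limit --limit 5/s -j ACCEPT"
    done
    # Default deny goes last: everything not matched above is dropped.
    echo "iptables -P INPUT DROP"
}

# Sanity check before applying: the SSH accept must come before the DROP
# policy. Returns 0 when the order is safe, 1 otherwise.
ssh_before_drop() {
    gen_rules "$1" "$2" "$3" | awk '
        /--dport 22 -j ACCEPT/ { ssh = NR }
        /-P INPUT DROP/        { drop = NR }
        END { exit !(ssh && drop && ssh < drop) }'
}

if [ "${1:-}" = "--print" ]; then
    ssh_before_drop "$ADMIN_NET" "$TCP_SERVICES" "$PING_IPS" || exit 1
    gen_rules "$ADMIN_NET" "$TCP_SERVICES" "$PING_IPS"
fi
```

Run it with `--print` to see the commands; cPanel/WHM hosts need their own extra ports added to TCP_SERVICES.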

m00ds
11-16-2002, 11:05 PM
Great script steve :D :D :D.

Is it possible to permanently allow several remote IPs to connect to the server via tcp/udp ports in your script so that they will never be dropped? Thanks.

barleduc
11-17-2002, 07:48 PM
I just tried running the script but I got the following errors:

root@host [/kiss]# ./kiss.sh
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
./kiss.sh: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory

I couldn't find tcp_syncookies on my Linux RH 7.3 server.

And what to do about the nat error?

JonL
11-17-2002, 08:51 PM
insmod iptables.o should fix the problem ;)

barleduc
11-17-2002, 09:10 PM
Originally posted by JonL
insmod iptables.o should fix the problem ;)

I tried it, but I get :

insmod: iptables.o: No such file or directory

Also what is the purpose of tcp_syncookies?

The firewall seems to work fine anyway though :)
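The two errors barleduc hit (a nat table the kernel cannot open, and a missing tcp_syncookies file) both come from a script that assumes kernel features exist. An added example, not the KISS script, that probes for them and skips what is absent instead of aborting mid-ruleset; tcp_syncookies is the SYN-flood defence, letting the kernel keep accepting connections while its listen queue is full of half-open SYNs. It assumes the nat table's kernel module is named iptable_nat and uses modprobe rather than insmod.

```shell
#!/bin/sh
# Preflight for a firewall script: check for the nat table and the
# tcp_syncookies knob and skip what the kernel lacks, so the script does not
# die halfway through the ruleset. Constructed example, not the KISS script.
SYNCOOKIES="${SYNCOOKIES:-/proc/sys/net/ipv4/tcp_syncookies}"

# Turn on SYN cookies, which let the kernel keep accepting connections while
# its listen queue is flooded with half-open SYNs. $1 overrides the sysctl
# path (used by the tests). Returns 0 enabled, 1 knob absent, 2 write failed.
enable_syncookies() {
    knob="${1:-$SYNCOOKIES}"
    if [ ! -f "$knob" ]; then
        echo "no $knob: kernel built without SYN cookie support, skipping" >&2
        return 1
    fi
    echo 1 > "$knob" 2>/dev/null || return 2
}

# Returns 0 if the knob currently reads 1. $1 overrides the sysctl path.
syncookies_on() {
    [ "$(cat "${1:-$SYNCOOKIES}" 2>/dev/null)" = 1 ]
}

# Returns 0 when iptables can open table $1 (filter, nat, mangle), loading
# its module first if needed; 1 means rules for that table must be skipped.
table_available() {
    modprobe "iptable_$1" 2>/dev/null || true
    iptables -t "$1" -L -n >/dev/null 2>&1
}

if [ "${1:-}" = "--run" ]; then
    enable_syncookies || true
    if table_available nat; then
        echo "nat table present, nat rules can be applied"
    else
        echo "nat table unavailable, skipping nat rules" >&2
    fi
fi
```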

barleduc
11-18-2002, 08:54 AM
I've tried it on a CPanel server (added the additional CPanel ports in the script).

But when I log on to WHM and try to update WHM themes for example it fails because of an rsync IO error.

Updating Xskin.... rsync: failed to connect to rsync.cpanel.net: Connection timed out rsync error: error in socket IO (code 10) at clientserver.c(89) Done