  1. #1
    Join Date
    Jun 2001
    Location
    Gilroy CA.
    Posts
    466

    Really simple VPS firewall

    Sometimes simple is better. Here's a dirt simple script I wrote myself. Basically you put IP addresses or host names in the whitelist and those IPs are open on all ports. Then you specify the ports you want to expose to the world with PORTSALLOWED. Everything else gets dropped.

    One thing to make sure you do is that the IP address you are using to SSH into your VPS must be whitelisted or you will lock yourself out. You will only be able to SSH in from whitelisted IP addresses. But - your SSH is protected because everyone else can't connect at all.


    #!/bin/sh
    #
    # Firewall Rules = by Marc Perkel - Free under GPL 2
    # http://www.junkemailfilter.com - [email protected]
    # This section provides a front end to pre-filter traffic coming in.
    #
    # WHITELIST: IP addresses or host names that may connect on every port.
    # Host names are resolved by iptables when this script runs, so name
    # resolution must work at the time the rules are loaded (e.g. at boot),
    # and a changed DNS record is not picked up until the script is re-run.
    WHITELIST="localhost bigdog newton pascal euclid darwin"
    # PORTSALLOWED: TCP ports reachable from any address.
    PORTSALLOWED="25 53 80"

    # --- Clear the IP Tables (every chain of the filter and nat tables)

    echo
    echo "-------- Loading IP Tables Firewall --------"
    echo "# Script: /etc/rc.d/rc.firewall"
    echo
    echo "# Clearing IP Tables"
    echo

    iptables -v -F
    iptables -v -t nat -F

    echo
    echo "# Accept all connection from these addresses"
    echo

    # Whitelisted sources are added first so they match before any later rule.
    for ipaddress in $WHITELIST; do
        iptables -v -A INPUT -t filter -s $ipaddress -j ACCEPT
    done

    echo
    echo "# Accept only these allowed ports"
    echo

    # Publicly reachable TCP services.
    for port in $PORTSALLOWED; do
        iptables -v -A INPUT -t filter -p tcp --dport $port -j ACCEPT
    done

    #echo
    #echo "# Drop all other traffic"
    #echo

    # Drop every other new TCP connection (packets with SYN set). This rule
    # matches TCP only: UDP and ICMP not covered by the rules above fall
    # through to the INPUT chain's default policy, which is ACCEPT on a stock
    # install, since the script never sets the policy itself.
    iptables -v -A INPUT -t filter -p tcp --syn -j DROP
    Marc Perkel
    /root
    http://www.junkemailfilter.com
    [email protected]
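
The whitelist-plus-allowed-ports design in the post above, rewritten as an added example (not Marc's script and not from any project) in a fail-closed form: the INPUT policy is DROP, loopback and established connections are accepted explicitly, DNS is allowed on UDP as well as TCP, and SSH stays reachable only from the whitelist as the post intends. The addresses and port lists are constructed placeholders. By default the script prints the iptables commands instead of running them; set IPTABLES=iptables as root to apply them.

```shell
#!/bin/sh
# Fail-closed variant of a whitelist-plus-allowed-ports VPS firewall.
# Added example; addresses and ports below are constructed placeholders.
#
# Compared with a script that only drops TCP SYN packets at the end, this one:
#  - sets the INPUT policy to DROP, so UDP and ICMP that are not explicitly
#    allowed are dropped as well
#  - accepts loopback and replies to connections this host initiated
#  - leaves SSH (22) reachable only from whitelisted sources
#  - allows DNS over UDP, not just TCP
#
# Dry run by default: every rule is printed rather than applied.
# Run with IPTABLES=iptables (as root) to load the rules for real.

IPTABLES="${IPTABLES:-echo iptables}"

WHITELIST="${WHITELIST:-127.0.0.1 203.0.113.10}"  # constructed; 203.0.113.0/24 is a documentation range
TCP_PORTS="${TCP_PORTS:-25 53 80}"
UDP_PORTS="${UDP_PORTS:-53}"

# Emit (or apply) the complete INPUT rule set, one command per line, so the
# output can be reviewed before IPTABLES is pointed at the real binary.
load_firewall() {
    # Start from an empty INPUT chain and set the policy before adding any
    # ACCEPT rule: anything no rule matches is dropped.
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP

    # Loopback traffic and replies to connections this host opened.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Whitelisted sources may reach every port, including SSH.
    for src in $WHITELIST; do
        $IPTABLES -A INPUT -s "$src" -j ACCEPT
    done

    # Services exposed to everyone.
    for port in $TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    for port in $UDP_PORTS; do
        $IPTABLES -A INPUT -p udp --dport "$port" -j ACCEPT
    done

    # The policy already drops the rest; an explicit final rule keeps a
    # visible packet counter for what was refused in `iptables -L INPUT -v`.
    $IPTABLES -A INPUT -j DROP
}

# Sanity check helper: number of ACCEPT rules for a protocol (tcp or udp)
# in the generated set, computed from a dry run in a subshell.
count_accepts() {
    ( IPTABLES="echo iptables"; load_firewall ) | grep -c -- "-p $1 .*-j ACCEPT"
}

load_firewall
```

Because the policy is DROP, the admin's own session must come from a whitelisted address or be an already established connection before the script runs, exactly the lock-out condition the post warns about; reviewing the dry-run output first is the cheap way to confirm that.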

  2. #2
    Join Date
    Oct 2006
    Location
    New York, NY
    Posts
    1,034
    Quote Originally Posted by mperkel
    Sometimes simple is better. Here's a dirt simple script I wrote myself. Basically you put IP addresses or host names in the whitelist and those IPs are open on all ports. Then you specify the ports you want to expose to the world with PORTSALLOWED. Everything else gets dropped.

    One thing to make sure you do is that the IP address you are using to SSH into your VPS must be whitelisted or you will lock yourself out. You will only be able to SSH in from whitelisted IP addresses. But - your SSH is protected because everyone else can't connect at all.


    #!/bin/sh
    #
    # Firewall Rules = by Marc Perkel - Free under GPL 2
    # http://www.junkemailfilter.com - [email protected]
    # This section provides a front end to pre-filter traffic coming in.

    WHITELIST="localhost bigdog newton pascal euclid darwin"
    PORTSALLOWED="25 53 80"

    # --- Clear the IP Tables

    echo
    echo "-------- Loading IP Tables Firewall --------"
    echo "# Script: /etc/rc.d/rc.firewall"
    echo
    echo "# Clearing IP Tables"
    echo

    iptables -v -F
    iptables -v -t nat -F

    echo
    echo "# Accept all connection from these addresses"
    echo

    for ipaddress in $WHITELIST; do
    iptables -v -A INPUT -t filter -s $ipaddress -j ACCEPT
    done

    echo
    echo "# Accept only these allowed ports"
    echo

    for port in $PORTSALLOWED; do
    iptables -v -A INPUT -t filter -p tcp --dport $port -j ACCEPT
    done

    #echo
    #echo "# Drop all other traffic"
    #echo

    iptables -v -A INPUT -t filter -p tcp --syn -j DROP
    Cool script, Marc, thanks. I think it will definitely help those out that just have a basic VPS with no control panel.

    On the other hand though, did you know, in Plesk, when you configure the firewall (Plesk->Modules->Firewall), it actually generates said script above, with your exact settings based on the GUI config?

    -Sean

  3. #3
    Join Date
    Jun 2001
    Location
    Gilroy CA.
    Posts
    466
    Yeah - but I got the FC5 so the Plesk doesn't work. I might like to see that at some point if you get an FC5 version working.
    Marc Perkel
    /root
    http://www.junkemailfilter.com
    [email protected]

  4. #4
    Join Date
    Oct 2006
    Location
    New York, NY
    Posts
    1,034
    Quote Originally Posted by mperkel
    Yeah - but I got the FC5 so the Plesk doesn't work. I might like to see that at some point if you get an FC5 version working.
    Actually we don't have Plesk on FC5 because since we use x64 machines, there is no Plesk version for FC5 x64, only for FC4 x64.

    However, I believe Plesk v8.1 just came out today. I have to see if they finally have a Plesk for FC5 x64.

    -Sean
