-
10-30-2002, 01:36 PM #1 Newbie
Basic iptables rules for your server
Hi,
I'm trying to set up iptables as a firewall for my web hosting server, but I'm not sure what to put in the rules.
I'm asking if anybody would share the basic (web hosting) rules that you have for your server so I can follow them to get started.
Thanks for your help.
-
10-30-2002, 03:08 PM #2 Web Hosting Master
Well, I don't have specific rules. But the general rule is: deny everything, then open up the ports/IPs only for the services you need.
Don't forget to grant yourself SSH access first, or else you would have locked yourself out of the server.
Peter
-
10-30-2002, 04:46 PM #3 Junior Guru Wannabe
Re: Basic iptables rules for your server
Originally posted by wizital
Hi,
I'm trying to set up iptables as a firewall for my web hosting server, but I'm not sure what to put in the rules.
I'm asking if anybody would share the basic (web hosting) rules that you have for your server so I can follow them to get started.
Thanks for your help.
http://www.geocities.com/steve93138/
-
10-30-2002, 07:44 PM #4 New Member
Use a pre-built tool for iptables
Just a suggestion. There are too many rules and hacks to build an IPTABLES firewall by yourself; use the open-source community to your advantage.
One I use a lot is the gShield firewall (search on Google to find it). It is really easy to set up and helps you back into the IPTABLES config.
Lots of developers building firewall = very safe rules
Hope this helps
-
10-31-2002, 10:26 AM #5 Newbie
Thanks a lot guys.
steve93138: I have whm/cpanel so I guess I need to open other ports.
gngit: I'll play with gShield and see how it'd go.
Thanks again..
-
10-31-2002, 06:22 PM #6 Newbie
Re: Re: Basic iptables rules for your server
Originally posted by steve93138
I created an iptables script and placed it in the public domain. Check it out here:
http://www.geocities.com/steve93138/
Under your subnet_broadcast, should/can I enter two entries?
Thanks.
-
11-01-2002, 02:09 AM #7 Web Hosting Guru
What are your subnet masks?
-
11-02-2002, 12:10 PM #8 Newbie
It's 255.255.255.0
Thanks.
-
11-03-2002, 12:56 AM #9 Junior Guru Wannabe
Originally posted by wizital
It's 255.255.255.0
Originally posted by wizital
Let's say I have 64.190.31.x and 64.190.32.x.
Under your subnet_broadcast, should/can I enter two entries?
The reason I ask is that if your subnet mask is 255.255.255.0, then you can't have two IPs such as 64.190.31.x and 64.190.32.x on the same subnet. Therefore, if your subnet mask is 255.255.255.0, your subnet broadcast address is most likely xxx.xxx.xxx.255.
To answer your question, though: the script is not set up for more than one entry in this variable because it's not needed.
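Steve's reasoning above, as an added shell example that is not part of the KISS script: with a 255.255.255.0 mask the broadcast address is the network address with the last octet set to 255, and two addresses that differ in the third octet fall in different subnets. The functions accept any mask, so they also show the wider mask under which the two ranges would merge into one.

```shell
# Subnet arithmetic in plain POSIX sh (added example, not part of the KISS
# script). Works for any mask, not only 255.255.255.0.
ip2int() {  # dotted quad -> 32-bit integer
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
network() {    # network <ip> <mask>: host bits cleared
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}
broadcast() {  # broadcast <ip> <mask>: host bits all set
    int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 4294967295) ))
}
same_subnet() {  # same_subnet <ip1> <ip2> <mask>; true when one entry suffices
    [ "$(network "$1" "$3")" = "$(network "$2" "$3")" ]
}

# The case from the thread: 64.190.31.x and 64.190.32.x under a /24 mask are
# two subnets, so the script needs a broadcast entry for each.
for ip in 64.190.31.5 64.190.32.5; do
    echo "$ip/255.255.255.0 -> net $(network "$ip" 255.255.255.0) bcast $(broadcast "$ip" 255.255.255.0)"
done
if same_subnet 64.190.31.5 64.190.32.5 255.255.255.0; then
    echo "same subnet: one broadcast entry is enough"
else
    echo "different subnets: two broadcast entries needed"
fi
```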
-
11-03-2002, 02:15 PM #10 Web Hosting Master
Well, I got the same here...
My main IP is: xxx.xxx.251.xxx
and all my others are xxx.xxx.236.xxx
so one bcast is: xxx.xxx.251.255
and the other is: xxx.xxx.236.255
What do I have to change in the script to get that running?
(Don't wanna try and lock myself out.)
Thanks!
greets,
In just two days, tomorrow will be yesterday.
-
11-04-2002, 03:47 PM #11 Junior Guru Wannabe
Howdy folks,
Because of your input, I just updated "KISS My Firewall" to version 1.2. It includes support for multiple subnet base and broadcast addresses:
http://www.geocities.com/steve93138/
-
11-04-2002, 06:03 PM #12 Newbie
How do you allow ping on one/multiple IPs?
Thanks a lot.
You rock, steve93138!!!
Last edited by wizital; 11-04-2002 at 06:59 PM.
-
11-16-2002, 11:05 PM #13 WHT Addict
Great script steve .
Is it possible to permanently allow several remote IPs to connect to the server via tcp/udp ports in your script so that they will never be dropped? Thanks.
spam --> /dev/null
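Putting Peter's advice (deny everything, let your own SSH in first) together with the two questions above (ping only from listed addresses, and hosts that are never dropped) gives a ruleset like the following. It is an added example, not the KISS My Firewall script; the addresses and port lists are placeholders to be replaced, and the default `preview` mode prints the rules instead of running them so they can be read before anything is locked down.

```shell
#!/bin/sh
# Default-deny INPUT ruleset for a web host (constructed example, not the
# KISS My Firewall script). Every address below is a placeholder.
IPT="${IPT:-iptables}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"            # where you SSH in from
TRUSTED_HOSTS="${TRUSTED_HOSTS:-198.51.100.7}"  # allowed on every port, never dropped
PING_FROM="${PING_FROM:-203.0.113.10 198.51.100.7}"  # may ping this host
WEB_PORTS="${WEB_PORTS:-80 443}"  # add 2082 2083 2086 2087 for cPanel/WHM

apply_rules() {
    $IPT -F INPUT
    # Order matters: admit the admin SSH session before anything restrictive,
    # so a typo further down cannot lock you out.
    $IPT -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Return traffic for connections this host opened or already accepted,
    # so outbound updates keep working once the policy is DROP.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for h in $TRUSTED_HOSTS; do        # any protocol, any port
        $IPT -A INPUT -s "$h" -j ACCEPT
    done
    for h in $PING_FROM; do            # echo-request only from listed sources
        $IPT -A INPUT -p icmp --icmp-type echo-request -s "$h" -j ACCEPT
    done
    for p in $WEB_PORTS; do            # public services
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Deny everything else. Set the policy last: with DROP as the catch-all,
    # an accidental flush fails closed rather than open.
    $IPT -P INPUT DROP
}
preview_rules() { ( IPT=echo; apply_rules ); }  # print the commands, don't run them

case "${1:-preview}" in
    apply) apply_rules ;;    # ./fw.sh apply   (as root)
    *)     preview_rules ;;  # ./fw.sh         (prints what apply would do)
esac
```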
-
11-17-2002, 07:48 PM #14 Web Hosting Guru
I just tried running the script, but I got the following errors:
root@host [/kiss]# ./kiss.sh
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
./kiss.sh: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
I couldn't find tcp_syncookies on my Linux RH 7.3 server.
And what to do about the nat error?
-
11-17-2002, 08:51 PM #15 Web Hosting Master
insmod iptables.o should fix the problem
-
11-17-2002, 09:10 PM #16 Web Hosting Guru
Originally posted by JonL
insmod iptables.o should fix the problem
insmod: iptables.o: No such file or directory
Also, what is the purpose of tcp_syncookies?
The firewall seems to work fine anyway, though.
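The two errors in barleduc's run have separate causes. The nat table is provided by its own kernel module (iptable_nat on 2.4 kernels), so it has to be loadable before any `-t nat` rule can work; and /proc/sys/net/ipv4/tcp_syncookies exists only when the kernel was built with SYN cookie support (setting it to 1 enables SYN cookies, which let the kernel keep accepting connections while a SYN flood fills the listen backlog). The following is an added example, not the KISS script's own code, that checks both conditions instead of failing on them:

```shell
#!/bin/sh
# Guarded versions of the two steps that failed above (added example, not the
# KISS script's own code). Kernel tunables are written only when the running
# kernel exposes them, and nat rules run only if the nat table can be opened.
IPT="${IPT:-iptables}"

# set_sysctl <proc path> <value>: skip, rather than abort, on kernels that
# lack the tunable (tcp_syncookies requires CONFIG_SYN_COOKIES in the kernel).
set_sysctl() {
    if [ -w "$1" ]; then
        echo "$2" > "$1"
    else
        echo "skip: $1 not provided by this kernel" >&2
        return 1
    fi
}

# have_nat_table: the nat table lives in its own module (iptable_nat on 2.4
# kernels), so try to load it on demand before giving up.
have_nat_table() {
    $IPT -t nat -L -n >/dev/null 2>&1 && return 0
    modprobe iptable_nat >/dev/null 2>&1 && $IPT -t nat -L -n >/dev/null 2>&1
}

harden() {
    # SYN cookies keep the listen queue usable under a SYN flood; the second
    # tunable stops the host answering broadcast pings (smurf amplification).
    set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1 || true
    set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1 || true
    if have_nat_table; then
        $IPT -t nat -F          # nat rules would follow here
    else
        echo "nat table unavailable; skipping nat rules" >&2
    fi
}

# Writes to /proc and iptables need root: run as "./guard.sh apply".
if [ "${1:-}" = "apply" ]; then harden; fi
```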
-
11-18-2002, 08:54 AM #17 Web Hosting Guru
I've tried it on a CPanel server (added the additional CPanel ports in the script).
But when I log on to WHM and try to update WHM themes, for example, it fails because of an rsync IO error:
Updating Xskin.... rsync: failed to connect to rsync.cpanel.net: Connection timed out rsync error: error in socket IO (code 10) at clientserver.c(89) Done
Last edited by barleduc; 11-21-2002 at 07:58 AM.