  1. #1

    Question Basic iptables rules for your server

    Hi,

    I'm trying to set up iptables as a firewall for my web hosting server but I'm not sure what to put in the rules.

    I'm asking if anybody would share the basic (web hosting) rules that you have for your server so I can follow to get started.

    Thanks for your help.

  2. #2
    Well, I don't have specific rules. But the general rule is: deny everything, then open up the ports/IPs for only the services you need.

    Don't forget to grant yourself SSH access first, or else you will lock yourself out of the server.

    Peter

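Peter's two rules above (deny everything, and let yourself in over SSH before the deny takes effect) worked into a script, as an added example; this is not code from the thread or from any script posted in it. The ordering is the point: loopback, established-connection and SSH rules go in while the INPUT policy is still ACCEPT, and the policy flips to DROP only as the last step, so a script that dies half-way cannot lock out the session running it. The admin networks (203.0.113.5/32, 198.51.100.0/24) and public ports (80, 443) are placeholders; `-m state` is the connection-tracking match of the iptables 1.2.x era this thread is about and is still accepted by current iptables. The per-source ping rule and the per-network SSH rule are the patterns asked about later in the thread (posts #12 and #13).

```shell
#!/bin/sh
# Default-deny INPUT ruleset for a web host (added example, not the thread's code).
IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}

# run: with DRY_RUN=1 print the iptables command instead of executing it,
# so a ruleset can be reviewed before it is applied to a live host.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

# firewall_rules "ADMIN_NETS" "PUBLIC_TCP_PORTS" "PING_SOURCES"
#   ADMIN_NETS        space-separated CIDRs allowed to open new SSH connections
#   PUBLIC_TCP_PORTS  space-separated TCP ports open to everyone (80 443 ...)
#   PING_SOURCES      space-separated addresses allowed to ping the host
firewall_rules() {
  admin_nets=$1; public_ports=$2; ping_sources=$3

  # Start permissive: policy ACCEPT, then flush, so an interrupted run
  # leaves the host reachable rather than sealed.
  run -P INPUT ACCEPT
  run -F INPUT
  run -X

  run -A INPUT -i lo -j ACCEPT
  # Packets of connections already accepted, and replies to connections
  # this host initiated (DNS answers, rsync/HTTP fetches, ...).
  run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run -A INPUT -m state --state INVALID -j DROP

  # Management access goes in BEFORE anything public and before the DROP policy.
  for net in $admin_nets; do
    run -A INPUT -p tcp -s "$net" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
  done

  # Services the host actually offers to the world.
  for port in $public_ports; do
    run -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done

  # ICMP echo only from named sources, rate-limited.
  for src in $ping_sources; do
    run -A INPUT -p icmp --icmp-type echo-request -s "$src" -m limit --limit 5/s -j ACCEPT
  done

  # Log what is about to be dropped, rate-limited so a flood cannot fill the disk.
  run -A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-drop: "

  # Only now deny everything else. OUTPUT stays open: this host's own
  # outbound connections are not what the ruleset is defending against.
  run -P INPUT DROP
  run -P FORWARD DROP
  run -P OUTPUT ACCEPT
}

# Apply only when explicitly asked; sourcing the file just defines the functions.
if [ "${FW_APPLY:-0}" = 1 ]; then
  firewall_rules "${ADMIN_NETS:-203.0.113.5/32}" "${PUBLIC_TCP_PORTS:-80 443}" "${PING_SOURCES:-203.0.113.5}"
fi
```

Review it first with `DRY_RUN=1 FW_APPLY=1 sh fw.sh`, and when applying for real over SSH, start a fallback such as `(sleep 300; iptables -P INPUT ACCEPT) &` beforehand and kill it once you have confirmed a fresh SSH login still works. OUTPUT is left at ACCEPT here; if you restrict it as well, every outbound service the host itself needs (DNS, HTTP for updates, the rsync.cpanel.net fetch mentioned in post #17) needs its own OUTPUT rule, and a connection timeout is exactly the symptom of forgetting one.
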
  3. #3

    Re: Basic iptables rules for your server

    Originally posted by wizital
    Hi,

    I'm trying to set up iptables as a firewall for my web hosting server but I'm not sure what to put in the rules.

    I'm asking if anybody would share the basic (web hosting) rules that you have for your server so I can follow to get started.

    Thanks for your help.
    I created an iptables script and placed it in the public domain. Check it out here:

    http://www.geocities.com/steve93138/

  4. #4

    * Use a pre-built tool for iptables

    Just a suggestion: there are too many rules and hacks involved in building an iptables firewall by yourself; use the open-source community to your advantage.

    One I use a lot is the gShield firewall (search on Google to find it). It is really easy to set up and helps you get into the iptables config.

    Lots of developers building the firewall = very safe rules.

    Hope this helps

  5. #5
    Thanks a lot guys.

    steve93138: I have whm/cpanel so I guess I need to open other ports.

    gngit: I'll play with gShield and see how it'd go.

    Thanks again.

  6. #6

    Re: Re: Basic iptables rules for your server

    Originally posted by steve93138
    I created an iptables script and placed it in the public domain. Check it out here:

    http://www.geocities.com/steve93138/
    Let's say I have 64.190.31.x and 64.190.32.x.
    Under your subnet_broadcast, should/can I enter two entries?

    Thanks.

  7. #7
    What are your subnet masks?

  8. #8
    It's 255.255.255.0

    Thanks.

  9. #9
    Originally posted by wizital
    It's 255.255.255.0
    Originally posted by wizital
    Let's say I have 64.190.31.x and 64.190.32.x.
    Under your subnet_broadcast, should/can I enter two entries?
    Is this a theoretical question?

    The reason I ask is because if your subnet mask is 255.255.255.0 then you can't have two IPs such as 64.190.31.x and 64.190.32.x on the same subnet. Therefore, if your subnet mask is 255.255.255.0 then your subnet broadcast address is most likely xxx.xxx.xxx.255.

    To answer your question though, the script is not setup for more than one entry in this variable because it's not needed.

  10. #10
    Well, I've got the same here...
    My main IP is: xxx.xxx.251.xxx
    and all my others are: xxx.xxx.236.xxx
    so one bcast is: xxx.xxx.251.255
    and the other is: xxx.xxx.236.255
    What do I have to change in the script to get that running?
    (Don't wanna try and lock myself out.)

    thanks!

    greets,
    In just two days, tomorrow will be yesterday.

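The subnet arithmetic behind posts #9 and #10, as an added example (not from the KISS script or any other post here): with a 255.255.255.0 mask every host bit set gives the xxx.xxx.xxx.255 broadcast address, and a host on two /24s simply has two of them, so a script variable that holds one broadcast address becomes a loop over address/mask pairs. The last function prints one DROP rule per subnet for packets addressed to the broadcast address; that this is what the KISS script does with its subnet_broadcast variable is an assumption, the point is the computation and the loop. Addresses in the comments are the ones from the thread.

```shell
#!/bin/sh
# Network/broadcast arithmetic for firewall scripts (added example).

# ip2int DOTTED_QUAD -> unsigned 32-bit value
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip VALUE -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP MASK      e.g. 64.190.31.10 255.255.255.0 -> 64.190.31.0
network_of() {
  int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast_of IP MASK    e.g. 64.190.31.10 255.255.255.0 -> 64.190.31.255
# The host bits are the complement of the mask, truncated to 32 bits
# (4294967295 = 0xFFFFFFFF; shell arithmetic is wider than 32 bits).
broadcast_of() {
  int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 4294967295) ))
}

# broadcast_drop_rules IP/MASK [IP/MASK ...]
# One rule per subnet the host sits on, printed rather than executed so the
# result can be reviewed. Two /24s (post #10) give two rules.
broadcast_drop_rules() {
  for net in "$@"; do
    ip=${net%/*}
    mask=${net#*/}
    printf 'iptables -A INPUT -d %s -j DROP\n' "$(broadcast_of "$ip" "$mask")"
  done
}
```

Called as `broadcast_drop_rules 64.190.31.10/255.255.255.0 64.190.32.7/255.255.255.0` it prints rules for 64.190.31.255 and 64.190.32.255; the same functions give the right answer for masks other than /24, which a hard-coded `.255` does not.
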
  11. #11
    Howdy folks,

    Because of your input, I just updated "KISS My Firewall" to version 1.2. It includes support for multiple subnet base and broadcast addresses:

    http://www.geocities.com/steve93138/

  12. #12
    How do you allow ping on one/multiple IPs?

    Thanks a lot.
    You rock, steve93138!!!
    Last edited by wizital; 11-04-2002 at 06:59 PM.

  13. #13
    Great script steve .

    Is it possible to permanently allow several remote IPs to connect to the server via TCP/UDP ports in your script so that they will never be dropped? Thanks.
    spam --> /dev/null

  14. #14
    I just tried running the script but I got the following errors:

    root@host [/kiss]# ./kiss.sh
    iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.2.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    ./kiss.sh: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory

    I couldn't find tcp_syncookies on my Linux RH 7.3 server.

    And what to do about the nat error?

  15. #15
    insmod iptables.o should fix the problem

  16. #16
    Originally posted by JonL
    insmod iptables.o should fix the problem
    I tried it, but I get:

    insmod: iptables.o: No such file or directory

    Also what is the purpose of tcp_syncookies ?

    The firewall seems to work fine anyway, though.

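The two errors in post #14 are both "optional feature not present" failures, and a script that aborts on them part-way through a ruleset is a lockout risk. The nat table is registered by the iptable_nat kernel module (iptable_nat.o on a 2.4 kernel, loaded with `modprobe iptable_nat`; there is no module called iptables.o, which is why the insmod in post #15 fails), and /proc/sys/net/ipv4/tcp_syncookies only exists when the kernel was built with SYN cookies (CONFIG_SYN_COOKIES), a defence that lets the kernel answer a SYN flood without keeping a half-open connection per SYN. The added example below (not from the thread or the KISS script) shows the checks a script should make before touching either; the optional NAMES_FILE and PROC_DIR arguments exist only so the checks can be exercised against constructed files.

```shell
#!/bin/sh
# Preflight checks for an iptables script (added example). Each function
# returns 0 on success and non-zero otherwise, so the caller can skip an
# optional step instead of dying in the middle of a ruleset.

# table_available TABLE [NAMES_FILE]
# /proc/net/ip_tables_names lists the iptables tables the running kernel has
# registered (filter, nat, mangle, ...). "can't initialize iptables table
# `nat'" means nat is not in that list; "modprobe iptable_nat" adds it.
table_available() {
  names_file=${2:-/proc/net/ip_tables_names}
  if [ -r "$names_file" ] && grep -qx -- "$1" "$names_file"; then
    return 0
  fi
  return 1
}

# sysctl_set_if_present NAME VALUE [PROC_DIR]
# Writes VALUE to PROC_DIR/NAME (default /proc/sys/net/ipv4) only if the entry
# exists and is writable. tcp_syncookies is absent on kernels built without
# CONFIG_SYN_COOKIES, so the write must be optional rather than fatal.
sysctl_set_if_present() {
  f=${3:-/proc/sys/net/ipv4}/$1
  if [ -w "$f" ]; then
    printf '%s\n' "$2" > "$f"
    return 0
  fi
  echo "skipping $1: $f not present or not writable" >&2
  return 1
}

# apply_optional [NAMES_FILE] [PROC_DIR]
# Runs both checks, turns on SYN cookies where possible, and reports which
# optional parts of a ruleset (nat rules, syncookies) can be used.
# Returns 0 only if both are available.
apply_optional() {
  ok=0
  if table_available nat "$1"; then
    echo "nat=yes"
  else
    echo "nat=no (skip -t nat rules or modprobe iptable_nat first)"; ok=1
  fi
  if sysctl_set_if_present tcp_syncookies 1 "$2" 2>/dev/null; then
    echo "syncookies=yes"
  else
    echo "syncookies=no (kernel built without CONFIG_SYN_COOKIES)"; ok=1
  fi
  return $ok
}
```

In a real script, wrap every `iptables -t nat ...` line in `if table_available nat; then ...; fi` and replace a bare `echo 1 > /proc/sys/net/ipv4/tcp_syncookies` with `sysctl_set_if_present tcp_syncookies 1`; the filter-table rules then apply cleanly on a kernel that lacks either feature, which is what post #16 observed ("works fine anyway").
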
  17. #17
    I've tried it on a CPanel server (added the additional CPanel ports in the script)

    But when I log on to WHM and try to update WHM themes, for example, it fails because of an rsync I/O error.

    Updating Xskin....
    rsync: failed to connect to rsync.cpanel.net: Connection timed out
    rsync error: error in socket IO (code 10) at clientserver.c(89)
    Done
    Last edited by barleduc; 11-21-2002 at 07:58 AM.
