Example webserver nfs keyserver iptable ruleset

From Research
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
#! /bin/sh
# /etc/iptables.bak

# Let's save typing & confusion with variables
IPTABLES=/sbin/iptables

# Flush active rules and custom tables
$IPTABLES --flush
$IPTABLES --delete-chain

# set the defaults so that by-default incoming packets are dropped, unless explicitly allowed;
# for a desktop workstation, we'll let lots of (unpredictable) outgoing packets go freely.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# INBOUND POLICY
# ==============
# of course, accepting loopback is a good idea
$IPTABLES -A INPUT -i lo -j ACCEPT 

# we will permit ping, but rate-limit type 8 to prevent DoS-attack
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

#   (Applies to packets entering our network interface from the network, 
#   and addressed to this host.)

$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP 
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 

# ftp incoming
#$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT

# ssh incoming, including non-standard port (if needed)
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT 
#$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 222 -j ACCEPT

# this machine is a mail-server, aggregating logs + hosting mailing-lists
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT

# web serving, let's allow it!  Both http and https ports
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT

# portmapper, in support of NFS-client
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 111 -j ACCEPT
$IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW --dport 111 -j ACCEPT

# nagios (5666); monitor time (123), allow snmp (161)
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 5666 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 161 -j ACCEPT

# amanda tape-backups; we reach out and tape things from this machine
$IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 10080 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 10082 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 10083 -j ACCEPT

# flexlm (lmgrd) license-server listens here (set in license.dat file)
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 7111 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 7112 -j ACCEPT

# Sassafrass keyserver listens here on both udp and tcp
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 19283 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 19283 -j ACCEPT


# OUTBOUND POLICY
# ===============
# of course, accepting loopback is a good idea
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#   (Applies to packets sent to the network interface from local processes)

$IPTABLES -A OUTPUT -j ACCEPT

Invoke and make these rules effective: 

hostname ~ # sh /etc/iptables.bak

Resulting active rules: 

hostname ~ # iptables -L

REMEMBER! If you like the ruleset, and want it to be in-effect the next time you start iptables (ie after a reboot), then you must: 

hostname ~ # rc-update add iptables default
* iptables added to runlevel default

hostname ~ # /etc/init.d/iptables save
* Saving iptables state ...
Retrieved from "https://research.wiki.iat.sfu.ca/research/index.php?title=Example_webserver_nfs_keyserver_iptable_ruleset&oldid=5493"