iptablesrocks.org - an iptables guide & tutorial
The iptablesrocks.org iptables firewall setup guide

An overview:

The iptablesrocks.org iptables firewall is geared for a typical webserver running the following services:

SSH
HTTP and HTTPS
FTP
DNS
SMTP
POP3
IMAP and IMAPS
MySQL

Note: When I say "web server" I am referring to a "production" web server hosted in a typical "production" environment. I am not talking about a web server running on your home ADSL or cable connection, or a server contained within a local intranet. I am talking about a fully public web server with a publicly accessible IP address; in other words, a web server that is being hosted in a real data center somewhere. If you are trying this out on a home network, you may or may not get the desired results.

When running a typical production web server, you need a firewall that is secure and offers protection, but you also need one that allows all needed traffic to enter and leave the server so that your server's day-to-day operations can carry on unimpeded. This particular iptables configuration does the following:

1. Uses the "mangle" table to effectively block and/or confuse most port scans. These rules match on TCP flag combinations: the FIN,SYN,RST,PSH,ACK,URG mask checked against FIN,PSH,URG, plus the FIN, PSH and URG flags.

2. Establishes a secure foundation by initially blocking all incoming, outgoing and forwarded packets COMPLETELY.

3. With all incoming packets dropped by default, it then grants incoming access to a select number of ports. These ports are ports that a typical web server might allow.

Open inbound ports include: 20 & 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop), 143 (imap), 443 (https), 993 (imaps)

4. With all outbound packets dropped by default, it then grants outbound access to a select number of ports. These ports are ports that a typical web server might allow.

Open outbound ports include: 20 & 21 (ftp), 22 (ssh), 25 (smtp), 43 (whois), 53 (dns), 80 (http), 110 (pop), 143 (imap), 443 (https), 993 (imaps)

5. All requests to prohibited ports are logged to a custom log file. Additional logging is also possible.

6. An installation of "Iptables Log Analyzer", which provides a web-based tool to monitor the firewall logs.
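Steps 1 through 5 above describe one ruleset. The script below is an added example, not the iptablesrocks.org script itself: it writes that ruleset to stdout in iptables-restore format so it can be reviewed before being loaded, and it can be applied as root with `sh build-ruleset.sh | iptables-restore`. It assumes several things the overview does not state: loopback traffic is allowed, replies to established connections are accepted via conntrack, DNS is opened on UDP as well as TCP, the extra flag-combination rules beyond the FIN,SYN,RST,PSH,ACK,URG / FIN,PSH,URG one are the usual NULL, SYN+RST and SYN+FIN signatures, and dropped packets are rate-limited before logging. The log prefix is a constructed value; sending those lines to a separate file is a syslog configuration step that is not shown here.

```shell
#!/bin/sh
# Added example (not the site's own script): emits the firewall outlined above
# as an iptables-restore ruleset on stdout, so it can be reviewed before use.
# Apply (as root) with:  sh build-ruleset.sh | iptables-restore

IN_TCP="20 21 22 25 53 80 110 143 443 993"        # inbound ports from the overview
OUT_TCP="20 21 22 25 43 53 80 110 143 443 993"    # outbound ports from the overview
LOG_PREFIX="iptablesrocks-drop: "                 # constructed prefix; route to a file via syslog

# Step 1: mangle rules that drop TCP flag combinations no normal stack sends.
# Only the first rule is taken from the overview; the rest are assumed.
mangle_rules() {
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
-A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
-A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Steps 2-5: default-DROP policies (step 2), the listed inbound (3) and
# outbound (4) ports, and logging of whatever reaches the end of a chain (5).
filter_rules() {
  printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
  echo '-A INPUT -i lo -j ACCEPT'                                   # assumption: loopback
  echo '-A OUTPUT -o lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'   # assumption: replies
  echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for p in $IN_TCP; do
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo '-A INPUT -p udp --dport 53 -j ACCEPT'                       # assumption: DNS over UDP
  for p in $OUT_TCP; do
    echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
  # Anything still unmatched is logged (rate-limited) and then hits the DROP policy.
  for chain in INPUT OUTPUT FORWARD; do
    echo "-A $chain -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$LOG_PREFIX\" --log-level 4"
  done
  echo 'COMMIT'
}

gen_ruleset() { mangle_rules; filter_rules; }

# Count the ACCEPT rules in a chain; useful for eyeballing the ruleset before loading it.
accept_count() { gen_ruleset | grep -c "^-A $1 .* -j ACCEPT\$"; }

gen_ruleset
```

One caveat worth keeping in mind when reading step 1: the flag-matching rules only catch scans that send malformed flag combinations (XMAS, NULL and similar). A plain SYN scan to an open port looks exactly like a normal connection attempt, so the default-DROP policy and the logging of everything unmatched are what actually limit what such a scan learns.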

Site last modified: October 25, 2005 09:20:01
The Rocks Project