Wednesday, May 22, 2013

How to protect your web site with iptables on CentOS / RHEL / OEL


# First, flush all rules and delete any user-defined chains.
# Run the whole block as one script (or from the console): between the
# DROP policy below and the ACCEPT rules, an SSH session would be cut off.
iptables -F
iptables -X

# Default policy: drop everything that no rule explicitly accepts.
# OUTPUT DROP also blocks connections the server itself opens (DNS, yum),
# which is why those need their own rules further down.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Only allow ssh and web. These rules are stateless: replies are matched by
# source port (--sport) instead of by connection tracking, so any packet that
# leaves from port 22 or 80 is accepted, whether or not it belongs to a
# connection that was accepted on INPUT.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT

# Allow lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Save the rules to /etc/sysconfig/iptables so they survive a reboot, then
# restart the service and check that it works (iptables -L -n -v lists the
# active rules with packet counters).
service iptables save
service iptables restart


Safer if you have a static IP: accept SSH only from that address. The lines below are in the format of /etc/sysconfig/iptables (what "service iptables save" writes), so they can be pasted into that file and loaded with "service iptables restart":


-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s [My Static IP]/32 -d [Server IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s [Server IP]/32 -d [My Static IP]/32 -p tcp -m tcp --sport 22 -j ACCEPT


Safer if this server only talks to one other server. Note the direction of the rules as written: they let this host open connections to port 80 on [Another Server] and accept the replies coming back from that port; they do not limit who may reach this host's own port 80. To accept web requests only from [Another Server], the INPUT rule has to match -s [Another Server]/32 together with --dport 80, and the OUTPUT rule -d [Another Server]/32 together with --sport 80, the same way the static-IP rules above restrict SSH:


-A INPUT -s [Another Server]/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d [Another Server]/32 -p tcp -m tcp --dport 80 -j ACCEPT


If you want to allow ssh from another subnet. The first rule accepts new SSH connections from that subnet; the replies are covered by the --sport 22 OUTPUT rule of the base script. The second rule is not for replies: it lets this host open SSH connections to that subnet, and with the base rules alone it does not work, because --state NEW matches only the first packet. The rest of the outbound connection and all inbound replies (source port 22, destination an ephemeral port) hit the DROP policies unless both chains also accept the ESTABLISHED,RELATED state.


-A INPUT -s 192.168.244.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.244.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT


Enable DNS. The INPUT rule is stateless: it accepts any UDP packet whose source port is 53, to any port on this host, not only answers to queries this host sent. Matching -m state --state ESTABLISHED on INPUT instead limits it to answers. DNS over TCP (large answers, zone transfers) is not covered by these rules.

iptables -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT


Enable yum (HTTP and HTTPS to the mirrors; it also needs the DNS rules). As written this rule only matches the first packet of each connection (--state NEW). With the OUTPUT DROP policy and no ESTABLISHED,RELATED rule, the rest of the connection is dropped on OUTPUT and the mirror's replies are dropped on INPUT, so on its own this rule does not get yum working. Both chains need an accept for -m state --state ESTABLISHED,RELATED.

iptables -A OUTPUT -m tcp -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
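The pieces above, put together as one stateful ruleset. This is an added example, not the original post's script: it keeps the three DROP policies, but accepts ESTABLISHED,RELATED traffic in both chains so that replies to accepted connections (inbound web and SSH, outbound DNS and yum) get through without matching on source ports; it restricts SSH to one admin address plus the 192.168.244.0/24 subnet from the post; and it ends with a lint check for the mistake the per-section rules make. The admin address 203.0.113.10 (a documentation address) and the interface name eth0 are assumptions, overridable through environment variables. The script only prints the ruleset in /etc/sysconfig/iptables format; nothing is applied until you load its output.

```shell
#!/bin/sh
# Added example (not the original post's script): print a stateful iptables
# ruleset for a CentOS/RHEL web server in /etc/sysconfig/iptables format.
# Assumptions: admin address 203.0.113.10 (documentation range), the
# management subnet from the post, and eth0 as the public interface.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
MGMT_NET="${MGMT_NET:-192.168.244.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset to stdout. Nothing is applied here.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, then replies to connections a rule below already accepted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# web: anyone may open a connection to port 80
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
# ssh: only the admin host and the management subnet may open a connection
-A INPUT -s ${ADMIN_IP}/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s ${MGMT_NET} -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# outbound from this host: DNS (UDP and TCP) and yum over http/https
-A OUTPUT -o ${WAN_IF} -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# log (rate limited) what is about to hit the INPUT DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# Lint: a chain with a DROP policy must accept ESTABLISHED,RELATED, or replies
# to accepted connections are dropped. Takes the ruleset text; returns 0 if OK.
check_stateful() {
    rules="$1"
    for chain in INPUT OUTPUT; do
        if printf '%s\n' "$rules" | grep -q "^:${chain} DROP"; then
            printf '%s\n' "$rules" \
              | grep -q "^-A ${chain} .*--state ESTABLISHED,RELATED -j ACCEPT" \
              || return 1
        fi
    done
    return 0
}

# Count the INPUT rules that accept new connections to a given port.
# Prints the count (0 when there are none) and always succeeds.
count_open_port() {
    printf '%s\n' "$1" | grep -c "^-A INPUT .*--dport $2 .*-j ACCEPT" || true
}

# Usage: sh rules.sh print > /etc/sysconfig/iptables ; service iptables restart
if [ "${1:-}" = "print" ]; then
    build_rules
fi
```

Load it for a test with "iptables-restore" from a console session rather than over SSH (a bad rule locks you out), confirm with "iptables -L -n -v", then copy the output to /etc/sysconfig/iptables or run "service iptables save". The check_stateful function flags a ruleset whose DROP-policy chain has no ESTABLISHED,RELATED accept, which is exactly why the yum and outbound-SSH rules in the sections above fail on their own.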

7 comments:

  1. I discovered your blog site on Google and tested a number of your early posts. Continue to keep up the superb work. I simply added your RSS feed to my MSN News Reader. Looking forward to reading more from you later on!…

  2. I'm impressed, I must say. Actually, hardly ever do I encounter a weblog that is both educative and entertaining, and let me tell you, you've hit the nail on the head. Your concept is excellent; the issue is something that not enough people are speaking intelligently about. I am very satisfied that I stumbled across this in my search for something referring to this.

  3. Aw, this was a very nice post.

  4. I couldn't refrain from commenting. Exceptionally well written!

  5. You are in point of fact a good webmaster. The website loading speed is amazing. It kind of feels that you are doing some unique trick. Furthermore, the contents are masterwork. You have performed a fantastic activity in this matter!

  6. Excellent post, but I was wanting to know if you could write a little more on this topic? I'd be very thankful if you could elaborate a little bit further. Kudos!

  7. You need to be a part of a contest for one of the finest websites online. I am going to highly recommend this website!