
Configuring iptables Firewall on Linux Server

Written By 1 on Wednesday, April 27, 2011 | 10:18 PM



Configuring Firewall on Linux Server

By default a Linux machine comes with the Red Hat stock firewall rules. In order to secure your Linux server you have to block all unnecessary ports, and you also need to allow access to specific services on specific IPs only.

For example, you have several IPs on a server and several services running on the same server. You want some services to accept connections on particular IPs only. You can achieve this with the iptables firewall.

Following are a few examples of this.

Here, 192.168.1.1 is your server's main IP and 192.168.1.2 is the additional IP on the same server.

# To allow SSH to accept connections on the 192.168.1.1 IP only.

iptables -A INPUT -p tcp -d 192.168.1.1 --dport 22 -j ACCEPT

# To allow SSH to accept connections on the 192.168.1.1 IP from the 192.168.1.254 IP (your remote machine IP) only.

iptables -A INPUT -p tcp -d 192.168.1.1 -s 192.168.1.254 --dport 22 -j ACCEPT

# To accept TCP connections to all other services (except SSH) on 192.168.1.2

iptables -A INPUT -p tcp -d 192.168.1.2 -m multiport --dport 20,21,25,53,80,443,110,143,465,953,993,995,8080 -j ACCEPT

# To accept UDP connections for the named and rndc services on 192.168.1.2

iptables -A INPUT -p udp -d 192.168.1.2 -m multiport --dport 53,953 -j ACCEPT

# To accept ping requests on the server (both IPs)

iptables -A INPUT -p icmp -j ACCEPT

# To drop all other connections, i.e. anything not matched by the rules above.

iptables -A INPUT -j DROP

You can combine the major protocols (TCP, UDP, ICMP) with source IP, destination IP, source port and destination port, and tune your server firewall to any extent you want.

The source port may vary for every connection (request) to the same service, so I have not used it in the above examples.

Further, always change the SSH port in /etc/ssh/sshd_config and open that same port in the firewall for your personal use.

Following are the most essential ports that may need to be open.

20 ftp-data
21 ftp
22 ssh
25 smtp
53 domain
80 http
110 pop3
143 imap
443 https
465 smtps
953 rndc
993 imaps
995 pop3s
3306 mysql

2082 cpanel
2083 secure cpanel
2086 whm
2087 secure whm
2077 webdisk
2078 secure webdisk
2095 webmail
2096 secure webmail

8880 plesk panel
8443 secure plesk panel

Steps to configure the firewall.

Save your old firewall configuration "/etc/sysconfig/iptables-config" to some other file and flush the firewall.

mv /etc/sysconfig/iptables-config /etc/sysconfig/iptables-config_old

iptables -F

service iptables save

iptables -A INPUT -p tcp -d 192.168.1.1 --dport 22 -j ACCEPT

iptables -A INPUT -p tcp -d 192.168.1.1 -s 192.168.1.254 --dport 22 -j ACCEPT

iptables -A INPUT -p tcp -d 192.168.1.2 -m multiport --dport 20,21,25,53,80,443,110,143,465,953,993,995 -j ACCEPT

iptables -A INPUT -p udp -d 192.168.1.2 -m multiport --dport 53,953 -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -j DROP

service iptables save

NOTE: please make sure you allow all the ports (specifically the SSH port) before adding the final DROP or REJECT rule.
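The example rules and the steps above, as an added script that is not part of the original post: it emits the rule set in iptables-restore format so it is applied in one atomic step instead of rule by rule after an "iptables -F", keeps only the source-restricted SSH rule (the unrestricted one would make it redundant), and adds loopback and ESTABLISHED,RELATED accepts that the final DROP would otherwise block. The second function performs the check from the NOTE. The IP arguments are placeholders for the post's 192.168.1.1, 192.168.1.2 and 192.168.1.254.

```shell
#!/bin/sh
# Emits the post's INPUT rules in iptables-restore format so they load in one
# atomic step (no window where the chain is flushed or only half built).
# Added on top of the post's rules: accept loopback and ESTABLISHED,RELATED
# traffic, which the final "-j DROP" would otherwise discard (replies to the
# server's own outbound connections, daemons talking over 127.0.0.1).
# main_ip / extra_ip / admin_ip are placeholders for the post's
# 192.168.1.1 / 192.168.1.2 / 192.168.1.254.
gen_rules() {
    main_ip=$1; extra_ip=$2; admin_ip=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d $main_ip -s $admin_ip --dport 22 -j ACCEPT
-A INPUT -p tcp -d $extra_ip -m multiport --dports 20,21,25,53,80,443,110,143,465,953,993,995 -j ACCEPT
-A INPUT -p udp -d $extra_ip -m multiport --dports 53,953 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Check from the post's NOTE: an SSH ACCEPT must appear before the first
# DROP/REJECT catch-all in INPUT, or the admin is locked out on apply.
# Reads a rule file on stdin; exit status 0 means the order is safe.
check_ssh_before_drop() {
    awk '
        /^-A INPUT .*--dport 22 .*-j ACCEPT/ && !ssh  { ssh = NR }
        /^-A INPUT -j (DROP|REJECT)/        && !drop { drop = NR }
        END { exit !(ssh && (!drop || ssh < drop)) }
    '
}

# Usage (as root, after backing up the current rules with iptables-save):
#   gen_rules 192.168.1.1 192.168.1.2 192.168.1.254 > /tmp/rules.v4
#   check_ssh_before_drop < /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```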
