linux
Seeker, 2013-03-13 21:44:51

How to protect a linux server with a firewall?

Hello! Please tell me how the firewall should be properly configured in order to protect a server connected to the Internet around the clock. Here is the script that loads the firewall on my server:

#!/bin/sh
## Flush the tables
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

## Filter out packets with a private (local) source address
iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -t filter -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -t filter -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

## Filter out packets sent to the broadcast address
iptables -t filter -A INPUT -i eth0 -d 255.255.255.255 -j DROP

## Allow lo and the internal network
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT

## Allow icmp
iptables -t filter -A INPUT -i eth0 -p icmp -j ACCEPT

## Close ports to incoming connections, except ssh
iptables -t filter -A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

## Deny everything else
iptables -t filter -A INPUT -j DROP


Is closing ports and filtering out broadcast and local packets not enough? I heard that you also need to filter fragmented icmp packets and something else. Tell me what is missing.

3 answer(s)
Sergey, 2013-03-13
@bondbig

The question is asked somewhat incorrectly. What tasks does the server perform? What are the risks?
In some cases you can do without a firewall at all; for that matter, it's enough simply not to "expose" extra ports outward by setting the listen directive correctly in the services' configs.

miwa, 2013-03-14
@miwa

The question is not entirely correct, as has already been said. What in general should the server do, apart from looking at the Internet around the clock? Does anyone need to connect to it? Who, from where, and to what (that is, which services on the server will they use)? On the other hand, allowing any traffic from within the network in our difficult times is also quite frivolous. If you are already afraid of an attack from the outside, where is the guarantee that a local machine will not be attacked first, and then your server through it?
A lot also depends on the distribution. Every popular distro has recommendations for increasing its own security; google for "distro hardening|securing".

kyzia, 2013-04-10
@kyzia

Don't use a script!
Use iptables-save and iptables-restore.
If you use the script, you will lose the network for a couple of minutes whenever you add a new rule.
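The poster's rules rewritten in iptables-save format and loaded atomically with iptables-restore, as kyzia suggests. This is an added example, not code from the thread; it assumes the same eth0 (Internet) and eth1 (LAN) interfaces as the question and the `--test` option of iptables-restore.

```shell
#!/bin/sh
# Added example (not from the thread): the poster's ruleset in iptables-save
# format. Loading it with iptables-restore replaces the whole table in one
# step, so there is no window with a half-built chain while rules are added.
set -eu

# Emit the whole ruleset on stdout. The trailing "-A INPUT -j DROP" of the
# original script becomes the INPUT chain policy; other rules are kept as
# posted (FORWARD stays ACCEPT, as the original script did not change it).
ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Drop packets arriving from the Internet with private source addresses
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# Drop packets sent to the limited broadcast address
-A INPUT -i eth0 -d 255.255.255.255 -j DROP
# Loopback and the internal interface (eth1 assumed to be the LAN side)
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# ICMP from the Internet
-A INPUT -i eth0 -p icmp -j ACCEPT
# Replies to connections the server opened, then ssh
-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to a file, syntax-check it with "iptables-restore --test"
# (parses without committing), then commit it in one atomic operation.
# Needs root; otherwise the file is left for inspection and nothing is loaded.
apply_ruleset() {
    f=$(mktemp) || return 1
    ruleset > "$f"
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: ruleset written to $f but not loaded" >&2
        return 2
    fi
    iptables-restore --test "$f" && iptables-restore "$f"
}

# Number of rules that would be loaded; a quick sanity check before applying.
rule_count() { ruleset | grep -c '^-A '; }
```

Keep the file under version control and load it from the boot sequence (or the distribution's iptables service) so the same ruleset is restored after a reboot.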
