System administration
Hint, 2013-04-15 16:42:47

Standard rules for iptables on a web server

Please write the optimal iptables rules for the web server in your opinion.
You need to deny by default all incoming connections, allow all outgoing connections, open some ports (ssh, http) plus allow any connections with a specific IP (mine).

2 answer(s)
Denis, 2013-04-15
@Hint

I use these rules:

# Generated by iptables-save v1.4.8 on Mon Apr 15 18:10:08 2013
*filter
:INPUT DROP [300714:91562726]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7340517:3206938910]
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.10.13.0/24 -j ACCEPT
-A INPUT -s 10.20.32.46/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.201.52.201/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.10.6/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
# Completed on Mon Apr 15 18:10:08 2013

All traffic on port 80 is allowed here, all traffic from the "trusted" subnet 10.10.13.0/24, traffic on port 22 from some hosts, and access to MySQL from 10.10.10.6.

The actual "standard" rules for a web server are:

*filter
:INPUT DROP [300714:91562726]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7340517:3206938910]
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s ВАШАСЕТЬ -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Apr 15 18:10:08 2013

The rest is added depending on your level of paranoia.
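As an added example (not from the answer above), here is a small POSIX shell function that generates an iptables-restore ruleset for exactly the policy the question asks for: drop all incoming by default, allow all outgoing, open SSH and HTTP, and accept anything from one admin address. The admin address 203.0.113.10 is a constructed placeholder; the ruleset is only generated, not loaded, so it can be reviewed before being fed to iptables-restore.

```shell
#!/bin/sh
# Generate (not apply) an iptables-restore ruleset for a web server.
# Usage: gen_rules <admin-ip-or-cidr> [ssh-port] [http-port]
gen_rules() {
    admin="$1"; ssh_port="${2:-22}"; http_port="${3:-80}"
    # Refuse to emit a ruleset with an empty -s, which would match everything.
    [ -n "$admin" ] || { echo "gen_rules: admin address required" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: services bound to 127.0.0.1 (e.g. a local DB) keep working.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated, before any port-specific rule.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# A new TCP connection must begin with a bare SYN (same check as the answer above).
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
# The admin address may reach any port; placed before the port rules so it
# still applies if those are later tightened.
-A INPUT -s $admin -j ACCEPT
-A INPUT -p tcp -m tcp --dport $http_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the generated ruleset atomically. Run as root on the target host;
# the --test pass parses the ruleset without committing it.
apply_rules() {
    gen_rules "$@" | iptables-restore --test && gen_rules "$@" | iptables-restore
}
```

Because iptables-restore replaces the whole filter table in one commit, there is no window in which INPUT is DROP but the SSH rule is not yet present, which a sequence of individual iptables commands over an SSH session would create.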

Sergey, 2013-04-15
@bondbig

This is impolite, of course, but:
lmgtfy.com/?q=iptables+rules+web+server
