  1. #1

    IPTables for Web Server


    All:

    Anyone know of a good tutorial for setting up good IP tables for a web server?

  2. #2
    jledhead
    some good links here
    iptables apache - Google Search

  3. #3
    If you have a control-panel-based server such as cPanel or Plesk,
    use one of the firewalls available for it.

    Otherwise, here are a few rules I use:
    # iptables rules as posted, in iptables-save form ("-A <chain> ..." lines only).
    # Not part of this excerpt: the *filter header, the chain declarations
    # (:INPUT, :badflags, :silent, ...), the COMMIT line, and the bodies of the
    # SYN and SSHD chains that the INPUT rules below jump to.
    # Rule order matters: the first terminating match (ACCEPT/DROP/REJECT) wins.
    #
    # DOS chain: traffic within 12 packets/sec (burst 24) RETURNs to the caller;
    # the excess is logged (under a second, independent limit bucket) and dropped.
    # Nothing in this excerpt jumps to DOS, so as shown the chain is unused.
    -A DOS -m limit --limit 12/sec --limit-burst 24 -j RETURN
    -A DOS -m limit --limit 12/sec --limit-burst 24 -j LOG --log-prefix "***Possible DOS Attack: "
    -A DOS -j DROP
    # Site-specific single-host block from the poster's own setup; replace or
    # remove it rather than copying it.
    -A INPUT -s 125.241.83.133 -j DROP
    # The same jump appears twice; one copy is redundant. The SYN chain's rules
    # are not in this excerpt.
    -A INPUT -j SYN
    -A INPUT -j SYN
    # Malformed TCP flag combinations go to badflags (rate-limited log + DROP at
    # the bottom). These rules carry no -i match, so loopback packets are checked
    # too (the "-i lo ACCEPT" rule comes later).
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j badflags
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j badflags
    # SSH: one allow-listed source is accepted unconditionally (before the
    # FIN,SYN badflags check just below); every other port-22 packet goes to the
    # SSHD chain, whose rules are not shown. If SSHD RETURNs, the later
    # "--dport 22 ... SYN -j ACCEPT" rule admits new SSH connections from any
    # source -- confirm that is the intent.
    -A INPUT -s 65.182.188.210 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j SSHD
    # Belongs with the badflags group above; it sits after the SSH rules, so
    # port-22 packets from the allow-listed host are never tested against it.
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j badflags
    # ICMP: accept echo-reply (0), destination-unreachable (3), time-exceeded (11)
    # and echo-request (8); log and drop everything else. This LOG rule has no
    # -m limit, so a flood of other ICMP types floods the log as well.
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p icmp -j LOG --log-prefix "****Dropped ICMP: "
    -A INPUT -p icmp -j DROP
    # -f matches second and later IP fragments: logged (unlimited) and dropped.
    -A INPUT -f -j LOG --log-prefix "****Fragments Dropped: "
    -A INPUT -f -j DROP
    # Drop TCP packets that open a NEW connection without being a plain SYN
    # (among SYN,RST,ACK). Packets conntrack classes as INVALID are not NEW and
    # are not matched here.
    -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    # Loopback is accepted only here, after the flag, ICMP and fragment checks
    # above have already been applied to it.
    -A INPUT -i lo -j ACCEPT
    # New TCP connections (SYN-only) accepted from any source, by destination
    # port. Confirm which services actually listen on 783, 6666 and 7786 before
    # reusing these.
    -A INPUT -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # DNS. The two --sport 53 rules accept ANY inbound packet whose source port
    # is 53, with no state or destination-port match; legitimate replies to this
    # host's own queries are already covered by the RELATED,ESTABLISHED rule
    # further down, so these two only widen the allow-list. Consider removing.
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --sport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 465 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 783 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p udp -m udp --dport 783 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 6666 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 7786 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # UDP 33434:33524 looks like the probe range used by UDP traceroute -- the
    # poster does not say.
    -A INPUT -p udp -m udp --dport 33434:33524 -j ACCEPT
    # New connections to the whole 49000-65535 range, TCP and UDP, from anywhere.
    # Presumably a passive-FTP data range (ports 20/21 appear elsewhere) -- confirm
    # and narrow to what the FTP daemon is actually configured to use.
    -A INPUT -p tcp -m tcp --dport 49000:65535 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p udp -m udp --dport 49000:65535 -j ACCEPT
    # Reply/continuation traffic. Conventionally placed near the top of INPUT so
    # established flows skip the per-port rules; the outcome for packets that
    # reach it is the same here.
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # NetBIOS name/datagram noise dropped without logging via the silent chain.
    # "--sport 136" in the first rule looks like a typo for 137 -- confirm.
    -A INPUT -p udp -m udp --sport 136 --dport 137 -j silent
    -A INPUT -p udp -m udp --sport 138 --dport 138 -j silent
    -A INPUT -p udp -m udp --sport 137 --dport 137 -j silent
    # Anti-spoofing: loopback, private, multicast and reserved source ranges are
    # logged (unlimited) and rejected. Placement matters: every ACCEPT above has
    # no -s match, so a packet with one of these spoofed sources aimed at an open
    # port is accepted before it gets here -- these belong near the top of INPUT.
    # 10.0.0.0/8 (also RFC 1918) is not in the list. The 127/8 rule is reached
    # only for non-loopback interfaces because "-i lo" was accepted earlier.
    # Two of the prefixes lack the trailing space ("****Non-routable:"), which
    # complicates log parsing.
    -A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "****Non-routable: "
    -A INPUT -s 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 172.16.0.0/255.240.0.0 -j LOG --log-prefix "****Non-routable: "
    -A INPUT -s 172.16.0.0/255.240.0.0 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 192.168.0.0/255.255.0.0 -j LOG --log-prefix "****Non-routable:"
    -A INPUT -s 192.168.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "****Non-routable: "
    -A INPUT -s 224.0.0.0/240.0.0.0 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 240.0.0.0/248.0.0.0 -j LOG --log-prefix "****Non-routable:"
    -A INPUT -s 240.0.0.0/248.0.0.0 -j REJECT --reject-with icmp-port-unreachable
    # IDENT (113): logged and REJECTed with port-unreachable rather than dropped.
    # REJECT is commonly chosen here so remote mail servers' ident lookups fail
    # fast instead of timing out -- the poster does not state the reason.
    -A INPUT -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "IDENT: "
    -A INPUT -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p udp -m udp --dport 113 -j LOG --log-prefix "IDENT: "
    -A INPUT -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
    # Catch-all for remaining new TCP connections (SYN-only) and all remaining
    # UDP: logged without a rate limit, then dropped. TCP packets that are
    # neither SYN-only nor ESTABLISHED (e.g. INVALID) match none of these and
    # fall through to the INPUT chain policy, which this excerpt does not show.
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "****Dropped TCP: "
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
    -A INPUT -p udp -j LOG --log-prefix "****Dropped UDP: "
    -A INPUT -p udp -j DROP
    # OUTPUT: outbound traffic allowed by destination port only. There is no
    # RELATED,ESTABLISHED rule in OUTPUT in this excerpt, so replies sent by this
    # host's own services (e.g. from port 80 back to a client's ephemeral port)
    # only match if the client port falls in 49000:65535; anything else depends
    # on the OUTPUT policy, which is not shown. If that policy is DROP, replies
    # to clients using lower ephemeral ports are blocked -- verify.
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 20 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 123 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 783 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 49000:65535 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 49000:65535 -j ACCEPT
    # badflags: log at most 12/min, then drop. silent: drop with no log at all.
    -A badflags -m limit --limit 12/min -j LOG --log-prefix "****Badflags: "
    -A badflags -j DROP
    -A silent -j DROP

    Open /etc/sysconfig/iptables, add these rules, and save it.
    Regards
    David Anand
    -->Success is the list of failures ...!!!
