Difference between revisions of "Firewall INPUT filters"

(DHCP)
(DHCP)
Line 81: Line 81:
  
 
Note the difference between the broadcast request that every computer should allow and the plain OUTPUT allow on ports 67,68 for the DHCP server !!
 
Note the difference between the broadcast request that every computer should allow and the plain OUTPUT allow on ports 67,68 for the DHCP server !!
 +
 +
 +
Don't forget to adjust your network number ''172.16.50.0/24''
  
 
=LDAP=
 
=LDAP=

Revision as of 20:47, 8 August 2014


INPUT view

Input filters


Basic inputs

You can find the basics INPUT rules over here: Firewall core (main) protocols

SSH

# SSH - max 3 connection request per minute
$IPTABLES -A INPUT -p tcp -m limit 3/min --limit-burst 3 --dport 22 -j ACCEPT


Web server

You have to open the following ports:

  • Port 80 = HTTP
  • Port 443 = HTTPS
$IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 443 -j ACCEPT


DHCP

This is how you enable a DHCP server with TFTP (netBoot) :

IPTABLES=`which iptables`
LAN_ADDRESS="172.16.50.0/24"

# Allow LAN communication
# ... Required for NFS and the NetBoot ...
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
 
########################
# INPUT filters
########################
 
##### DHCP client ######
# Broadcast IP request 
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Send / reply to IPs requests
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
 
###### DHCP server ######
# Received client's requests [udp + tcp]
$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT

# NetBoot - TFTP server
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
 
 
########################
# OUTPUT filters
########################
# DHCP [udp + tcp]
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT
 
# TFTP NetBoot 
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT


Note the difference between the broadcast request that every computer should allow and the plain OUTPUT allow on ports 67,68 for the DHCP server !!


Don't forget to adjust your network number 172.16.50.0/24

LDAP

$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAPS


NFS

It's really tricky to adjust the firewall for NFS as the port is dynamic. But option is to allow LAN traffic and use NFS over LAN only.