Difference between revisions of "Firewall INPUT filters"
(→Basic inputs) |
Line 17: | Line 17: | ||
# SSH - max 3 connection request per minute | # SSH - max 3 connection request per minute | ||
$IPTABLES -A INPUT -p tcp -m limit 3/min --limit-burst 3 --dport 22 -j ACCEPT | $IPTABLES -A INPUT -p tcp -m limit 3/min --limit-burst 3 --dport 22 -j ACCEPT | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | =Web server= | ||
+ | |||
+ | You have to open the following ports: | ||
+ | * Port 80 = HTTP | ||
+ | * Port 443 = HTTPS | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | $IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 80 -j ACCEPT | ||
+ | $IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 443 -j ACCEPT | ||
</syntaxhighlight> | </syntaxhighlight> | ||
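Review bot: both web-server rules added in this hunk use `-m state` without the `--state` argument it requires, so iptables will refuse to load them ("You must specify `--state'"); the intended form, as the LDAP rules elsewhere on this page show, is `-m state --state NEW -i eth0 --dport 80 -j ACCEPT` (and likewise for 443). A one-line comment saying the rules are for new connections on the LAN-facing interface would also help readers copying them.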
Revision as of 18:48, 8 August 2014
INPUT view
Basic inputs
You can find the basic INPUT rules here: Firewall core (main) protocols
SSH
# SSH - max 3 connection requests per minute
# The limit match needs "--limit <rate>"; without it iptables rejects the rule.
# Requests beyond the limit fall through to the rules (or chain policy) that follow.
$IPTABLES -A INPUT -p tcp -m limit --limit 3/min --limit-burst 3 --dport 22 -j ACCEPT
Web server
You have to open the following ports:
- Port 80 = HTTP
- Port 443 = HTTPS
# Accept new HTTP/HTTPS connections on eth0 ("-m state" must be given a "--state")
$IPTABLES -A INPUT -p tcp -m state --state NEW -i eth0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -i eth0 --dport 443 -j ACCEPT
DHCP
This is how you enable a DHCP server with TFTP (NetBoot):
IPTABLES=`which iptables`
# LAN_ADDRESS must hold your LAN network (for example 192.168.1.0/24, a sample value)
# Allow LAN communication
# ... Required for NFS and the NetBoot ...
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
########################
# INPUT filters
########################
##### DHCP client ######
# Broadcast IP request (DHCPDISCOVER / DHCPREQUEST)
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Receive the server's replies (DHCPOFFER / DHCPACK). They are sent from the
# server's own address, never from 255.255.255.255, so match on the ports only
$IPTABLES -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
###### DHCP server ######
# Receive clients' requests [udp + tcp]
$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT
# NetBoot - TFTP server (LAN clients only)
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
########################
# OUTPUT filters
########################
# DHCP [udp + tcp]
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT
# TFTP NetBoot
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT
Note the difference between the broadcast request, which every computer (as a DHCP client) should allow, and the plain OUTPUT accept on ports 67 and 68, which only the DHCP server needs!
LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAPS
NFS
It is tricky to adjust the firewall for NFS because its ports are dynamic. One option is to allow LAN traffic (see the DHCP section above) and use NFS over the LAN only.