Difference between revisions of "Firewall INPUT filters"
Line 13: | Line 13: | ||
− | =SSH= | + | |
+ | =Security services= | ||
+ | |||
+ | |||
+ | ==SSH== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
Line 21: | Line 25: | ||
+ | ==LDAP== | ||
− | =Web server= | + | <syntaxhighlight lang="bash"> |
+ | $IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP | ||
+ | $IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAPS | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | =Web services= | ||
+ | |||
+ | |||
+ | ==HTTP web server== | ||
You have to open the following ports: | You have to open the following ports: | ||
Line 29: | Line 44: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | $IPTABLES -A INPUT -p tcp -m state | + | $IPTABLES -A INPUT -p tcp -m state --dport 80 -j ACCEPT |
− | $IPTABLES -A INPUT -p tcp -m state | + | $IPTABLES -A INPUT -p tcp -m state --dport 443 -j ACCEPT |
</syntaxhighlight> | </syntaxhighlight> | ||
− | = | + | ==Application servers (HTTP alt.)== |
− | |||
You have to open the following ports: | You have to open the following ports: | ||
Line 43: | Line 57: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | $IPTABLES -A INPUT -p tcp -m state | + | $IPTABLES -A INPUT -p tcp -m state --dport 8080 -j ACCEPT |
− | $IPTABLES -A INPUT -p tcp -m state | + | $IPTABLES -A INPUT -p tcp -m state --dport 8443 -j ACCEPT |
− | $IPTABLES -A OUTPUT -p tcp -m state | + | $IPTABLES -A OUTPUT -p tcp -m state --dport 8080 -j ACCEPT |
− | $IPTABLES -A OUTPUT -p tcp -m state | + | $IPTABLES -A OUTPUT -p tcp -m state --dport 8443 -j ACCEPT |
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | Sometimes you can also use: | |
− | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | |||
− | |||
− | |||
# JBoss wildfly | # JBoss wildfly | ||
$IPTABLES -A INPUT -p tcp --dport 9990 -j ACCEPT # Wildfly administration | $IPTABLES -A INPUT -p tcp --dport 9990 -j ACCEPT # Wildfly administration | ||
Line 67: | Line 77: | ||
##### Output | ##### Output | ||
− | |||
− | |||
# JBoss wildfly | # JBoss wildfly | ||
$IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT # Wildfly administration | $IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT # Wildfly administration | ||
Line 76: | Line 84: | ||
$IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT # Open MQ (bundled with Glassfish) - JMS broker | $IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT # Open MQ (bundled with Glassfish) - JMS broker | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | ==Sonar== | ||
+ | |||
+ | You have to open the port 9000 | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | $IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 9000 -j ACCEPT | ||
+ | |||
+ | $IPTABLES -A OUTPUT -p tcp -m state -i eth0 --dport 9000 -j ACCEPT | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | best way is to use a proxy redirection. see: [[Sonar#Apache2 proxy]] | ||
+ | |||
+ | |||
=DHCP= | =DHCP= | ||
Line 127: | Line 151: | ||
Don't forget to adjust your network number ''172.16.50.0/24'' | Don't forget to adjust your network number ''172.16.50.0/24'' | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Line 140: | Line 157: | ||
It's really tricky to adjust the firewall for NFS as the port is dynamic. But option is to allow LAN traffic and use NFS over LAN only. | It's really tricky to adjust the firewall for NFS as the port is dynamic. But option is to allow LAN traffic and use NFS over LAN only. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
Revision as of 12:15, 27 October 2014
Contents
INPUT view
Basic inputs
You can find the basics INPUT rules over here: Firewall core (main) protocols
Security services
SSH
# SSH - max 3 connection request per minute
$IPTABLES -A INPUT -p tcp -m limit 3/min --limit-burst 3 --dport 22 -j ACCEPT
LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAPS
Web services
HTTP web server
You have to open the following ports:
- Port 80 = HTTP
- Port 443 = HTTPS
$IPTABLES -A INPUT -p tcp -m state --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --dport 443 -j ACCEPT
Application servers (HTTP alt.)
You have to open the following ports:
- Port 8080 = HTTP alt.
- Port 8443 = HTTPS alt.
$IPTABLES -A INPUT -p tcp -m state --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --dport 8443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m state --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m state --dport 8443 -j ACCEPT
Sometimes you can also use:
# JBoss wildfly
$IPTABLES -A INPUT -p tcp --dport 9990 -j ACCEPT # Wildfly administration
# Glassfish
$IPTABLES -A INPUT -p tcp --dport 4848 -j ACCEPT # Glassfish4 administration manager
$IPTABLES -A INPUT -p tcp --dport 1527 -j ACCEPT # Glassfish4 security manager
$IPTABLES -A INPUT -p tcp --dport 7676 -j ACCEPT # Open MQ (bundled with Glassfish) - JMS broker
##### Output
# JBoss wildfly
$IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT # Wildfly administration
# Glassfish
$IPTABLES -A OUTPUT -p tcp --dport 4848 -j ACCEPT # Glassfish4 administration manager
$IPTABLES -A OUTPUT -p tcp --dport 1527 -j ACCEPT # Glassfish4 security manager
$IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT # Open MQ (bundled with Glassfish) - JMS broker
Sonar
You have to open the port 9000
$IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 9000 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m state -i eth0 --dport 9000 -j ACCEPT
best way is to use a proxy redirection. see: Sonar#Apache2 proxy
DHCP
This is how you enable a DHCP server with TFTP (netBoot) :
IPTABLES=`which iptables`
LAN_ADDRESS="172.16.50.0/24"
# Allow LAN communication
# ... Required for NFS and the NetBoot ...
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
########################
# INPUT filters
########################
##### DHCP client ######
# Broadcast IP request
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Send / reply to IPs requests
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
###### DHCP server ######
# Received client's requests [udp + tcp]
$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT
# NetBoot - TFTP server
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
########################
# OUTPUT filters
########################
# DHCP [udp + tcp]
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT
# TFTP NetBoot
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT
Note the difference between the broadcast request that every computer should allow and the plain OUTPUT allow on ports 67,68 for the DHCP server !!
Don't forget to adjust your network number 172.16.50.0/24
NFS
It's really tricky to adjust the firewall for NFS as the port is dynamic. But option is to allow LAN traffic and use NFS over LAN only.