Iptables script
pascal
07-29-2004, 08:23 PM
Hello
Continuing to secure my box, I'd like to know if you could provide a generic iptables configuration script for RH9 with nodeworx/siteworx.
I'll add other services (outside the nodeworx services) to this one (for example ircd).
Thanks :)
Squalito
pascal
07-31-2004, 09:52 PM
So ???? Paul? Chris?
pascal
08-24-2004, 09:38 PM
Well, this thread has really had no success :-p
In fact all my threads about box security have no success.
snif snif
Maybe better luck next time
@+++
Pascal
IWorx-Chris
08-24-2004, 09:50 PM
squalito,
I apologize, we've just been busy with this release. Any basic iptables script will do that blocks all ports, and then selectively adds ports that are needed. For InterWorx-CP itself you'll need 2443 open and if you want web/email/ssh/ftp open those ports can all be found in /etc/services.
We will at some point provide a standard baseline iptables script but have so far left it up to the server owner.
Chris
pascal
08-24-2004, 10:14 PM
No problem about the delay.
What I propose is to post a script here before installing it and wait for your comments :)
Just in case :-p
Pascal
Sagonet has a general IPtables script posted on their forum.
http://www.sagonet.com/forums/viewtopic.php?t=18&highlight=iptables
pascal
08-25-2004, 11:15 AM
Thank you, lost :)
pascal
08-25-2004, 01:41 PM
OK, here is the script I made, using the Sago script as a starting point
#!/bin/bash
set -e
# Caution! Once this firewall is active, a mistake in these rules can lock
# you out of ssh (the network will be unavailable). Have console access, or
# a timed fallback that flushes the rules, ready before running it.
# Load the FTP connection-tracking helper. With INPUT defaulting to DROP it
# is required, not optional: passive-mode FTP data connections arrive on
# random high ports and are only accepted because the helper marks them RELATED.
modprobe ip_conntrack_ftp
# Flush rules
iptables -F
iptables -X
iptables -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
# rp_filter
for f in /proc/sys/net/ipv4/conf/*; do
echo 1 > $f/rp_filter
echo 0 > $f/accept_source_route
echo 0 > $f/accept_redirects
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/ip_forward
# Set chain defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## Okay, the rules
# Rejects go here
iptables -N rej
iptables -A rej -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rej -p tcp -j REJECT --reject-with tcp-reset
iptables -A rej -j DROP
# Slow reject is our packet limiter.
iptables -N slowrej
iptables -A slowrej -m limit --limit 12/min --limit-burst 2 -j rej
iptables -A slowrej -j DROP
## UDP rules
iptables -N pudp
iptables -A pudp -p udp --dport 53 -j ACCEPT # DNS (udp)
iptables -A pudp -p udp --dport 161 -j ACCEPT # SNMP (udp)
iptables -A pudp -p udp --dport bootps:bootpc -j DROP
iptables -A pudp -j slowrej
## TCP rules
# Enable services on an as-needed basis.
# Every line below opens a port to the whole Internet; delete the lines
# for services this box does not run rather than leaving them "just in case".
# Everything else is your responsibility.
iptables -N ptcp
iptables -A ptcp -p tcp --dport 161 -m state --state NEW -j ACCEPT #SNMP (tcp; agents normally listen on UDP 161, opened in pudp above)
iptables -A ptcp -p tcp --dport 80 -m state --state NEW -j ACCEPT # HTTP
iptables -A ptcp -p tcp --dport 443 -m state --state NEW -j ACCEPT # HTTPS
#iptables -A ptcp -p tcp --dport 8443 -m state --state NEW -j ACCEPT # ALT_HTTPS
iptables -A ptcp -p tcp --dport 21 -m state --state NEW -j ACCEPT # FTP
iptables -A ptcp -p tcp --dport 22 -m state --state NEW -j ACCEPT # SSH
iptables -A ptcp -p tcp --dport 2443 -m state --state NEW -j ACCEPT # Nodeworx
iptables -A ptcp -p tcp --dport 2080 -m state --state NEW -j ACCEPT # Nodeworx
iptables -A ptcp -p tcp --dport 25 -m state --state NEW -j ACCEPT # SMTP
iptables -A ptcp -p tcp --dport 110 -m state --state NEW -j ACCEPT # POP3
iptables -A ptcp -p tcp --dport 995 -m state --state NEW -j ACCEPT #POP3S
iptables -A ptcp -p tcp --dport 143 -m state --state NEW -j ACCEPT #IMAP2
iptables -A ptcp -p tcp --dport 993 -m state --state NEW -j ACCEPT #IMAPS
iptables -A ptcp -p tcp --dport 3306 -m state --state NEW -j ACCEPT #MySQL (only if remote hosts must connect; local apps use the socket or 127.0.0.1)
iptables -A ptcp -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS (tcp)
iptables -A ptcp -p tcp --dport 10000 -m state --state NEW -j ACCEPT # webmin (tcp)
iptables -A ptcp -p tcp --dport 3333 -m state --state NEW -j ACCEPT # ntop (tcp)
iptables -A ptcp -p tcp --dport 6667 -m state --state NEW -j ACCEPT # IRCD
iptables -A ptcp -p tcp --dport 6668 -m state --state NEW -j ACCEPT # IRCD
iptables -A ptcp -p tcp --dport 7000 -m state --state NEW -j ACCEPT # HUB IRCD
iptables -A ptcp -j slowrej
## ICMP rules
iptables -N picmp
iptables -A picmp -p icmp -m limit --limit 2/sec --limit-burst 2 --icmp-type echo-request -j ACCEPT
iptables -A picmp -j DROP
# INPUT chain: Anything over loopback, and anything found in the state matching
# system is accepted.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# If you have constant abusers, block them permanently by CIDR thus:
# iptables -A INPUT -s 192.168.1.0/24 -j rej
#
# For particularly abusive servers or brain-dead software that keeps trying
# even with rej, try this instead:
#iptables -A INPUT -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p udp -j pudp
iptables -A INPUT -p tcp -j ptcp
iptables -A INPUT -p icmp -j picmp
I'm not sure whether I have to open port 2080 (nodeworx ???) and port 3306 (mysql).
OK, so stop me if I'm saying something wrong:
I run the script then do iptables-save and copy the output in /etc/sysconfig/iptables
Right ?
Any comments on this script would be welcome
Do I absolutely have to reboot my box?
Thanks
Pascal
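Chris's advice (block everything, then open only the ports you need) and Pascal's question about loading the script, saving it to /etc/sysconfig/iptables and whether a reboot is needed are both procedures, so here is an added example of one way to do them. It is not code from the thread, from Sago or from InterWorx. It generates the rule set from two port lists, loads it live behind a timer that reopens the box if the rules cut your ssh session, and only then saves it. The names gen_rules, apply_rules, commit_rules, IPT and FALLBACK_SECS are introduced here; /etc/sysconfig/iptables is the file the thread names, and the assumption that the Red Hat iptables init script restores it at boot and is enabled with chkconfig is mine. It also goes a little beyond Pascal's script by adding --syn and an INVALID drop.

```shell
#!/bin/bash
# Added example: port-list driven firewall loader with lockout protection.
# Assumes the Red Hat layout: /etc/sysconfig/iptables is what the iptables
# init script restores at boot. IPT and FALLBACK_SECS are knobs introduced
# here (hypothetical, not from the thread) so the loader can be dry-run.
set -u

IPT=${IPT:-iptables}                 # set IPT=echo for a dry run
FALLBACK_SECS=${FALLBACK_SECS:-120}  # seconds until the safety flush fires

# Ports this box should answer on. Edit these lists instead of the rules.
TCP_PORTS="21 22 25 80 443 2443"     # ftp ssh smtp http https nodeworx
UDP_PORTS="53"                       # dns

# gen_rules TCP_LIST UDP_LIST: print the rule set, one iptables argument
# string per line. Default-deny INPUT, then open only what is listed.
gen_rules() {
    local tcp="$1" udp="$2" p
    printf '%s\n' \
        '-F' '-X' '-Z' \
        '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP'
    for p in $tcp; do
        # --syn: a NEW tcp flow must begin with a bare SYN, nothing else
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done
    for p in $udp; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/sec --limit-burst 2 -j ACCEPT' \
        '-A INPUT -p tcp -j REJECT --reject-with tcp-reset' \
        '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable' \
        '-A INPUT -j DROP'
}

# apply_rules RULES: arm a timer that reopens INPUT, then load RULES line
# by line. If the new rules cut your ssh session, just wait: the box reopens
# by itself. Prints the timer pid so commit_rules can cancel it.
apply_rules() {
    local rules="$1" line timer
    # stdout/stderr of the timer are detached so callers using $(...) do not
    # block until the sleep ends
    ( sleep "$FALLBACK_SECS" && $IPT -P INPUT ACCEPT && $IPT -F INPUT ) >/dev/null 2>&1 &
    timer=$!
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # word splitting of $line into iptables arguments is intended
        $IPT $line || {
            echo "failed: $IPT $line -- reopening INPUT now" >&2
            kill "$timer" 2>/dev/null
            $IPT -P INPUT ACCEPT; $IPT -F INPUT
            return 1
        }
    done <<EOF
$rules
EOF
    echo "$timer"
}

# commit_rules TIMER_PID: run from a *new* ssh session once you have confirmed
# you can still log in. Cancels the fallback and saves the running rule set
# where the init script reloads it at boot (assumed Red Hat layout).
commit_rules() {
    kill "$1" 2>/dev/null
    iptables-save > /etc/sysconfig/iptables
    chkconfig iptables on
}

# Usage (as root):
#   timer=$(apply_rules "$(gen_rules "$TCP_PORTS" "$UDP_PORTS")")
#   ... open a second ssh session and check it works ...
#   commit_rules "$timer"
```

The rules take effect the moment the iptables commands run, so no reboot is involved; the saved file only matters for the next boot, and the fallback timer stands in for the console access the top of Pascal's script warns about. With IPT=echo the loader prints the commands instead of running them, which is a cheap way to review the generated rule set before it touches a live box.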