Are these iptables rules correct?

AntiRix (New Member, joined Mar 13, 2019)
Hi,

I want to tighten security and only allow necessary traffic. I don't have physical access to the machine at the moment, so I want to make sure that these rules are correct before I apply them.

Here are the conditions:

• Anyone must be able to access the website hosted by the machine which is served over both http and https
• Only 194.50.56.167 and 194.50.55.200 can SSH into the machine
• Code on the machine must be able to access the MySQL database on the same machine
• The machine must be able to send email with php mail()
• The machine must respond to pings from anywhere and must be able to ping any other IP address

These are the rules which I believe I need. Please let me know if I need to add, edit or remove any rules:

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 194.50.55.200 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 194.50.56.167 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
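An added example (not the poster's rule set) that builds rules for the five stated requirements and applies them behind a timed rollback, so a typo on a box you cannot reach physically undoes itself; it also opens outbound DNS, which the local MTA behind mail() needs to look up MX records. It assumes IPv4 only, and DNS_SERVERS is an assumed placeholder for the host's resolvers.

```shell
#!/usr/bin/env bash
# Added example (not the poster's rule set): builds rules for the five
# requirements in the post and applies them behind a timed rollback, so a
# mistake on a remote box undoes itself. Assumes IPv4 only; DNS_SERVERS is
# an assumed placeholder for the host's resolvers (the MTA needs MX lookups).
set -eu
SSH_ALLOW="194.50.56.167 194.50.55.200"      # addresses from the post
DNS_SERVERS="${DNS_SERVERS:-203.0.113.53}"   # assumption, documentation range
SAVED=/tmp/iptables.before                   # assumption: rollback file
# Print the rule set instead of applying it, so it can be reviewed or tested.
# Policies go to DROP last, so the open SSH session is never cut off mid-way.
build_rules() {
  local t="iptables" ip
  echo "$t -P INPUT ACCEPT; $t -P OUTPUT ACCEPT; $t -F; $t -X"
  echo "$t -A INPUT -i lo -j ACCEPT"
  echo "$t -A OUTPUT -o lo -j ACCEPT"
  echo "$t -A INPUT -m conntrack --ctstate INVALID -j DROP"
  # Reply halves of every flow (SSH, HTTP, SMTP, DNS, ping) match these two,
  # so the per-port rules below only need to admit NEW connections.
  echo "$t -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  echo "$t -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  for ip in $SSH_ALLOW; do
    echo "$t -A INPUT -p tcp -s $ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "$t -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
  echo "$t -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT"
  for ip in $DNS_SERVERS; do   # mail() hands off to the local MTA, which must resolve MX
    echo "$t -A OUTPUT -p udp -d $ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "$t -A OUTPUT -p tcp -d $ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
  done
  # conntrack pairs each echo-reply with its echo-request, so only requests need rules
  echo "$t -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
  echo "$t -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT"
  echo "$t -P INPUT DROP; $t -P FORWARD DROP; $t -P OUTPUT DROP"
}
# Apply the rules; unless confirm_rules runs within 120 s, restore the old ones.
apply_with_rollback() {
  iptables-save > "$SAVED"
  ( sleep 120 && iptables-restore < "$SAVED" ) &
  echo $! > "$SAVED.pid"
  build_rules | bash -e
  echo "applied; open a NEW ssh session and run '$0 confirm' to keep them"
}
confirm_rules() { kill "$(cat "$SAVED.pid")" && rm -f "$SAVED.pid"; }
case "${1:-}" in
  apply)   apply_with_rollback ;;
  confirm) confirm_rules ;;
  *)       build_rules ;;      # default: print the rules for review
esac
```

Run it with no argument first and read the generated rules; only `apply` touches the live firewall, and `confirm` from a second SSH session cancels the rollback.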


G'day @AntiRix :)

I am moving this to Security, where iptables are dealt with.

Wizard