On Mon, 15 Mar 2010 23:30:59 +0000
Graham Bleach <graham@???> wrote:
> On 15 March 2010 13:56, john lewis <zen57162@???> wrote:
> > I did do 'iptables -L' to try to see if there was anything in the
> > firewall rules blocking me and got
> >
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > which means nothing to me ;-(
>
> It means you don't have any firewall rules, which is ill-advised on an
> Internet-facing server.
OK
> There are heaps of guides to creating a firewall policy, my favourite
> method at the moment is to use "ufw". It's in Debian as of squeeze.
but not in lenny, so I looked for an online guide and found
http://www.mista.nu/iptables/ amongst others; some seemed very
complicated, but I can almost understand what 'mista' generated:
#!/bin/sh
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
Comment:
This appears to remove any existing rules, set up defaults which
match what I currently have, then create some new rules.
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
Comment:
I don't know what the 'TCP sessions' line means, but it may well be a
good thing, as is the loopback devices section.
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
Comment:
I presume I can change --dport 22 to my chosen port as set
in /etc/ssh/sshd_config and change 0.0.0.0/0 to the IP address of this
system to further restrict ssh access.
I guess I need to open up http access to everyone to avoid blocking
access to the webpages I have available.
I am not sure if I need the pop3 line, but I do use an @startx.co.uk
email address on the server.
# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Comment:
I guess I need to allow outgoing packets.
Do these rules look OK and are they sufficient?
> Make sure you can access your VPS console before you start
> experimenting :)
Yup!
--
John Lewis
Debian & the GeneWeb genealogical data server
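The ruleset pasted above, reassembled as an added example (not from the thread or from mista.nu) in iptables-restore form so it loads as one atomic unit, with a timed rollback that covers Graham's point about keeping console access. SSH_PORT and ADMIN_CIDR are assumed placeholders; the port 110 line is left out as an assumption, since the thread leaves it undecided.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the posted ruleset in
# iptables-restore syntax (all-or-nothing load) and applies it with a timed
# rollback so a wrong rule cannot lock the admin out of the VPS.
# SSH_PORT and ADMIN_CIDR are assumed placeholders.

# Print the ruleset in iptables-save format. Port 110 (POP3) is omitted as an
# assumption: the thread leaves it undecided, and unused ports should stay shut.
gen_rules() {
    ssh_port="${SSH_PORT:-22}"             # Port from /etc/ssh/sshd_config
    admin_cidr="${ADMIN_CIDR:-0.0.0.0/0}"  # Where admin SSH logins come from
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -s $admin_cidr -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the rules atomically; a background timer restores the saved ruleset
# after 60s unless the admin confirms from a fresh SSH session. Needs root.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    if ! gen_rules | iptables-restore; then
        echo "ruleset rejected, firewall unchanged" >&2
        rm -f "$backup"; return 1
    fi
    ( sleep 60; iptables-restore < "$backup"; rm -f "$backup" ) &
    timer=$!
    echo "Rules loaded. Open a NEW ssh session, then press Enter within 60s."
    read -r _
    if kill "$timer" 2>/dev/null; then
        rm -f "$backup"; echo "Rules kept."
    else
        echo "Timer expired: previous rules restored."
    fi
}

case "${1:-}" in
    show)  gen_rules ;;            # Preview without touching the firewall
    apply) apply_with_rollback ;;  # Run as root
esac
```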