It's important to know when the rules are actually put in place during the boot 
process. This can be controlled via its index in /etc/rc.*. A more interface-specific 
location would be /etc/network/{if-down.d,if-post-down.d,if-pre-up.d,if-up.d}. 
Also note that the openvpn devices can be referenced as tun+ rather than the 
absolute device name. 

-- 
Cory Oldford 
PeaceWorks Computer Consulting 
#1 - 396 Assiniboine Ave, Winnipeg 
204 480 0314 --or-- 519 725 7875, ext 6010. 

----- Original Message ----- 
From: "Arturo Borrero Gonzalez" <[email protected]> 
To: [email protected] 
Cc: [email protected] 
Sent: Wednesday, February 15, 2012 12:25:12 PM GMT -06:00 US/Canada Central 
Subject: Re: Iptables example for mail/web/opevpn server 

2012/2/15 Raven <[email protected]>: 
> Hi guys. 
> I need some help in designing a simple iptables ruleset for a small 
> server I have recently set up. 
> 
> It's a VPS so the primary interface is venet0 with a public ip. The 
> server also runs an openvpn daemon with a 172.16.0.0/24 subnet. 
> 
> There is obviously no need for NAT or packet forwarding. All outbound 
> traffic should be allowed while inbound data is to be accepted only on 
> ports 80, 443, 25, 587 and 1194 (tcp,udp). 
> 
> Could you give me a rough idea of what a firewall script should look 
> like? 
> 
> Thanks 
> 
> -RV 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [email protected] 
> with a subject of "unsubscribe". Trouble? Contact [email protected] 
> Archive: http://lists.debian.org/[email protected] 
> 

Hi there, 

Depending on what kind of complexity you want, you could use a few 
iptables lines added at some place like /etc/rc... or somewhere. 

like: (this one is valid) 

## flush old rules 
iptables -F 
# rules: web and mail connections arriving on venet0 
iptables -t filter -A INPUT -i venet0 -d your_public_ip \ 
-p tcp --sport 1024: -m multiport --dports 80,443,25,587 \ 
-m state --state NEW,ESTABLISHED -j ACCEPT 
# openvpn over udp 
iptables -t filter -A INPUT -i venet0 -d your_public_ip \ 
-p udp --sport 1024: --dport 1194 \ 
-m state --state NEW,ESTABLISHED -j ACCEPT 
# default policy 
iptables -P OUTPUT ACCEPT 
iptables -P INPUT DROP 
## 

Or use the same schema, but using a rule for each connection, like: 
iptables -t filter -A INPUT -i venet0 -d ip \ 
-p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED \ 
-j ACCEPT 
iptables -t filter -A INPUT -i venet0 -d ip \ 
-p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED \ 
-j ACCEPT 
etc. (using that, you will see some usage statistics) 

Or you could use a more complex schema, using in detail the 'state' 
module or even managing per-packet, per-protocol flags. 

I think if you give me more details about the environment of the 
server, I could help you by being more explicit. 

For example: 

· IPv6 use, or support? 
· Complex firewall as a service management? 
· How many clients are going to use the server? 
· What about the scalability factor? Do you plan to expand the server 
in the future? 
· Is the server in your house, or is it a testing server, so 
availability and security could be forgiven in favor of a quick 
setup? 


Regards. 

-- 
/* Arturo Borrero Gonzalez || [email protected] */ 
/* Use debian gnu/linux! Best OS ever! */ 
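A firewall script for this setup, added here as an example (not code from the thread or from Debian): it combines the ruleset Arturo sketches with Cory's points about loading rules from /etc/network/if-pre-up.d and matching openvpn devices as tun+. It assumes a placeholder public address in PUBLIC_IP, that venet0 is managed by ifupdown (which exports IFACE to hooks), and that VPN clients may reach every service; unlike the snippet above it also accepts loopback and return traffic for the server's own outbound connections, which an INPUT DROP policy would otherwise block.

```shell
#!/bin/sh
# Added example, not code from the thread: ifupdown hook applying the ruleset
# discussed above (public interface venet0, openvpn on tun+ with 172.16.0.0/24,
# inbound only on 25/80/443/587/1194). Install as
# /etc/network/if-pre-up.d/firewall (mode 0755); ifupdown exports IFACE, so
# the rules are loaded before venet0 comes up. PUBLIC_IP is a placeholder.
PUBLIC_IF="venet0"
VPN_IF="tun+"                            # wildcard for tun0, tun1, ... (see above)
VPN_NET="172.16.0.0/24"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder (TEST-NET-3), replace it
TCP_PORTS="25,80,443,587,1194"
UDP_PORTS="1194"

# build_rules: print the iptables commands, one per line, without running
# them, so the ruleset can be reviewed (or tested) before it is applied.
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $PUBLIC_IF -d $PUBLIC_IP -p tcp -m multiport --dports $TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $PUBLIC_IF -d $PUBLIC_IP -p udp -m multiport --dports $UDP_PORTS -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT
iptables -A INPUT -i $PUBLIC_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# apply_rules: execute the generated commands (needs root and iptables).
# VPN clients (tun+ rule) reach every service, including ssh, since port 22
# is deliberately not opened on venet0 (assumption taken from the question).
apply_rules() {
    build_rules | sh -e
}

# Only act when ifupdown is bringing up the public interface; run by hand
# without IFACE set, the script applies nothing.
case "${IFACE:-}" in
    "$PUBLIC_IF") apply_rules ;;
esac
```

Run `sh firewall` with no IFACE set to review the generated rules via `build_rules` before enabling the hook; the trailing LOG rule makes dropped inbound packets visible in the kernel log for later checking.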

