IPTables is quick and easy to install, and it's a great way to lock down your server. Here's a quick start that will give you access to the server only for ssh, web, and email traffic.

<pre><code>sudo su -             # to become root
yum install iptables

# GROUND RULES: Allow established TCP traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# ALLOW: ssh, smtp, http, https, pings, local traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Match local traffic by the loopback interface rather than by a 127.0.0.1
# source address: a source-only check can be satisfied by spoofed packets and
# misses local connections made to the box's own eth0 address
iptables -A INPUT -i lo -j ACCEPT

# REJECT: anything that wasn't explicitly allowed
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

# Save rules so they'll be used after reboots
service iptables save
</code></pre>

That should give you a nice and secure system, but there are times you need to make exceptions. For instance, what if you have separate web server and database servers? You don't want to allow everyone in, but you will need to allow the web server to connect to the mysql port, 3306, on your database server. You can do that with a rule like this:

<pre><code># -I inserts the rule at the head of the chain. -A would append it after the
# final "iptables -A INPUT -j REJECT" above, where it would never be reached.
iptables -I INPUT -p tcp -s <source address> -d <destination address> --dport 3306 -j ACCEPT
</code></pre>

In our example, the source address would be the private address of your web server, and the destination address would be the private address of the db server. Use 'ifconfig eth1' on the servers to double-check your private address. You can easily tailor this command to only allow ssh or web traffic from certain IP addresses. Be sure to run *service iptables save* as root to save your rules after you make changes.

If you mess up, you can flush all rules and start over with *<code>iptables --flush</code>*, or you can delete a rule by changing the *-I* (or *-A*) to *-D* and repeating the same match, e.g.

<pre><code>iptables -I INPUT -s 120.23.210.33 -p tcp --dport 22 -j ACCEPT
# Oops. Typo in the source address. Delete it and try again:
iptables -D INPUT -s 120.23.210.33 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -s 120.23.210.32 -p tcp --dport 22 -j ACCEPT
</code></pre>

It is also worth noting that you may experience issues related to scp and rsync with large files being copied from the server running iptables. If you find that your process is reporting "stalled", you may need to temporarily disable iptables or add a static entry for the destination IP address.
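Rather than appending rules one at a time and then hunting for duplicates or dead rules, the ruleset above can be generated as a whole and loaded atomically. The script below is an added example, not code from the original page: it emits the quick-start rules for the database server (including the web-to-MySQL exception) in iptables-save format, checks that no INPUT ACCEPT rule ended up after the catch-all REJECT, and loads the result with iptables-restore. It assumes `iptables-restore`, `awk`, and the page's `service iptables save` are available, and the two addresses are passed in as arguments.

```shell
#!/bin/sh
# Added example, not code from the original page. It rebuilds the page's
# ruleset (for the database server, including the web->MySQL exception) as an
# iptables-save style file and loads it atomically with iptables-restore.
# Rebuilding the whole table avoids two pitfalls of incremental "iptables -A":
# duplicate rules when the commands are re-run, and a new ACCEPT rule landing
# after the final REJECT, where it never matches. Addresses are placeholders.

# gen_rules WEB_IP DB_IP: print the filter table in iptables-save format.
gen_rules() {
    web_ip="$1"; db_ip="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -s $web_ip -d $db_ip --dport 3306 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# check_order: read a ruleset on stdin; succeed only if no INPUT ACCEPT rule
# comes after the INPUT catch-all REJECT (such a rule would be dead).
check_order() {
    awk 'BEGIN { bad = 0 }
         /^-A INPUT / && /-j REJECT$/ { seen_reject = 1; next }
         /^-A INPUT / && /-j ACCEPT$/ && seen_reject { bad = 1 }
         END { exit bad }'
}

# apply_rules WEB_IP DB_IP: validate the ordering, then load the table in one
# atomic step (requires root) and persist it the way the page does.
apply_rules() {
    gen_rules "$1" "$2" | check_order || { echo "dead ACCEPT rule" >&2; return 1; }
    gen_rules "$1" "$2" | iptables-restore && service iptables save
}
```

Run `gen_rules 10.0.0.5 10.0.0.9` (constructed addresses) to review the table before calling `apply_rules` with the same arguments as root.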