help me find iptables file and harden my server

Discussion in 'Installation/Configuration' started by alyarb, May 4, 2012.

  1. alyarb

    alyarb New Member

    Hey guys, I am pretty new to linux in general but I really like ISPConfig so we are using that for a few services...

    I set up a VM and followed this guide exactly:

    http://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-dovecot-ispconfig-3

    so now that everything is setup, I need to put together the strictest firewall that I can while still giving myself access to the necessary ports.

    I really despise the firewall configurator that you get to by browsing to System -> Firewall -> Basic. As far as I can see, all you can do is open or close ports with it, which is not going to be flexible enough for me.

    I got excited when I hit the Monitor tab, at the very bottom, you can hit "show IPTables" and it will show you the iptables rules that are in effect. I want to add and modify rules to this file with the iptables commands that I know how to write.

    Here's what is there now:
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N INT_IN
    -N INT_OUT
    -N PAROLE
    -N PUB_IN
    -N PUB_OUT
    -N fail2ban-dovecot-pop3imap
    -N fail2ban-pureftpd
    -N fail2ban-ssh
    -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 208.66.47.19/32 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 224.0.0.0/4 -j DROP
    -A INPUT -i eth+ -j PUB_IN
    -A INPUT -i ppp+ -j PUB_IN
    -A INPUT -i slip+ -j PUB_IN
    -A INPUT -i venet+ -j PUB_IN
    -A INPUT -i bond+ -j PUB_IN
    -A INPUT -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j DROP
    -A OUTPUT -o eth+ -j PUB_OUT
    -A OUTPUT -o ppp+ -j PUB_OUT
    -A OUTPUT -o slip+ -j PUB_OUT
    -A OUTPUT -o venet+ -j PUB_OUT
    -A OUTPUT -o bond+ -j PUB_OUT
    -A INT_IN -p icmp -j ACCEPT
    -A INT_IN -j DROP
    -A INT_OUT -p icmp -j ACCEPT
    -A INT_OUT -j ACCEPT
    -A PAROLE -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
    -A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
    -A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT
    -A PUB_IN -p icmp -j DROP
    -A PUB_IN -j DROP
    -A PUB_OUT -j ACCEPT
    -A fail2ban-dovecot-pop3imap -j RETURN
    -A fail2ban-pureftpd -j RETURN
    -A fail2ban-ssh -j RETURN

    But of course I want to only allow HTTP/HTTPS to clients, and restrict every other service to only a couple of source addresses that we use for administration. So I assume this iptables rule file is just a text file somewhere that I can get to? But where?

    Also, I want to learn more about fail2ban and how I can permanently ban repeat offenders.

    Thanks!
     
  2. falko

    falko Super Moderator Howtoforge Staff

    The firewall rules you see are generated by ISPConfig's firewall (plus a few fail2ban rules). I don't know if you can achieve what you want with that firewall, however, you can check out its configuration - it's in the /etc/Bastille directory.
     

Share This Page