Hi, I followed your good tutorial to install ISPConfig: The Perfect Server – Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3), but I have some questions about the iptables config.

==> What is the best iptables config after installing ISPConfig, for a simple web server (DNS / Apache / local MySQL) with 2/3 websites?
==> Can you help me configure it? (For example, I see the MySQL port open with a remote nmap scan, and that is not good.)

Thanks.

My current ISPCONFIG SERVICES:
Code:
Web-Server: Online
FTP-Server: Online
SMTP-Server: Online
POP3-Server: Online
IMAP-Server: Online
DNS-Server: Online
mySQL-Server: Online

My current IPTABLES CONFIG:
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp
fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

NMAP OPEN PORT TEST:
Code:
~ nmap -T4 -F XXX.XXX.XXX.XXX
Starting Nmap 7.12 ( https://nmap.org )
Nmap scan report for
Host is up (0.054s latency).
Not shown: 85 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
Literally all ports are open, considering you haven't specified a REJECT rule in your INPUT chain (the default policy ACCEPT is used if no matching rule is encountered), therefore all inbound connections are accepted.

To accommodate the use of conntrack later on, we first have to set up a rule to allow ESTABLISHED connections:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

After that, add a REJECT rule at the end of the INPUT chain:
Code:
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Do the same for the FORWARD chain:
Code:
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Since you have no rules specified at all, this will close all ports. I recommend adding an additional chain for your services:
Code:
iptables -N SERVICES

Refer to it in your INPUT chain (note: the line number supplied depends on the rules present in your INPUT chain; if you have modified your INPUT chain in the meantime, adjust this number accordingly, it must come before the REJECT rule):
Code:
iptables -I INPUT 6 -j SERVICES

Start adding your services to the SERVICES chain (replace port 80 with whatever service you want to open):
Code:
iptables -A SERVICES -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT

Without saving, all rules will be lost after an iptables restart (reboot). To save the rules, issue the following command:
Code:
service iptables save

If your server is IPv6 enabled, repeat the process for your ip6tables.
For those services, you need to allow UDP port 53 and TCP ports 53, 80, 443 and whatever ISPConfig runs on, e.g. 8080. You might also want SSH access, which is TCP port 22. If you need FTP, allow TCP port 21 (and maybe a port range for data connections, see http://www.faqforge.com/linux/contr...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/), and you must allow RELATED connections.

An alternative to creating an entire iptables ruleset manually as above would be to install ufw and let ISPConfig add the firewall rules for you. Or even from the CLI, with:
Code:
# apt-get install ufw
# ufw allow 53/udp
# ufw allow 22/tcp
# ufw allow 53/tcp
# ufw allow 80/tcp
# ufw allow 443/tcp
# ufw allow 8080/tcp
# ufw enable

And for FTP with the passive port range from the FAQ, add:
Code:
# ufw allow 21/tcp
# ufw allow 40110:40210/tcp
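As an added example (not code from this thread, from ISPConfig or from ufw), the rules from the two answers above combined into one iptables-restore ruleset, generated by a shell function so it can be inspected and checked before it touches the live firewall. Assumed: the ISPConfig panel on tcp/8080, the pure-ftpd passive range 40110-40210 from the FAQ link, the mail ports seen in the nmap output, and that MySQL is used locally only, so 3306 is never opened; on Debian the file is loaded at boot by the iptables-persistent package from /etc/iptables/rules.v4.

```shell
#!/bin/sh
# Hypothetical helper: emit an iptables-restore ruleset for the services
# discussed in this thread. Not ISPConfig's own firewall code.
# Assumed values: ISPConfig panel on tcp/8080, pure-ftpd passive range
# 40110-40210, mail ports as seen in the nmap scan. MySQL (3306) stays
# closed on purpose: it is only reached locally by the web sites.

# gen_rules [SSH_SOURCE]: SSH_SOURCE optionally restricts port 22 to a CIDR
gen_rules() {
  ssh_src="${1:-0.0.0.0/0}"
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
# loopback and already-tracked traffic first, so conntrack can do its job
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -j SERVICES
# anything not matched above is rejected instead of falling to policy ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# DNS (BIND): UDP and TCP 53
-A SERVICES -p udp --dport 53 -j ACCEPT
-A SERVICES -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT
# web sites and the ISPConfig panel
-A SERVICES -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443,8080 -j ACCEPT
# mail (remove this line if the box serves no mail)
-A SERVICES -p tcp -m conntrack --ctstate NEW -m multiport --dports 25,110,143,465,587,993,995 -j ACCEPT
# SSH, optionally limited to one source network
-A SERVICES -p tcp -m conntrack --ctstate NEW -s ${ssh_src} --dport 22 -j ACCEPT
# FTP control channel plus the passive data range
-A SERVICES -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT
-A SERVICES -p tcp -m conntrack --ctstate NEW --dport 40110:40210 -j ACCEPT
COMMIT
EOF
}

# exposes_port PORT: succeeds if the generated ruleset opens PORT
# (single --dport, start of a port range, or a member of a multiport list)
exposes_port() {
  gen_rules | grep -qE -- "(--dport ${1}[ :]|--dports ([0-9]+,)*${1}[, ])"
}

# usage (as root):  gen_rules 203.0.113.0/24 > /etc/iptables/rules.v4
#                   iptables-restore < /etc/iptables/rules.v4
```

Review the output with `gen_rules | less` and re-run the nmap scan after loading it; 3306 and 8081 should no longer show as open.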