Wednesday, March 10, 2010

iptables sample ideal for vps

file path: /etc/sysconfig/iptables

This is a sample you can use for a web-hosting VPS. It is deliberately basic: every service port below is open to the whole Internet, so comment out the ports for services you do not actually run (for example 20:21, 25, 53, 110, 8880, 8443) rather than leaving them in "just in case". Back up your current rules first (`cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak`) so you can restore them if something goes wrong. Because the INPUT policy is DROP, a typo in this file can lock you out over SSH: apply it from a session you can afford to lose, keep a second session open, or pre-arrange a fallback (e.g. start `sleep 300; cp /etc/sysconfig/iptables.bak /etc/sysconfig/iptables; /etc/init.d/iptables restart` in the background before you load the new rules, and kill it once you have confirmed you can still log in).

#######iptables begin
# Generated by iptables-save v1.3.5 on Mon Mar 8 15:30:21 2010
# mangle table: no rules, every built-in chain is ACCEPT, so this table is a
# pass-through. It is kept only because iptables-save dumped it; the packet
# and byte counters in [brackets] are ignored by iptables-restore unless it
# is run with -c, so their values do not matter.
*mangle
:PREROUTING ACCEPT [53641:56160765]
:INPUT ACCEPT [53641:56160765]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44557:9348034]
:POSTROUTING ACCEPT [44557:9348034]
COMMIT
# Completed on Mon Mar 8 15:30:21 2010
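# Generated by iptables-save v1.3.5 on Mon Mar 8 15:30:21 2010
#
# filter table for a single web-hosting VPS.
#
# Design: INPUT/FORWARD/OUTPUT have policy DROP and immediately hand off to
# the VZ_* user chains (the Virtuozzo-style chain names the original used).
# Within VZ_INPUT every DROP rule is evaluated BEFORE any port ACCEPT; the
# original listed the stealth-scan and bogon-source DROPs *after* the port
# ACCEPTs, so a spoofed or XMAS packet aimed at an open port was accepted
# before the DROP was ever reached.
#
# Fixes relative to the original dump:
#  * "-A VZ_INPUT -p icmp -s 0/0 -d -j DROP" had no value after -d, which
#    makes iptables-restore reject the whole file; nothing loaded at all.
#  * The "Drop stealth scans" rules had an empty -i/-s and no -j target, so
#    they only counted packets and dropped nothing.
#  * tcp/udp 32768:65535 was ACCEPTed unconditionally, exposing every
#    listener on an ephemeral port (and duplicated at the end of the chain).
#    A single ESTABLISHED,RELATED rule replaces it.
#  * ICMP echo-request is NEW state, so the ESTABLISHED,RELATED-only ICMP
#    rule silently dropped inbound ping while the comment said "allow".
#
# The counters in [brackets] are ignored by iptables-restore unless -c is
# given, so they are zeroed here.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
-A INPUT -j VZ_INPUT
-A FORWARD -j VZ_FORWARD
-A OUTPUT -j VZ_OUTPUT
#
# ---------------------------------------------------------------- VZ_INPUT
#
# Loopback: match on the interface, not on 127.0.0.1 source/destination, so
# that the 127.0.0.0/8 anti-spoof rule further down can stay active for the
# real interface(s) without breaking local communication.
-A VZ_INPUT -i lo -j ACCEPT
#
# Connection tracking: drop packets conntrack cannot classify, accept the
# rest of any conversation this host started or that is related to an
# accepted one (DNS answers, package downloads, FTP data channels, ICMP
# errors such as fragmentation-needed).
-A VZ_INPUT -m state --state INVALID -j DROP
-A VZ_INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Stealth-scan / malformed TCP flag combinations (NULL, XMAS, SYN+FIN, ...).
-A VZ_INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags ALL ALL -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# A new TCP connection must begin with a bare SYN.
-A VZ_INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Spoofed / bogon source addresses. A VPS's public interface should never
# see these as sources. If the provider routes a private management or
# backup network into the VE, comment out the matching RFC1918 line.
-A VZ_INPUT -s 0.0.0.0/8 -j DROP
-A VZ_INPUT -s 127.0.0.0/8 -j DROP
-A VZ_INPUT -s 10.0.0.0/8 -j DROP
-A VZ_INPUT -s 172.16.0.0/12 -j DROP
-A VZ_INPUT -s 192.168.0.0/16 -j DROP
-A VZ_INPUT -s 224.0.0.0/3 -j DROP
#
# ICMP: answer pings, but rate-limit them so the box cannot be used as a
# ping-flood reflector. Comment this out if the host should not answer
# ping at all; ICMP errors for existing flows are already RELATED above.
-A VZ_INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
#
# Public services. Each rule accepts only the NEW connection; the
# ESTABLISHED,RELATED rule above carries the rest of the conversation.
# Comment out every port the VPS does not actually serve.
# SSH: consider pinning the source (e.g. "-s <your-ip>") if you always
# connect from a fixed address.
-A VZ_INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
# SMTP / POP3 (POP3 on 110 is cleartext; prefer POP3S/IMAPS if offered).
-A VZ_INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
# DNS: only needed if this host is an authoritative/public resolver;
# answers to the host's own lookups are covered by ESTABLISHED above.
-A VZ_INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
# FTP control channel. Passive-mode data connections are only classified
# RELATED when the FTP conntrack helper (ip_conntrack_ftp) is loaded; on
# RHEL/CentOS-style systems that is IPTABLES_MODULES in
# /etc/sysconfig/iptables-config — verify for your distribution.
-A VZ_INPUT -p tcp -m tcp --dport 20:21 -m state --state NEW -j ACCEPT
# Control panel (8880/8443 are the Plesk defaults); drop if not installed.
-A VZ_INPUT -p tcp -m tcp --dport 8880 -m state --state NEW -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 8443 -m state --state NEW -j ACCEPT
#
# Anything else falls through to the INPUT policy: DROP.
#
# -------------------------------------------------------------- VZ_FORWARD
# No rules: a VPS does not route for anyone, so FORWARD's DROP policy applies.
#
# --------------------------------------------------------------- VZ_OUTPUT
#
# The original chain accepted every TCP and UDP packet outright
# ("-p tcp -j ACCEPT" / "-p udp -j ACCEPT"), which made all of its per-port
# --sport rules dead code; this says the same thing without the noise.
# Tighten here (e.g. only --dport 25 to your relay, only --dport 53 to known
# resolvers) if a compromised web app should not be able to reach out to
# arbitrary hosts.
-A VZ_OUTPUT -o lo -j ACCEPT
-A VZ_OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A VZ_OUTPUT -p tcp -j ACCEPT
-A VZ_OUTPUT -p udp -j ACCEPT
COMMIT
# Completed on Mon Mar 8 15:30:21 2010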
# Generated by iptables-save v1.3.5 on Mon Mar 8 15:30:21 2010
# nat table: no rules, every built-in chain is ACCEPT, so no address or port
# translation happens; a single VPS has nothing to NAT. Kept because
# iptables-save dumped it. The counters in [brackets] are ignored by
# iptables-restore unless it is run with -c.
*nat
:PREROUTING ACCEPT [6142:368537]
:POSTROUTING ACCEPT [315:20384]
:OUTPUT ACCEPT [315:20384]
COMMIT
# Completed on Mon Mar 8 15:30:21 2010
####iptables-end#

That's all. Restart iptables after editing so the file is loaded with iptables-restore. Note that on CentOS/RHEL the init script flushes the old rules and resets the policies to ACCEPT before loading the new file, so if the load fails on a syntax error you are typically left with no firewall at all rather than the old one: check the exit status of the restart and confirm the rules are present afterwards with `iptables -L -n -v` (or `service iptables status`).

/etc/init.d/iptables restart

Sources:

http://www.homepage.montana.edu/~unixuser/031705/iptables.fedora.html
http://bash.cyberciti.biz/security/linux-virtuozzo-vps-firewall-script-2/
http://forums.vpslink.com/linux/865-iptables-error-weird-character-interface-venet0-0-a.html
