Amazon iptables

To Next Page

To Previous Page

iptablesrocks.org - Deploying the firewall

-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT

-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT

-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT

-A INPUT -p udp -m udp --dport 53 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#uncomment the next line if you are running Spamassassin on your server

#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

-A INPUT -s 127.0.0.1 -j ACCEPT

-A INPUT -p icmp -j icmp_packets

-A INPUT -j LOG_DROP

#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic

#Note how at the end we log any outbound packets that are not accepted.

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT

-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

#uncomment the next line if you are running Spamassassin on your server

#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT

-A OUTPUT -d 127.0.0.1 -j ACCEPT

-A OUTPUT -p icmp -j icmp_packets

-A OUTPUT -j LOG_DROP

#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets, should we wish

to log any accepted requesets.

-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options

-A LOG_DROP -j DROP

-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options

-A LOG_ACCEPT -j ACCEPT

#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.

# Make sure you replace 1.2.3.4 with the IP address of your server.

-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT

-A icmp_packets -s 1.2.3.4 -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP

-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT

COMMIT

Save and exit the file.

Now import the firewall into your server's iptables ruleset...

iptables-restore < /root/primary_firewall

If you don't get any errors, your firewall should now be active. So let's take a look at the iptables status and see what it looks like.

iptables -L

http://www.iptablesrocks.org/guide/ruleset.php (2 of 4) [2/13/2004 8:04:54 PM]

Amazon iptables

Related product manuals