Enabling firewall on a public server

Enabling firewall on a public server (i.e. server accessible from the internet)
1) Use the system-config-securitylevel command to configure a basic firewall.
2) Do a basic ssh check (try to log in to the server from the visitor network).
3) Fine-tune the firewall settings: allow access ONLY to the required ports/services.
4) chkconfig iptables on
5) Test again from the visitor network and ensure the required services are accessible and the non-required services are NOT accessible.
In the following example we are opening the firewall for port 22 (ssh), 4812 (archive engine), 3306 (MySQL), UDP+TCP 5064 (one IOC) and port 61616 for JMS.
# system-config-securitylevel
Click on Apply and exit. This will create /etc/sysconfig/iptables file.
# service iptables start
Check ssh access from visitor network.
Fine-tune the firewall: lock down everything except what is permitted. Do this by editing the /etc/sysconfig/iptables file.
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
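Before restarting iptables it is worth checking the edited file against the list of ports you actually meant to expose. The script below is an added example, not part of the original page: it parses the rule file above (embedded as a constructed sample), reports every (protocol, port) that is ACCEPTed beyond the allow-list given in the text, and confirms that the chain still ends with the catch-all REJECT. Run against the file as shown it flags the UDP rules for 3306, 4812 and 61616 and the mDNS rule for UDP 5353, none of which the text lists.

```python
"""Audit an /etc/sysconfig/iptables rule set against an intended allow-list
(added example, not from the original page): report ports ACCEPTed beyond
what the procedure meant to expose, and confirm the catch-all REJECT is last."""
import re

# Constructed sample: the page's RH-Firewall-1-INPUT rules, with chain
# headers and commented-out lines omitted.
SAMPLE_RULES = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# What the text says should be reachable: ssh, archive engine, MySQL and JMS
# over TCP, and the IOC's port 5064 over both TCP and UDP.
INTENDED = {("tcp", 22), ("tcp", 4812), ("tcp", 3306),
            ("tcp", 5064), ("udp", 5064), ("tcp", 61616)}

def opened_ports(rules_text):
    """Return the set of (proto, port) pairs ACCEPTed by any -A rule."""
    opened = set()
    for line in rules_text.splitlines():
        if not line.startswith("-A ") or " -j ACCEPT" not in line:
            continue
        proto = re.search(r"-p (tcp|udp)\b", line)
        port = re.search(r"--dport (\d+)", line)
        if proto and port:
            opened.add((proto.group(1), int(port.group(1))))
    return opened

def audit(rules_text, intended):
    """Return (unexpected, missing, ends_with_reject) for the rule set."""
    opened = opened_ports(rules_text)
    chain = [l for l in rules_text.splitlines()
             if l.startswith("-A RH-Firewall-1-INPUT")]
    return opened - intended, intended - opened, bool(chain) and "-j REJECT" in chain[-1]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, INTENDED))
```

To audit the live file, replace SAMPLE_RULES with the contents of /etc/sysconfig/iptables and adjust INTENDED to the services the host really needs.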
Normally /etc/sysconfig/iptables-config would look like this:
# cat /etc/sysconfig/iptables-config | grep -v "^#" | grep -v "^$"
IPTABLES_MODULES=" ip_conntrack_netbios_ns "
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
To enable iptables at boot time, issue the command:
# chkconfig iptables on
To start iptables:
# service iptables start
Minor issue: the "service iptables start" command won't start iptables.
Probable cause: the /etc/sysconfig/iptables file is missing. Just for troubleshooting you can create it by issuing the command "touch /etc/sysconfig/iptables", or you can have the file created by issuing the "system-config-securitylevel" command and selecting the defaults.