Add to collection(s) Add to saved
  1. Social Science
  2. Political Science
  3. Media

Enabling firewall on a public server

advertisement 
Enabling firewall on a public server (i.e. server accessible from the internet)
1) Use system-config-securitylevel command to configure basic firewall.
2) Do basic ssh checking (try to login to the server from visitor network).
3) Fine tune the firewall settings/Allow access ONLY to required
ports/services.
4) chkconfig iptables on
5) Test again from visitor network and ensure required services are accessible
and non-required services are NOT accessible.
In the following example we are opening firewall for 22 (ssh), 4812 (archive
engine), 3306 (MySQL), UDP+TCP 5064 (one IOC) and for 61616 port for JMS.
# system-config-securitylevel
Click on Apply and exit. This will create /etc/sysconfig/iptables file.
# service iptables start
Check ssh access from visitor network.
Fine tune the firewall/Lockdown everything except what is permitted. Do this by editing
/etc/sysconfig/iptables file.
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Normally /etc/sysconfig/iptables-config would look like this # cat /etc/sysconfig/iptables-config | grep -v "^#" | grep -v "^$"
IPTABLES_MODULES=" ip_conntrack_netbios_ns "
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
To enable iptables at boot time issue command –
# chkconfig iptables on
To start iptables –
# service iptables start
Minor issues - “service iptables start” command won’t start iptables !
Probable cause - /etc/sysconfig/iptables file missing. Just for troubleshooting you can create it by issuing
command “touch /etc/sysconfig/iptables” Or you get this file created by issuing “system-configsecuritylevel” command and selecting the defaults.
Related documents
IPtables Tips and Tricks-3
IPtables Tips and Tricks-3
Solving the Problems of FTP
Solving the Problems of FTP
Exam Overview
Exam Overview
Firewalls
Firewalls
CSAS 3211 Practice - Seton Hall University Pirate Server
CSAS 3211 Practice - Seton Hall University Pirate Server
04_UDP
04_UDP
Network Protocols
Network Protocols
접근 통제 시스템 Access Control System
접근 통제 시스템 Access Control System
上課要求(Network Requirement)
上課要求(Network Requirement)
List of new Commercial VSAT licencees
List of new Commercial VSAT licencees
8.
8.
Download
advertisement