sysadmin global firewall 03102011
Yannouk edited this page Jul 5, 2012
Made by : olbat
Date: 03/10/2011
Currently applied on : papilusion
Configuring firewall rules to only allow incoming connections on the HTTP and SSH ports; connections to any other port are dropped rather than rejected, so the client gets no reset.
The OVH monitoring backend needs the following entries, see http://guides.ovh.com/FireWall
```sh
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc obtained from the previous rule
/sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG servers
/sbin/iptables -A INPUT -i eth0 -p icmp --source IP.251 -j ACCEPT # IP for the monitoring system
```
- user : root
- host : papilusion
- date : 03/10/11 21:59
- curpath: /root
- First, accept incoming traffic that belongs to a connection initiated by the host (conntrack states ESTABLISHED and RELATED)
root@papilusion# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- Then the explicitly authorized traffic: loopback, SSH (22) and HTTP (80)
root@papilusion# iptables -A INPUT -i lo -j ACCEPT
root@papilusion# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
root@papilusion# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- Drop every other kind of incoming traffic by setting the INPUT chain policy
root@papilusion# iptables -P INPUT DROP
- Create auto-saving and auto-loading scripts
root@papilusion# iptables-save -c > /etc/iptables.rules
- Edit /etc/network/if-post-down.d/iptables-save, see [1]
root@papilusion# chmod +x /etc/network/if-post-down.d/iptables-save
- Edit /etc/network/if-pre-up.d/iptables-load, see [2]
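The steps above end up as the contents of /etc/iptables.rules in `iptables-restore` format. As an added example (not part of the original wiki page), the shell script below renders that ruleset in the page's order (state match first, loopback, then the allowed TCP ports, with INPUT policy DROP and the other chains left at ACCEPT as on the page) and runs a sanity check before anything is loaded. Nothing here touches the kernel; the `ALLOWED_TCP_PORTS` variable and the function names `render_rules` / `validate_rules` are assumptions of this example, not names from the page.

```sh
#!/bin/sh
# Added example: render the page's firewall rules in iptables-restore format
# (what /etc/iptables.rules contains after `iptables-save`) and validate it.
# Assumed names (not from the page): ALLOWED_TCP_PORTS, render_rules, validate_rules.

# TCP ports accepted from anywhere: SSH and HTTP, as on the page.
ALLOWED_TCP_PORTS="22 80"

# Print the filter table. Rule order matters: the conntrack match comes first so
# replies to connections the host opened are accepted before anything else,
# then loopback, then the allowed ports; everything else hits the DROP policy.
render_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD ACCEPT [0:0]'   # page leaves FORWARD/OUTPUT at default ACCEPT
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  for p in $ALLOWED_TCP_PORTS; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# Sanity check before loading: succeed only if the INPUT policy is DROP (the
# host is not left open), SSH is still accepted (no lock-out) and the conntrack
# rule is present (outbound connections keep working).
validate_rules() {
  rules=$(render_rules)
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q -- '--dport 22 -j ACCEPT' || return 1
  printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED' || return 1
  return 0
}

# Usage on the host (not executed here):
#   validate_rules && render_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
render_rules
```

Running the script prints the ruleset; on the host it would be written to /etc/iptables.rules and loaded with `iptables-restore`, which is also what the if-pre-up.d hook does at boot. Keeping the validation step in front of the load is what prevents a typo in the file from locking out SSH or, worse, restoring a ruleset with an ACCEPT policy.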
- [1] Edit /etc/network/if-post-down.d/iptables-save
--- old 2011-10-03 22:03:00.000000000 +0200 +++ new 2011-10-03 22:04:09.000000000 +0200 @@ -0,0 +1,3 @@ +#!/bin/sh +iptables-save -c > /etc/iptables.rules +exit 0
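Review bot: saving on every interface-down event means that a ruleset which was flushed or opened up for debugging before the interface goes down gets written over /etc/iptables.rules by `+iptables-save -c > /etc/iptables.rules` and becomes the boot ruleset; the hook also fires once per interface (lo included), so the file is rewritten several times. Consider saving explicitly after a deliberate change instead, or at least checking that the INPUT policy is still DROP before overwriting the file (e.g. `iptables -S INPUT | grep -q '^-P INPUT DROP' || exit 0`); the `-c` flag saves packet counters, which are not needed to restore the policy.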
- [2] Edit /etc/network/if-pre-up.d/iptables-load
--- old 2011-10-03 22:04:54.000000000 +0200 +++ new 2011-10-03 22:05:05.000000000 +0200 @@ -0,0 +1,3 @@ +#!/bin/sh +iptables-restore < /etc/iptables.rules +exit 0
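Review bot: `+iptables-restore < /etc/iptables.rules` fails silently: if the file is missing or unparsable the error goes to stderr and the script still reaches `+exit 0`, so the interface comes up with the kernel's default ACCEPT policy and no rules while the hook reports success. Guard the load, e.g. `[ -r /etc/iptables.rules ] || exit 1` before the restore, or set `iptables -P INPUT DROP` first as a fallback, so a missing or broken file fails closed rather than open (at the cost of SSH access until the file is repaired).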