
    Firewall on Fedora with cPanel/WHM service

    Hi

    First of all I want to say that I am not very experienced with configuring firewalls.
    But I don't use any generators or the like; I prefer clear code. So I wrote the following rules:

    Code:
    #!/bin/bash
    # Address the inbound service rules are bound to (-d). XX.XX.XX.XX is a
    # placeholder; put the real address here before running the script.
    HOSTIP='XX.XX.XX.XX'
    
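    #######################################
    # Load the rule set: default-deny INPUT/FORWARD, ACCEPT OUTPUT, allow
    # loopback and already-tracked traffic, open the listed service ports on
    # $HOSTIP, reject ident/socks probes and rate-limit logging of INVALID
    # packets.
    # Globals:   HOSTIP (read) - destination address for the service rules
    # Outputs:   progress message on stdout
    # Returns:   exit status of the last command run
    #######################################
    firewall_start() {
        # Ports opened to every source (-s 0/0). 22 (ssh) and 443 (https)
        # are absent although both services run on this host, so a NEW
        # remote SSH or HTTPS connection hits the INPUT DROP policy;
        # 3306 (mysql) is reachable from anywhere.
        local -a tcp_ports=(21 25 53 80 110 143 465 953 993 999
                            2082 2083 2084 2086 2087 2095 2096
                            3306 6666 7786)
        local -a udp_ports=(53 6277)
        local port

        # An empty HOSTIP would produce a broken -d argument; abort instead.
        : "${HOSTIP:?HOSTIP must be set to the address the services listen on}"
        echo "Starting Firewall..."

        # Connection tracking and the FTP helpers, loaded before the rules
        # that use -m state (modprobe resolves their mutual dependencies).
        /sbin/modprobe ip_conntrack
        /sbin/modprobe ip_conntrack_ftp
        /sbin/modprobe ip_nat_ftp

        # Clean slate: flush rules, remove user-defined chains, default-deny
        # inbound and forwarded traffic, allow everything outbound.
        /sbin/iptables -F
        /sbin/iptables -X
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -P FORWARD DROP
        /sbin/iptables -P OUTPUT ACCEPT

        # Loopback is trusted.
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A OUTPUT -o lo -j ACCEPT
        /sbin/iptables -A FORWARD -o lo -j ACCEPT

        # INPUT: replies to tracked connections first, then NEW connections
        # to each published service port.
        /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        for port in "${tcp_ports[@]}"; do
            /sbin/iptables -A INPUT -p tcp -s 0/0 -d "$HOSTIP" --dport "$port" -m state --state NEW -j ACCEPT
        done
        for port in "${udp_ports[@]}"; do
            /sbin/iptables -A INPUT -p udp -s 0/0 -d "$HOSTIP" --dport "$port" -m state --state NEW -j ACCEPT
        done

        # BLOCKS

        # Disable ECN where the kernel exposes the knob.
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
            echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi

        # Anti-spoofing: reverse-path filtering on all interfaces (guarded
        # like the ECN knob so a missing file does not print an error).
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
            echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        fi

        # Holes: drop INVALID outbound ICMP; answer ident (113) and socks
        # (1080) probes with port-unreachable instead of a silent drop.
        /sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
        /sbin/iptables -A INPUT -p tcp --dst 0/0 --dport 113  -j REJECT --reject-with icmp-port-unreachable
        /sbin/iptables -A INPUT -p tcp --dst 0/0 --dport 1080 -j REJECT --reject-with icmp-port-unreachable

        # LOG: rate-limited record of INVALID packets, which then fall
        # through to the INPUT DROP policy. The prefix keeps the entries
        # distinguishable from other kernel log lines.
        /sbin/iptables -A INPUT -m state --state INVALID -m limit --limit 5/minute -j LOG --log-prefix "fw invalid: "
    }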
    
    #######################################
    # Lock the box down: empty the filter and nat tables and leave all three
    # chains with a DROP policy, so no packets pass in either direction.
    # Outputs:   progress message on stdout
    #######################################
    firewall_stop() {
        local chain
        echo "Stop the Firewall..."
        /sbin/iptables -F
        /sbin/iptables -t nat -F
        for chain in INPUT FORWARD OUTPUT; do
            /sbin/iptables -P "$chain" DROP
        done
    }
    
    #######################################
    # Open everything: ACCEPT policy on all three chains, then flush the
    # filter table (the nat table is left as it is).
    #######################################
    firewall_flush() {
        local chain
        for chain in INPUT OUTPUT FORWARD; do
            /sbin/iptables -P "$chain" ACCEPT
        done
        /sbin/iptables -F
    }
    
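    # Dispatch on the first argument. An unknown or missing argument prints
    # the usage line on stderr; as in the original, that path still exits 0.
    case "$1" in
        start)
            firewall_start
            ;;
        stop)
            firewall_stop
            ;;
        restart)
            firewall_stop
            sleep 1
            firewall_start
            ;;
        flush)
            firewall_flush
            ;;
        temp)
            # Trial run: rules stay up for 40 s and are then flushed —
            # presumably a safety net against locking yourself out while
            # testing a new rule set.
            firewall_stop
            sleep 1
            firewall_start
            sleep 40
            firewall_flush
            ;;
        *)
            printf 'usage %s start|stop (-P DROP)|restart|flush (-P ACCEPT)|temp (time 40s)\n' "$0" >&2
            ;;
    esac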
    I have Fedora 5 with the following services: HTTP + SSL, Exim + SSL, ClamAV, SSH, ProFTPD + SSL, named, SpamAssassin, BoxTrapper, NTP, MySQL, PostgreSQL.
    When I apply the rules, everything looks all right, but I could be wrong, because I am a beginner. Can anyone tell me what I missed?

    Greetings.


    For the time being it works nicely =)
    Any comments?
