
Firewall on fedora with cpanel/whm service

Discussion in 'General Discussion' started by Grzeslaw, Aug 18, 2006.

  1. Grzeslaw (Well-Known Member, joined Jul 11, 2006, Poland)

    Hi

    First of all I want to say that I'm not very good at configuring firewalls.
    But I don't use any generators or such, I prefer plain code. So I wrote the following rules:

    Code:
    
    #!/bin/bash
    # Stateful iptables firewall for a cPanel/WHM host:
    # drop everything inbound by default, open only the listed service
    # ports, allow all outbound traffic.

    HOSTIP=XX.XX.XX.XX
    IPT=/sbin/iptables

    firewall_start() {
        echo "Starting Firewall..."

        # Load connection tracking (plus the FTP helpers, so passive/active
        # FTP data channels count as RELATED) before any rule that matches
        # on connection state.
        /sbin/modprobe ip_conntrack
        /sbin/modprobe ip_conntrack_ftp
        /sbin/modprobe ip_nat_ftp

        $IPT -F
        # Default policies: nothing in, nothing forwarded, anything out.
        # Note: DROP is set before the rules below exist, so packets of an
        # existing SSH session are dropped for a moment; TCP retransmits
        # cover that, and the 'temp' mode below is the safety net.
        $IPT -P INPUT DROP
        $IPT -P FORWARD DROP
        $IPT -P OUTPUT ACCEPT

        # Loopback is always trusted.
        $IPT -A INPUT   -i lo -j ACCEPT
        $IPT -A OUTPUT  -o lo -j ACCEPT
        $IPT -A FORWARD -o lo -j ACCEPT

    #  INPUT

        # Replies to connections we opened, and related traffic
        # (e.g. FTP data channels via ip_conntrack_ftp).
        $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # New inbound connections to the public services.
        # TCP: 21 ftp, 25 smtp, 53 dns, 80 http, 110 pop3, 143 imap,
        # 465 smtps, 953 rndc (BIND control channel), 993 imaps,
        # 2082/2083 cPanel, 2086/2087 WHM, 2095/2096 webmail, 3306 mysql;
        # 999, 2084, 6666 and 7786 are kept exactly as in the original list.
        TCP_PORTS="21 25 53 80 110 143 465 953 993 999 2082 2083 2084 2086 2087 2095 2096 3306 6666 7786"
        for port in $TCP_PORTS; do
            $IPT -A INPUT -p tcp -d $HOSTIP --dport $port -m state --state NEW -j ACCEPT
        done
        # UDP: 53 dns, 6277 DCC (the checksum clearinghouse SpamAssassin can query)
        UDP_PORTS="53 6277"
        for port in $UDP_PORTS; do
            $IPT -A INPUT -p udp -d $HOSTIP --dport $port -m state --state NEW -j ACCEPT
        done

    # BLOCKS

        # Disable TCP ECN; some old routers drop ECN-flagged SYNs.
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
            echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi

        # ANTI-SPOOF: reverse path filtering on all interfaces.
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

        # HOLES
        # Do not emit ICMP for packets the state tracker considers invalid.
        $IPT -A OUTPUT -p icmp -m state --state INVALID -j DROP
        # Reject ident (113) and SOCKS (1080) with port-unreachable instead
        # of dropping silently, so remote mail servers doing ident lookups
        # fail fast instead of waiting for a timeout.
        $IPT -A INPUT -p tcp --dport 113  -j REJECT --reject-with icmp-port-unreachable
        $IPT -A INPUT -p tcp --dport 1080 -j REJECT --reject-with icmp-port-unreachable

    #  LOG
    #   $IPT -A INPUT -j LOG --log-prefix "bad input:"
        # Rate-limited logging of INVALID packets; everything else that
        # reaches the end of the chain is dropped silently by the policy.
        $IPT -A INPUT -m state --state INVALID -m limit --limit 5/minute -j LOG --log-prefix "fw invalid: "
    }

    firewall_stop() {
        # "stop" here means: no rules, but keep dropping everything.
        echo "Stopping the Firewall..."
        $IPT -F
        $IPT -t nat -F
        $IPT -P INPUT DROP
        $IPT -P FORWARD DROP
        $IPT -P OUTPUT DROP
    }

    firewall_flush() {
        # Fully open: accept everything, no rules.
        $IPT -P INPUT ACCEPT
        $IPT -P OUTPUT ACCEPT
        $IPT -P FORWARD ACCEPT
        $IPT -F
    }

    case "$1" in
        'start')
            firewall_start
            ;;
        'stop')
            firewall_stop
            ;;
        'restart')
            firewall_stop
            sleep 1
            firewall_start
            ;;
        'flush')
            firewall_flush
            ;;
        'temp')
            # Try the rules for 40 s, then open up again: if they lock you
            # out, you get back in without a console.
            firewall_stop
            sleep 1
            firewall_start
            sleep 40
            firewall_flush
            ;;
        *)
            echo "usage: $0 start|stop (-P DROP)|restart|flush (-P ACCEPT)|temp (rules for 40s, then flush)"
            ;;
    esac
    
    I have Fedora 5 with the services: http + SSL, exim + SSL, clamav, SSH, pro-ftpd + SSL, named, spamassassin, boxtrapper, ntp, mysql, postgresql.
    When I implement the rules, it looks like everything is all right, but I could be wrong, because I'm a beginner. Can anyone tell me what I missed or something?

    Greetings.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
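The question "what did I miss?" is best answered mechanically: compare the ports the script opens with the ports the host actually listens on. The script below is an added example, not part of the original post and not cPanel's code. It assumes ACCEPT rules have the shape `-A INPUT ... -p tcp|udp ... --dport N ... -j ACCEPT` (as in the posted script) and that the socket listing is in `netstat -lntu` format; both inputs embedded in `write_samples` are constructed samples, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the ports a
# firewall script opens against what the host is actually listening on.
# Sample inputs are constructed; on a real host feed it the real script
# and the output of `netstat -lntu`.

# Ports a firewall script explicitly accepts, as "proto/port", sorted.
allowed_ports() {
    grep -E -- '-A INPUT .*-j ACCEPT' "$1" \
        | sed -n -E 's/.*-p (tcp|udp) .*--dport ([0-9]+).*/\1\/\2/p' \
        | sort -u
}

# Listening sockets from `netstat -lntu` style output, as "proto/port".
# tcp6/udp6 are folded into tcp/udp; sockets bound only to loopback
# (127.x or ::1) are skipped, since they need no INPUT rule.
listening_ports() {
    awk '{ proto = $1; sub(/6$/, "", proto) }
         (proto == "tcp" || proto == "udp") && $4 ~ /:[0-9]+$/ && $4 !~ /^(127\.|::1:)/ {
             n = split($4, a, ":"); print proto "/" a[n]
         }' "$1" | sort -u
}

# Listening ports the script does not allow: these are silently dropped by
# "-P INPUT DROP" (this is how an admin locks himself out of SSH).
unprotected_listeners() {
    allowed=$(allowed_ports "$1")
    listening_ports "$2" | while read -r p; do
        printf '%s\n' "$allowed" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Allowed ports where nothing listens: dead rules, candidates for removal.
dead_rules() {
    listening=$(listening_ports "$2")
    allowed_ports "$1" | while read -r p; do
        printf '%s\n' "$listening" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample inputs: a few rule lines in the posted script's shape
# and a netstat-style socket listing (hypothetical host 10.0.0.5).
write_samples() {
    cat > "$1" <<'EOF'
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 10.0.0.5 --dport 21   -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 10.0.0.5 --dport 80   -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 10.0.0.5 --dport 2087 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 10.0.0.5 --dport 3306 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 0/0 -d 10.0.0.5 --dport 53   -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dst 0/0 --dport 113 -j REJECT --reject-with icmp-port-unreachable
EOF
    cat > "$2" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

run_demo() {
    rules=$(mktemp); socks=$(mktemp)
    write_samples "$rules" "$socks"
    echo "listening but not allowed:";     unprotected_listeners "$rules" "$socks"
    echo "allowed but nothing listening:"; dead_rules "$rules" "$socks"
    rm -f "$rules" "$socks"
}

if [ "${1:-}" = "demo" ]; then
    run_demo
fi
```

Run it as `sh check_fw.sh demo`; on the sample data it reports tcp/22 and udp/123 as listening without a rule, and tcp/21 and tcp/3306 as rules with no public listener (MySQL bound to 127.0.0.1 needs no hole at all). Against a live host, pass the real script and a saved `netstat -lntu` (or `ss -lntu`, whose columns differ, so adjust the awk field) and decide per port whether the listener should be public, bound to localhost, or closed.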
  2. Grzeslaw

    For the time being it works nicely =)
    Any remarks?