The Community Forums

Firewall on fedora with cpanel/whm service

Discussion in 'General Discussion' started by Grzeslaw, Aug 18, 2006.

  1. Grzeslaw (Well-Known Member, Poland; joined Jul 11, 2006)

    Hi

    First of all I want to tell you that I'm not very good at configuring firewalls.
    But I don't use any generators or sth, I prefer clear code. So I wrote the following rules:

    Code:

    #!/bin/bash
    # Stateful iptables firewall for a cPanel/WHM host.
    # Policy: drop everything inbound except the listed services and replies
    # to connections we opened ourselves; allow all outbound traffic.

    HOSTIP=XX.XX.XX.XX   # public address of this server

    firewall_start() {
        echo "Starting Firewall..."

        # connection-tracking modules (FTP helper lets RELATED match FTP data connections)
        /sbin/modprobe ip_conntrack
        /sbin/modprobe ip_conntrack_ftp
        /sbin/modprobe ip_nat_ftp

        /sbin/iptables -F
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -P FORWARD DROP
        /sbin/iptables -P OUTPUT ACCEPT

        # loopback is always allowed
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A OUTPUT -o lo -j ACCEPT
        /sbin/iptables -A FORWARD -o lo -j ACCEPT

        # INPUT

        # TCP: packets of existing connections, then NEW connections to the listed services
        /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        for port in 21 25 53 80 110 143 465 953 993 999 \
                    2082 2083 2084 2086 2087 2095 2096 3306 6666 7786; do
            /sbin/iptables -A INPUT -p tcp -s 0/0 -d $HOSTIP --dport $port -m state --state NEW -j ACCEPT
        done

        # UDP
        for port in 53 6277; do
            /sbin/iptables -A INPUT -p udp -s 0/0 -d $HOSTIP --dport $port -m state --state NEW -j ACCEPT
        done

        # BLOCKS

        # ECN: turn off explicit congestion notification
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
            echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi

        # ANTI-SPOOF: reverse-path filtering on all interfaces
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

        # HOLES
        /sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
        # ident (113) and SOCKS (1080): answer with a reject instead of silently dropping
        /sbin/iptables -A INPUT -p tcp --dst 0/0 --dport 113  -j REJECT --reject-with icmp-port-unreachable
        /sbin/iptables -A INPUT -p tcp --dst 0/0 --dport 1080 -j REJECT --reject-with icmp-port-unreachable

        # LOG
        # /sbin/iptables -A INPUT -j LOG --log-prefix "bad input:"
        /sbin/iptables -A INPUT -m state --state INVALID -m limit --limit 5/minute -j LOG
    }

    # stop: remove all rules and drop everything in every direction
    firewall_stop() {
        echo "Stop the Firewall..."
        /sbin/iptables -F
        /sbin/iptables -t nat -F
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -P FORWARD DROP
        /sbin/iptables -P OUTPUT DROP
    }

    # flush: remove all rules and accept everything (no firewall at all)
    firewall_flush() {
        /sbin/iptables -P INPUT ACCEPT
        /sbin/iptables -P OUTPUT ACCEPT
        /sbin/iptables -P FORWARD ACCEPT
        /sbin/iptables -F
        /sbin/iptables -t nat -F
    }

    case "$1" in
        'start')
            firewall_start
            ;;
        'stop')
            firewall_stop
            ;;
        'restart')
            firewall_stop
            sleep 1
            firewall_start
            ;;
        'flush')
            firewall_flush
            ;;
        'temp')
            # test mode: apply the rules for 40 seconds, then open everything again
            # (so a mistake that locks you out undoes itself)
            firewall_stop
            sleep 1
            firewall_start
            sleep 40
            firewall_flush
            ;;
        *)
            echo "usage: $0 start|stop (-P DROP)|restart|flush (-P ACCEPT)|temp (time 40s)"
            exit 1
            ;;
    esac

    
    I have Fedora 5 with the services: http + SSL, exim + SSL, clamav, SSH, proftpd + SSL, named, SpamAssassin, BoxTrapper, ntp, mysql, postgresql.
    When I apply the rules, it looks like everything is all right, but I could be wrong, because I'm a beginner. Can anyone tell me what I missed or sth?

    Greetings.
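    The script above accepts a fixed list of TCP ports, so the first check worth running on such a host is whether that list matches what the machine actually listens on: a daemon bound to a port that is not in the list is silently blocked by the INPUT DROP policy (the posted rules contain no line for TCP 22, for instance, so SSH is only reachable if it listens on one of the listed ports), and an accepted port with nothing behind it is a rule to reconsider. The following is an added example, not code from the thread: it cross-checks the poster's allowed-port list against `ss -ltn` style output. The `ss` output embedded in it is constructed for the example (a hypothetical host), and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: compare the TCP ports a firewall accepts with the ports a host
# is listening on, to find services blocked by the default DROP policy and
# accept rules with no listener behind them.

# The TCP --dport values from the posted firewall_start() rules.
ALLOWED_TCP="21 25 53 80 110 143 465 953 993 999 2082 2083 2084 2086 2087 2095 2096 3306 6666 7786"

# Constructed sample of `ss -ltn` output (hypothetical host; on a real host run: ss -ltn).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    0.0.0.0:80           0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:2087         0.0.0.0:*
LISTEN 0      128    *:5432               *:*'

# Ports from the ss output ($1) that listen on a non-loopback address.
# The port is the last colon-separated field of "Local Address:Port".
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "127.0.0.1" && host != "::1" && host != "[::1]") print port
        }' | sort -n | uniq
}

# Exposed listeners with no ACCEPT rule: reachable on the wire, but the INPUT
# policy DROP swallows the SYN. $1 = ss output, $2 = allowed port list.
unreachable_listeners() {
    for p in $(exposed_listeners "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Allowed ports with no exposed listener: harmless today, but every open port
# is a rule someone will forget about. $1 = ss output, $2 = allowed port list.
idle_allows() {
    listening=$(exposed_listeners "$1" | tr '\n' ' ')
    for p in $2; do
        case " $listening " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

report() {
    echo "Listening but not accepted (blocked by INPUT DROP policy):"
    unreachable_listeners "$SAMPLE_SS" "$ALLOWED_TCP" | tr '\n' ' '; echo
    echo "Accepted but nothing exposed is listening:"
    idle_allows "$SAMPLE_SS" "$ALLOWED_TCP" | tr '\n' ' '; echo
}

report
```

    On the constructed sample the first list is 22 and 5432 (SSH and PostgreSQL reachable by address but filtered), and 3306 does not appear in it because MySQL is bound to 127.0.0.1 only. To use it on a real host, replace `SAMPLE_SS` with `$(ss -ltn)` and regenerate `ALLOWED_TCP` from the running rules (`iptables -S INPUT`) rather than from the script, so the comparison is against what is actually loaded.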
     
  2. Grzeslaw (Well-Known Member, Poland)

    For the time being it works nicely =)
    Any remarks?
     