Thanks to:
http://bencane.com/2012/09/17/iptables-linux-firewall-rules-for-a-basic-web-server/
http://www.linux.org/threads/base-iptables-rules-that-will-apply-to-virtually-any-web-server.10/ (used this script with modifications)

NOTES:

Here is a simple script that allows all outbound connections, plus the inbound replies to those outbound connections (tracked by conntrack). Ports 22, 80 and 443 are also allowed in, along with a few more rules. Some rules are commented out for you to enable if needed. Make sure you have an alternate connection, because if you lock yourself out of SSH you might be out of luck (restarting the PC/server will clear the rules, unless you have configured it to load these iptables rules on boot).

CLEAR ALL:

Clear all rules (this is good to keep handy, maybe save it as a script called iptables-clear-all.sh):

MAIN TABLE:

I use that to start off my iptables main script: first I clear previous rules with the above script, then I get into the good stuff.

Notes: The synflood was commented out because my iptables didn't like the second command; it said some error came about. Also the DNS rules I crossed out, as this is not a DNS server, so the only DNS traffic I'll be doing is connecting to a DNS server (and receiving traffic back from one, but that's handled by conntrack). So everything below experimental you can choose to leave out if you want; however, everything above worked 100% for me. My WordPress is still alive.
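The post's own clear-all and main-table scripts are not reproduced here, so the following is an added example of my own (not the author's script, nor the linux.org one it was based on) that implements what the notes describe: flush everything, allow all outbound traffic and the conntrack replies to it, accept new connections on 22, 80 and 443, log and drop the rest, and keep the SYN-flood and DNS-server pieces as separate functions that are not enabled by default. The file name, the APPLY and IPT variables and the function names are my own choices. It runs as a dry run that only prints the iptables commands unless APPLY=1, which is the cheapest insurance against the SSH lockout the notes warn about.

```shell
#!/bin/sh
# Added example, not the script from the post. Dry run by default: prints the
# iptables commands it would run. Set APPLY=1 to actually change the firewall.
IPT="${IPT:-iptables}"        # override with "echo iptables" to preview commands

# "Clear all": reset policies to ACCEPT, then flush and delete every chain.
# Policies go first so that a flush never leaves a DROP policy with no rules.
clear_all() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    for t in filter nat mangle; do
        $IPT -t "$t" -F     # flush all rules in the table
        $IPT -t "$t" -X     # delete user-defined chains
    done
}

# Main table: everything out, only replies and 22/80/443 in, log and drop the rest.
web_server_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections this host initiated come back through conntrack
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    for port in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # rate-limited so a scan cannot fill the log
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP      # set last, after the accept rules are in place
}

# Experimental section of the post: rate-limit new TCP connections.
# -I puts the jump at the top of INPUT so it runs before the ACCEPT rules.
syn_flood_rules() {
    $IPT -N syn_flood
    $IPT -I INPUT -p tcp --syn -j syn_flood
    $IPT -A syn_flood -m limit --limit 20/s --limit-burst 50 -j RETURN
    $IPT -A syn_flood -j DROP
}

# Only for a host that actually serves DNS (the post leaves this out).
dns_server_rules() {
    $IPT -I INPUT -p udp --dport 53 -j ACCEPT
    $IPT -I INPUT -p tcp --dport 53 -j ACCEPT
}

main() {
    clear_all
    web_server_rules
    # syn_flood_rules     # experimental; enable deliberately and tune the limits
    # dns_server_rules    # only if this host is a DNS server
}

if [ "${APPLY:-0}" = 1 ]; then
    main
else
    IPT="echo iptables"   # dry run: show what would be applied
    main
fi
```

Run it once without APPLY to read the commands, then with APPLY=1 from a session you can afford to lose, keeping a second SSH session open: the ESTABLISHED,RELATED rule is what keeps that session alive once the INPUT policy flips to DROP. The 20/s SYN limit is a placeholder; every page load opens several connections, so measure before enabling it on a busy site.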

HOW TO LOAD IT ON BOOT:

Save the above into a readable and executable script and just have /etc/rc.local load it.

Pretend I saved the script as /etc/iptables.sh

chmod +x /etc/iptables.sh

In my rc.local, I would put (above the exit 0)

HOW TO MONITOR ITS WORKINGS:

This will show you live counters, what's blocked and accepted:

watch -n0 "iptables -nvL"

OR see the differences with watch (they will be highlighted):
watch -n0 -d "iptables -nvL"
Might want to slow down the interval:
watch -n2 -d "iptables -nvL"
More watch script variations to see differences:
Makeshift difference script with watch:

watch -n0 "(iptables -nvL > /tmp/now123); (diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff); (cat /tmp/diff); (mv -f /tmp/now123 /tmp/prev123);"

Slow it down some:
watch -n2 "(iptables -nvL > /tmp/now123); (diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff); (cat /tmp/diff); (mv -f /tmp/now123 /tmp/prev123);"

While loop scripts to watch iptables:

While loop watch iptables:
while true; do iptables -nvL; sleep 1; done;
Same script with while loop – difference:
while true; do iptables -nvL > /tmp/now123; diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff; clear; cat /tmp/diff; mv -f /tmp/now123 /tmp/prev123; sleep 1; done
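The snapshot-and-diff one-liners above work, but they print the diff headers too and choke on the first run when the previous snapshot does not exist yet. As an added example (mine, not from the post), here is the same idea as a small script: it takes exact counters with -x so that small changes are not hidden behind rounded values like 12K, prints the whole table on the first call, and afterwards prints only the rules whose counters moved. STATE_DIR, counter_diff and watch_counters are names I chose; the IPT variable exists so the script can be exercised against a fake iptables without root.

```shell
#!/bin/sh
# Added example, not from the post: show only the iptables rules whose
# packet/byte counters changed since the previous snapshot.
IPT="${IPT:-iptables}"                          # override with a fake for testing
STATE_DIR="${STATE_DIR:-/tmp/iptables-watch}"   # assumed snapshot location

counter_diff() {
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/prev"
    now="$STATE_DIR/now"
    # -x prints exact counters instead of 12K/3M rounding
    $IPT -nvL -x > "$now"
    if [ -f "$prev" ]; then
        # keep only the "+" lines of a zero-context diff, i.e. rules whose
        # counters moved; skip the "+++" file header. grep exits 1 when
        # nothing changed, which is not an error here, hence "|| true".
        diff -U0 "$prev" "$now" | grep '^+[^+]' || true
    else
        cat "$now"      # first snapshot: no baseline yet, show the whole table
    fi
    mv -f "$now" "$prev"
}

# Loop like the while-true one-liner, with the interval as an argument.
watch_counters() {
    while true; do
        clear 2>/dev/null || true
        counter_diff
        sleep "${1:-1}"
    done
}

# usage: sh iptables-watch.sh watch [seconds]
case "${1:-}" in
    watch) watch_counters "${2:-1}" ;;
esac
```

Each printed line is a rule whose counters changed in the last interval, so a burst of lines on the LOG or DROP rule while a port shows no ACCEPT movement is the pattern to look for when checking that a block is actually taking effect.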
