Bin seit 3 Jahren zufrieden mit
http://goodworkaround.com/node/32 auf meinem WebDAV-Server.
Unten das Original. Man ersetze, wo notwendig,
ACCEPT durch
DROP,
was ich selbst auch gemacht habe: nur 443 ist für WebDAV geöffnet, der Rest steht auf DROP oder ist mit # auskommentiert.
Den Text ohne # habe ich als Beispiel (das Original) hier stehen lassen.
/etc/iptables_secure.sh
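#!/bin/sh
# /etc/iptables_secure.sh - default-deny firewall for this host.
#
# Flushes the existing rule set, sets INPUT and FORWARD to DROP (OUTPUT stays
# ACCEPT) and then opens the listed services.  Unless a rule carries -s, it
# accepts the service from *any* source address.
#
# A failing rule is reported on stderr but does NOT abort the script:
# stopping half-way (for example because the "recent" match module is not
# loadable) would leave the DROP policy in place without the SSH/HTTPS allow
# rules that come later, locking a remote administrator out.  The exit
# status is non-zero when any rule failed, so the caller can still notice.

IPT="/sbin/iptables"

# Without this check a missing binary produces "not found" for every line
# while the script still exits 0 and no policy is applied at all.
if [ ! -x "$IPT" ]; then
  echo "Error: $IPT not found or not executable" >&2
  exit 1
fi

# Number of iptables invocations that failed; decides the exit status.
failed=0

# rule ARGS...
# Run one iptables command; on failure print the arguments and continue.
rule() {
  if ! "$IPT" "$@"; then
    echo "Error: iptables $* failed" >&2
    failed=$((failed + 1))
  fi
}

# Flush old rules, old custom tables
rule --flush
rule --delete-chain

# Set default policies for all three default chains
rule -P INPUT DROP
rule -P FORWARD DROP
rule -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
rule -A INPUT -i lo -j ACCEPT
rule -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN (disabled in the original)
# rule -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

# Accept established connections.  This already covers every reply packet,
# which is why the --sport/--dport 1024: ESTABLISHED rules in the FTP block
# below add nothing (kept for fidelity with the original).
rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Opening CARP"
rule -A INPUT --protocol 112 -j ACCEPT

# Brute force
# Limit the number of ssh connections to 6 per minute.
# NOTE: the limiter only matches -i eth0, while the "Opening SSH" accept rule
# further down matches every interface; on a host whose uplink is not eth0
# the limit is never applied.  Drop the -i eth0 or add it to the accept rule.
rule -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
rule -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name SSH -j DROP

# Limit the number of ftp connections to 10 per minute (disabled in the original)
# rule -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
# rule -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name FTP -j DROP

echo "Opening FTP"
rule -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
rule -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
rule -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# OUTPUT policy is ACCEPT, so this rule is likewise redundant.
rule -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Opening HTTP(S)"
rule -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
rule -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo "Opening SSH"
rule -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

echo "Opening MySQL"
# Reachable from every source address.  Add -s <client-cidr> unless remote
# clients really connect to the database directly.
rule -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

echo "Opening port 7777 - ocfs2"
rule -A INPUT -p tcp --dport 7777 -m state --state NEW -j ACCEPT
rule -A INPUT -p udp --dport 7777 -j ACCEPT

echo "Opening NTP"
rule -A INPUT -p udp --dport 123 -j ACCEPT
# NTP runs over UDP only; the TCP/123 rule opens nothing NTP needs.
rule -A INPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT

# echo "Opening all from same subnet"
# rule -A INPUT -p tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT

# Accept inbound ICMP messages (echo request and time exceeded)
echo "Opening ping and traceroute"
rule -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
rule -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

if [ "$failed" -gt 0 ]; then
  echo "Error: $failed iptables rule(s) failed, rule set is incomplete" >&2
  exit 1
fi
exit 0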
/etc/iptables_open.sh
#!/bin/sh
# /etc/iptables_open.sh - reset the firewall to "allow everything".
#
# Flushes all rules and user-defined chains, sets the policy of every
# builtin chain to ACCEPT and re-adds the loopback allow rules.  Used by the
# init script's "stop" action; afterwards the host answers on every port.
echo "Opening firewall"
IPT="/sbin/iptables"

# Drop the current rule set and any custom chains
$IPT --flush
$IPT --delete-chain

# Default policy ACCEPT on all three builtin chains
for chain in INPUT FORWARD OUTPUT; do
  $IPT -P "$chain" ACCEPT
done

# Loopback traffic stays explicitly allowed in both directions
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
/etc/init.d/firewall
#! /bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $portmap
# Required-Stop:
# Should-Start: udev-mtab
# Default-Start: 2
# Default-Stop: 0 6
# Short-Description: iptables firewall
# Description: Applies the restrictive iptables rule set on "start" and
#              resets the firewall to accept-all on "stop".
### END INIT INFO

# Standard init helpers; start/stop merely dispatch to the two rule scripts.
. /lib/init/vars.sh
. /lib/lsb/init-functions

# NOTE(review): the restrictive rule set is shown as /etc/iptables_secure.sh,
# but "start" runs /etc/iptables_script.sh - confirm the path matches the
# file actually installed.
action=$1
case "$action" in
  stop)
    # Open the firewall completely
    sh /etc/iptables_open.sh
    ;;
  start)
    # Apply the restrictive rule set
    sh /etc/iptables_script.sh
    ;;
  restart|reload|force-reload)
    echo "Error: argument '$action' not supported" >&2
    exit 3
    ;;
  *)
    echo "Usage: $0 start|stop" >&2
    exit 3
    ;;
esac
Um die FW aktiv zu machen:
Starten:
Stoppen:
FW beim Booten automatisch starten: