[wplug] IPTABLES help

Ted Rodgers ted.d.rodgers at gmail.com
Thu Aug 16 15:47:55 EDT 2012


>> I need two iptables scripts. One will run on my VPS server and only
>> allow apache connection requests as well as ssh connection requests, I
>> want all other traffic blocked.

The script for your VPS could be done a couple of ways.
Here's a method that should prevent you from shooting yourself in the
foot; just replace <username> with your user's name:


1) create the file /home/<username>/lockout and add the following lines to it:

#!/bin/bash

# change default policy to ACCEPT
iptables -P INPUT ACCEPT

# remove INPUT filters
iptables -F INPUT

# provide a 60 second window for you to connect if you lock yourself out
sleep 60s

# allow any existing or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow apache port 80
iptables -A INPUT -p tcp   --dport 80                  -j ACCEPT

# allow apache ssl
iptables -A INPUT -p tcp   --dport 443                 -j ACCEPT

# allow ssh
iptables -A INPUT -p tcp   --dport 22                  -j ACCEPT

# change default INPUT policy to DROP
# (note: there is no loopback rule, so once the policy is DROP new
# connections to 127.0.0.1 on other ports are dropped as well)
iptables -P INPUT DROP


2) Once you have that file, make it executable:
# chmod +x /home/<username>/lockout

3) Then set a cron job for root to run the command every 15 minutes.
As root (or using sudo):

crontab -e

*/15 * * * * /home/<username>/lockout

Again, make sure to replace the <username> in the path.  The script
will flush all INPUT filters, wait 60 seconds, then only allow ports for
apache and ssh and flip the policy to DROP.

Once you are sure it works, and it should, you can make the changes
permanent by entering the uncommented lines past the sleep command and
using "iptables save" before setting your iptables service to start at
system startup. If you make it permanent, you'll also want to clear
out the cron job too:
# crontab -r

(or you can use crontab -e to delete the line if other crons are listed)


>> The second script will run on my home
>> server and block all traffic that did not originate from the server.
>> Also can someone tell me what to add to cron so that it flushes the
>> rules every 15 minutes while I test the scripts to make sure I don't
>> lock myself out from the VPS. Thanks!!!


For your other system, I'm not clear what you are asking. Be specific
and explain, because "block all" would imply you may as well unplug the
NIC.

Ted
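As an added example (not Ted's script and not from the original thread), the same lockout idea written so it can be inspected before it is applied. It keeps the post's rule set (80, 443, ssh, established/related) and adds one rule the post's script lacks, accepting loopback traffic, so local services that talk to 127.0.0.1 keep working once the policy is DROP. It uses the newer `-m conntrack --ctstate` match, which is equivalent to `-m state --state` here. The IPTABLES, SSH_PORT and GRACE variables are my own assumptions: with IPTABLES left unset the script only echoes the commands, which is how you check it (and how it is tested below) without touching the live firewall; run it as root with IPTABLES=iptables and the argument "apply" to enforce it.

```shell
#!/bin/bash
# Added example, not the list post's script.
# IPTABLES defaults to "echo iptables", i.e. dry-run: rules are printed,
# not applied. Set IPTABLES=iptables (as root) to actually apply them.
IPTABLES="${IPTABLES:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"     # change if sshd listens elsewhere (assumed default)
GRACE="${GRACE:-60}"           # seconds the firewall stays open before locking down

# Step 1 of the post: open up and flush INPUT so a mistake below cannot
# strand you; the cron job re-runs this every 15 minutes while testing.
open_firewall() {
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -F INPUT
}

# Step 2 of the post, plus a loopback rule: accept only what the box needs.
apply_rules() {
  # local traffic (127.0.0.1 / ::1) would otherwise be dropped by the policy
  $IPTABLES -A INPUT -i lo -j ACCEPT
  # replies to connections the box already has, same as --state in the post
  $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # apache (80/443) and ssh
  for port in 80 443 "$SSH_PORT"; do
    $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  # everything else is dropped by default
  $IPTABLES -P INPUT DROP
}

# Number of ACCEPT rules the rule set would install; handy for a sanity check
# before switching from dry-run to the real iptables binary.
count_accept_rules() {
  apply_rules | grep -c -- '-j ACCEPT'
}

# Full cycle as the post describes it: open, wait, then lock down.
lockout() {
  open_firewall
  sleep "$GRACE"
  apply_rules
}

case "${1:-}" in
  apply) lockout ;;       # e.g. IPTABLES=iptables ./lockout.sh apply (as root)
  show)  apply_rules ;;   # print the rules that would be applied
esac
```

Usage: `./lockout.sh show` prints the five ACCEPT rules and the DROP policy; once that looks right, put `IPTABLES=iptables /home/<username>/lockout.sh apply` in root's crontab exactly as the post does, and drop the cron entry after you make the rules permanent.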

