stunirvana21 n00b

Joined: 24 May 2011 Posts: 41
Posted: Thu Aug 15, 2013 9:39 pm Post subject: [Solved] Configuring iptables

I am trying to set up a firewall on my web/email server. I have come up with the following list of rules, but when I enable them, I lose the ability to use roundcube. I can't figure out which ports I need to open to allow for this.
My rules:
Code:
# flush all existing rules in the filter table
/sbin/iptables -F
# allow all loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s x.a.com -j ACCEPT ##where x is the hostname and a is the domain
/sbin/iptables -A INPUT -i eth0 -s a.com -j ACCEPT
# accept packets belonging to (or related to) connections already tracked by conntrack
/sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# inbound service ports: smtp, dns, http, pop3, imap, https, imaps, pop3s, ssh (moved to 2222)
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 993 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 995 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 2222 -j ACCEPT
# everything else arriving on eth0 is dropped
/sbin/iptables -A INPUT -i eth0 -j DROP
I have 2222 open because I am running ssh on that port instead of 22. I am running postfix, dovecot, apache, ssh, and roundcube. Those are the only services I need to have ports open for.
EDIT: Updated rules
Last edited by stunirvana21 on Thu Aug 15, 2013 10:43 pm; edited 2 times in total |
PaulBredbury Watchman

Joined: 14 Jul 2005 Posts: 7310
Posted: Thu Aug 15, 2013 10:17 pm Post subject: Re: Configuring iptables

Your ruleset is incomplete; I suggest you google for an example ruleset.
E.g. you are missing:
Code:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
stunirvana21 n00b

Joined: 24 May 2011 Posts: 41
Posted: Thu Aug 15, 2013 10:33 pm Post subject: Re: Configuring iptables

PaulBredbury wrote:
    Your ruleset is incomplete; I suggest you google for an example ruleset.
    E.g. you are missing:
    Code:
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

I added that one at one point, but it didn't appear to help, so I removed it.
I was going to try to do logging and see what port(s) were being blocked when I accessed roundcube. However, I don't have that module in the kernel and I am running a paravirtual kernel on a VM server I don't have control of.
Also, see my updated rules in the first post.
stunirvana21 n00b

Joined: 24 May 2011 Posts: 41
Posted: Thu Aug 15, 2013 10:43 pm

Actually, I think what PaulBredbury suggested fixed my issue. I swear I tried it before, but maybe I didn't have the rules for my host.domain and domain in then.
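Added example (not code from the thread or from any of its posters): a small Python model of first-match evaluation over the INPUT chain from the first post, showing why the RELATED,ESTABLISHED rule PaulBredbury pointed out matters. Packets that belong to connections the server itself opened, such as the reply to an outbound DNS lookup, arrive on an ephemeral port that none of the --dport rules list, so without the conntrack rule they fall through to the final DROP. The addresses, the values assumed for what x.a.com and a.com resolve to, and the sample packets are all constructed; the model ignores source ports, fragments and other matches a real chain can use.

```python
"""First-match model of the poster's INPUT chain, with and without the conntrack rule.

Added example, not part of the original forum thread. It mimics iptables only
closely enough to show which rule each sample packet hits.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    proto: str       # "tcp" or "udp"
    dport: int
    ctstate: str     # "NEW", "ESTABLISHED" or "RELATED" (what conntrack would report)


@dataclass(frozen=True)
class Rule:
    target: str                          # "ACCEPT" or "DROP"
    iface: Optional[str] = None          # -i
    src: Optional[str] = None            # -s, already resolved to one address
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    ctstates: frozenset = frozenset()    # -m conntrack --ctstate

    def matches(self, pkt: Packet) -> bool:
        """Every match option given on the rule must hold; unset options match anything."""
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.ctstates and pkt.ctstate not in self.ctstates:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """The first matching rule decides, as in a real chain; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed stand-ins for x.a.com and a.com: iptables resolves a hostname when
# the rule is loaded, so each -s rule ends up matching a fixed address.
HOST_ADDR = "192.0.2.10"
DOMAIN_ADDR = "192.0.2.11"

SERVICE_PORTS = (25, 53, 80, 110, 143, 443, 993, 995, 2222)


def build_chain(with_conntrack: bool) -> List[Rule]:
    """The INPUT chain from the first post, optionally without the RELATED,ESTABLISHED rule."""
    chain = [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", iface="eth0", src=HOST_ADDR),
        Rule("ACCEPT", iface="eth0", src=DOMAIN_ADDR),
    ]
    if with_conntrack:
        chain.append(Rule("ACCEPT", iface="eth0",
                          ctstates=frozenset({"RELATED", "ESTABLISHED"})))
    chain += [Rule("ACCEPT", iface="eth0", proto="tcp", dport=p) for p in SERVICE_PORTS]
    chain.append(Rule("DROP", iface="eth0"))
    return chain


# Constructed sample traffic, using documentation address ranges.
SAMPLES: Dict[str, Packet] = {
    "client opens HTTPS":          Packet("eth0", "203.0.113.7", "tcp", 443, "NEW"),
    "DNS reply to our own query":  Packet("eth0", "198.51.100.53", "udp", 51234, "ESTABLISHED"),
    "roundcube to dovecot on lo":  Packet("lo", "127.0.0.1", "tcp", 143, "NEW"),
    "unsolicited probe of 3306":   Packet("eth0", "203.0.113.9", "tcp", 3306, "NEW"),
}


def verdicts(with_conntrack: bool) -> Dict[str, str]:
    """Verdict for each sample packet under the chain built with or without the conntrack rule."""
    chain = build_chain(with_conntrack)
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for flag in (False, True):
        print("with conntrack rule:" if flag else "without conntrack rule:")
        for name, verdict in verdicts(flag).items():
            print(f"  {name:28s} -> {verdict}")
```

Only the DNS reply changes verdict between the two chains: it is DROPped without the conntrack rule and ACCEPTed with it, while the inbound HTTPS connection, the loopback traffic and the probe of an unlisted port get the same answer either way. On a real box the equivalent check is `iptables -L INPUT -v -n --line-numbers`, whose per-rule packet counters show which rule a blocked connection is actually landing on.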