On Mon, 15 Mar 2010 23:30:59 +0000
Graham Bleach <graham(a)darkskills.org.uk> wrote:
> On 15 March 2010 13:56, john lewis <zen57162(a)zen.co.uk> wrote:
>> I did do 'iptables -L' to try to see if there was anything in the
>> firewall rules blocking me and got
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> which means nothing to me ;-(
> It means you don't have any firewall rules, which is ill-advised on an
> Internet-facing server.
OK
> There are heaps of guides to creating a firewall policy, my favourite
> method at the moment is to use "ufw". It's in Debian as of squeeze.
but not in lenny, so I looked for an online guide and found
http://www.mista.nu/iptables/ amongst others, some seemed very
complicated but I can almost understand what 'mista' generated:
#!/bin/sh
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
Comment:
This appears to remove any existing rules, set up defaults which
match what I currently have, then create some new rules.
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
Comment:
I don't know what the 'TCP sessions' line means but it may well be a
good thing as is the loopback devices section.
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
Comment:
I presume I can change --dport 22 to my chosen port as set
in /etc/ssh/sshd_config and change 0.0.0.0/0 to the IP address of this
system to further restrict ssh access.
I guess I need to open up http access to everyone to avoid blocking
access to the webpages I have available.
I am not sure if I need the pop3 line, but I do use an @startx.co.uk
email address on the server.
# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Comment:
I guess I need to allow outgoing packets
Do these rules look OK and are they sufficient?
> Make sure you can access your VPS console before you start
> experimenting :)
Yup!
--
John Lewis
Debian & the GeneWeb genealogical data server
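An added example, not from the thread or from the mista.nu generator: the same ruleset written as a shell function with a dry-run mode, so the SSH port and source restriction John asks about can be reviewed (and a typo such as the missing "-j" caught) before the rules are applied on the server. The names SSH_PORT, ADMIN_NET, DRY_RUN and world_open_ssh are assumed here; the script itself only applies rules when invoked with "apply" as root.

```shell
#!/bin/sh
# Added example (not from the thread or mista.nu): the ruleset above,
# parametrised and given a dry-run mode. SSH_PORT, ADMIN_NET, DRY_RUN
# and world_open_ssh are names assumed here, not from the original post.
SSH_PORT="${SSH_PORT:-22}"           # must match "Port" in /etc/ssh/sshd_config
ADMIN_NET="${ADMIN_NET:-0.0.0.0/0}"  # narrow to the address/CIDR you ssh in from
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints the rules instead of applying

ipt() {
    # Every rule passes through here, so a dry run catches a typo such as
    # "-ACCEPT" for "-j ACCEPT" before it aborts a live reload half-way.
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

build_rules() {
    ipt -F                      # flush old rules
    ipt -X                      # delete old custom chains
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # A new TCP connection must start with SYN; anything else is bogus
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH: only on the configured port and only from the admin network
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT  # web, world-open
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT  # DNS lookups
    # With OUTPUT policy DROP, any other new outbound connection (apt-get,
    # outgoing mail, NTP) is blocked until a matching OUTPUT rule is added.
}

# Number of dry-run rules that accept new SSH from anywhere (0 is what you want
# once ADMIN_NET is narrowed); lets a reviewer check before applying.
world_open_ssh() {
    ( DRY_RUN=1; build_rules ) | grep -c -- "--dport $SSH_PORT -s 0.0.0.0/0" || true
}

case "${1:-}" in
    apply) build_rules ;;                 # as root on the server: sh fw.sh apply
    show)  ( DRY_RUN=1; build_rules ) ;;  # review first: sh fw.sh show
esac
```

Run "sh fw.sh show" with your own SSH_PORT and ADMIN_NET exported first and read the printed rules; only then "sh fw.sh apply" from a console session that does not depend on the SSH port you are changing.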