
Firewalling Kloxo with IPTABLES

Hi Folks :)

Just for my own documentation: I am using Kloxo on my server, and when I need this I can just copy and paste it from my site.

I took this guide from the official Kloxo Wiki, from [ this ]. Don't ask me what to do or how to do it; just read it and try it :) The goal is that you can use this to firewall your server and run the firewall as a service on your server.

Before you follow this guide: if you use a custom SSH port or custom Kloxo ports, change the matching lines in the script in step 3 (the SSH port line and the Kloxo port lines) to the values from your server configuration. Get this right before starting the firewall on a remote box, because the default policy is DROP and a wrong SSH port locks you out.

1. Stop the stock iptables service, if you enabled it before, so it does not overwrite these rules.

root@server# /etc/init.d/iptables stop
root@server# chkconfig iptables off

2. Create the file /etc/init.d/firewall (you can use vim or touch).

root@server# touch /etc/init.d/firewall
root@server# vi /etc/init.d/firewall

3. Copy and paste this code into the file (/etc/init.d/firewall):

#!/bin/sh
# firewall
# chkconfig: 2345 21 91
# description: Starts, stops iptables firewall

case "$1" in
start)

# Clear rules and user-defined chains in the filter table
iptables -t filter -F
iptables -t filter -X
echo "- Clear rules : [OK]"

# SSH In (change 22 if you use a custom SSH port). This rule comes first so
# the management session is allowed before the default policy switches to DROP.
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
echo "- SSH : [OK]"

# Don't break established connections (covers replies to everything allowed
# below, so only the first packet of each connection needs its own rule)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "- established connections : [OK]"

# Block all connections by default. This also applies to OUTPUT: any outgoing
# connection to a port not listed below is dropped.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "- Block all connections : [OK]"

# SYN-Flood Protection: rate-limit new SYNs, log and drop the excess.
# The chain must be hooked into INPUT, otherwise it is defined but never used.
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
iptables -A INPUT -p tcp --syn -j syn-flood
echo "- SYN-Flood Protection : [OK]"

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "- Loopback : [OK]"

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo "- PING : [OK]"

# DNS In/Out (In is only needed if this server runs a name server)
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo "- DNS : [OK]"

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "- NTP : [OK]"

# WHOIS Out
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
echo "- WHOIS : [OK]"

# FTP Out (control ports and passive data range)
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
# FTP In (the passive range must match the one configured in your FTP server)
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
echo "- FTP : [OK]"

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo "- HTTP/HTTPS : [OK]"

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo "- SMTP : [OK]"

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo "- POP : [OK]"

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo "- IMAP : [OK]"

# Kloxo panel (change 7777:7778 if you use custom Kloxo ports)
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
echo "- Kloxo : [OK]"

echo "- Firewall [OK]"
exit 0
;;

stop)
echo "Stopping Firewall... "
# Open all three built-in chains again and remove our rules and chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
echo "Firewall Stopped!"
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

*)
echo "Usage: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac

4. Make the script executable (and readable by root only)

root@server# chmod 700 /etc/init.d/firewall

5. Add the firewall as a service

root@server# chkconfig --add firewall

6. Make the service start automatically at boot

root@server# chkconfig --level 2345 firewall on

7. That is all for a single server. Start the firewall. If the box is remote, keep your current SSH session open and confirm that a new login works from a second terminal before you log out. If you have multiple IPs and a slave server, continue with step 8.

root@server# /etc/init.d/firewall start
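Once the service is up, it is worth checking that the loaded ruleset really has the shape the script intends before closing the session. The script below is an added example, not part of the Kloxo wiki or of this page's script: it reads the output of `iptables -S` on stdin and fails unless the three default policies are DROP, the SSH port has an ACCEPT in INPUT, and the syn-flood chain exists and is actually reached from INPUT. The file name and function name are hypothetical, SSH on port 22 is assumed, and the embedded listing is a constructed sample, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the Kloxo wiki): sanity-check the loaded ruleset.
# Usage on the server, as root:   iptables -S | sh check_firewall.sh check 22
# Offline self-test on the constructed sample:  sh check_firewall.sh selftest

# check_ruleset SSH_PORT   (reads an `iptables -S` listing on stdin)
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_ruleset() {
    ssh_port="${1:-22}"
    rules="$(cat)"
    status=0

    # 1. Every built-in chain must default to DROP, otherwise a missing
    #    rule silently means "allowed" instead of "blocked".
    for chain in INPUT FORWARD OUTPUT; do
        if ! printf '%s\n' "$rules" | grep -q "^-P $chain DROP\$"; then
            echo "FAIL: default policy of $chain is not DROP"
            status=1
        fi
    done

    # 2. An explicit ACCEPT for the SSH port in INPUT, so the next login works.
    if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT .*--dport $ssh_port -j ACCEPT\$"; then
        echo "FAIL: no ACCEPT rule for SSH port $ssh_port in INPUT"
        status=1
    fi

    # 3. The syn-flood chain exists and INPUT really jumps to it; a chain
    #    that is only created does nothing.
    if ! printf '%s\n' "$rules" | grep -q "^-N syn-flood\$"; then
        echo "FAIL: syn-flood chain is missing"
        status=1
    fi
    if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT .*-j syn-flood\$"; then
        echo "FAIL: INPUT never jumps to syn-flood (chain defined but unused)"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: policies DROP, SSH $ssh_port open, syn-flood hooked"
    return "$status"
}

# Constructed sample of `iptables -S` output (not captured from a real host),
# shaped like the listing the script above produces. iptables prints --syn
# as the equivalent --tcp-flags match.
SAMPLE_LISTING='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N syn-flood
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP'

case "${1:-}" in
    check)    check_ruleset "${2:-22}" ;;
    selftest) printf '%s\n' "$SAMPLE_LISTING" | check_ruleset 22 ;;
esac
```

If you run SSH on another port, pass it as the second argument (`check 2222`); a ruleset that opens only port 22 then fails the SSH check, which is exactly the case that would lock you out.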

8. If you have multiple IPs or a slave server, add these rules to the master machine's script (port 7779 is used between the Kloxo master and slave; the rules allow only the slave's address, not the whole internet):

iptables -t filter -A INPUT -p tcp -s SLAVE_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP --dport 7779 -j ACCEPT

9. And in your slave machine's script add these rules:

iptables -t filter -A INPUT -p tcp -s MASTER_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP --dport 7779 -j ACCEPT

10. Done. Replace SLAVE_IP and MASTER_IP with the real IP addresses. Put these lines inside the start) section of the script (before the final echo), not only on the command line: the script flushes all rules every time it starts, so anything added by hand is lost on the next restart or reboot.
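The two places where this guide makes you edit numbers by hand (the SSH and Kloxo ports in the script, and the SLAVE_IP/MASTER_IP rules in steps 8 to 10) can be kept in one spot and generated. The script below is an added example, not code from the Kloxo wiki or from this page's firewall script: `gen_site_rules` prints the server-specific rules from four arguments, and `apply_with_rollback` runs any start command under a detached timer that stops the firewall again after N seconds, so a typo on a remote box reopens itself instead of locking you out. The function names, the `PEER_IPS` variable and the 203.0.113.x address in the usage note are hypothetical; the port numbers are the ones used in the script above.

```shell
#!/bin/sh
# Added example (not from the Kloxo wiki): generate the server-specific
# rules from variables and apply the firewall with a rollback timer.
# Usage:
#   PEER_IPS="203.0.113.5" SSH_PORT=2222 sh site_rules.sh generate
#   sh site_rules.sh apply 120 /etc/init.d/firewall start

# gen_site_rules SSH_PORT KLOXO_PORTS PEER_PORT "PEER_IP ..."
# Prints one iptables command per line; it executes nothing itself.
gen_site_rules() {
    ssh_port="$1"; kloxo_ports="$2"; peer_port="$3"; peers="$4"

    # Management access. Keep this first so it is in place before the
    # default policy switches to DROP (same ordering as the script above).
    echo "iptables -t filter -A INPUT -p tcp --dport $ssh_port -j ACCEPT"

    # Kloxo panel ports (7777:7778 in the stock install).
    echo "iptables -t filter -A INPUT -p tcp --dport $kloxo_ports -j ACCEPT"
    echo "iptables -t filter -A OUTPUT -p tcp --dport $kloxo_ports -j ACCEPT"

    # Master/slave traffic on the peer port, one pair of rules per listed
    # address (steps 8 and 9), instead of opening the port to everyone.
    for ip in $peers; do
        echo "iptables -t filter -A INPUT -p tcp -s $ip --dport $peer_port -j ACCEPT"
        echo "iptables -t filter -A OUTPUT -p tcp -d $ip --dport $peer_port -j ACCEPT"
    done
}

# apply_with_rollback SECONDS COMMAND [ARGS...]
# Starts a detached timer (nohup, so it survives the SSH session dying)
# that runs "/etc/init.d/firewall stop" after SECONDS, then runs COMMAND.
# If the new rules cut your session, the timer reopens the box; if you can
# still log in, kill the timer to keep the rules.
apply_with_rollback() {
    secs="$1"; shift
    nohup sh -c "sleep $secs && /etc/init.d/firewall stop" >/dev/null 2>&1 &
    timer=$!
    "$@"
    echo "Applied '$*'. Still connected? Cancel the rollback with: kill $timer"
}

case "${1:-}" in
    generate) gen_site_rules "${SSH_PORT:-22}" "${KLOXO_PORTS:-7777:7778}" \
                             "${KLOXO_PEER_PORT:-7779}" "${PEER_IPS:-}" ;;
    apply)    shift; apply_with_rollback "$@" ;;
esac
```

Paste the `generate` output into the start) section of the firewall script in place of the hand-edited SSH, Kloxo and peer lines; on the slave, set `PEER_IPS` to the master's address and vice versa. The rollback timer only helps if the stop action really restores access, which is why the stop) section resets all three policies to ACCEPT.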

Okay, this guide is just documentation for myself.

Cheers :)
