Below is a 'template' firewall for a single-server HSphere install.
Notes:
192.168.1.1 is the example base IP address of the server; you need to change this.
192.168.1.2 is *your* IP address. You *must* change this, otherwise you'll lock yourself out of the server.
This example would be saved to the file /etc/sysconfig/iptables.
You need to load the ip_conntrack_ftp module into the kernel when iptables is started. Add the module name in /etc/rc.d/init.d/iptables.
Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"
#######################################################
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_NET - [0:0]
# Handle Passive FTP (remember to enable ip_conntrack_ftp module)
-A OUTPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
# Server Base IP address
-A INPUT -s 192.168.1.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management IPs (VERY IMPORTANT TO PUT YOUR IP HERE otherwise you’ll be locked out)
-A INPUT -s 192.168.1.2 -j ACCEPT
# End Management IPs
# Run Block bad networks chain
-A INPUT -j BLOCK_NET
# Handle Passive FTP (remember to enable ip_conntrack_ftp module in the iptables init script)
-A INPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state ESTABLISHED -j ACCEPT
-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 53 -j ACCEPT
-A INPUT -p udp -m udp –dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 113 -j DROP
-A INPUT -p tcp -m tcp –dport 135 -j DROP
-A INPUT -p tcp -m tcp –dport 136 -j DROP
-A INPUT -p tcp -m tcp –dport 137 -j DROP
-A INPUT -p tcp -m tcp –dport 138 -j DROP
-A INPUT -p tcp -m tcp –dport 139 -j DROP
-A INPUT -p tcp -m tcp –dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 445 -j DROP
-A INPUT -p tcp -m tcp –dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 593 -j DROP
-A INPUT -p tcp -m tcp –dport 777 -j DROP
-A INPUT -p tcp -m tcp –dport 778 -j DROP
-A INPUT -p tcp -m tcp –dport 837 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 1025 -j DROP
-A INPUT -p tcp -m tcp –dport 1080 -j DROP
-A INPUT -p tcp -m tcp –dport 1434 -j DROP
-A INPUT -p tcp -m tcp –dport 1433 -j DROP
-A INPUT -p tcp -m tcp –dport 3128 -j DROP
-A INPUT -p tcp -m tcp –dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 4321 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 4444 -j DROP
-A INPUT -p tcp -m tcp –dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 6667 -j DROP
-A INPUT -p tcp -m tcp –dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 --sport 137:138 -j DROP
# Logging to /var/log/messages
-A INPUT -p tcp -m tcp -j LOG --log-prefix "AUDIT TCP "
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j LOG --log-prefix "AUDIT UDP "
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOG
# Each table must be committed before the next one starts
COMMIT
# mangle section
*mangle
:PREROUTING ACCEPT [1591876424:227299011220]
:INPUT ACCEPT [1591816598:227294667655]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1765890237:977040975279]
:POSTROUTING ACCEPT [1765890154:977040909847]
COMMIT
# NAT section
*nat
:PREROUTING ACCEPT [10032111:558215684]
:POSTROUTING ACCEPT [5152283:290989829]
:OUTPUT ACCEPT [3923347:241838349]
COMMIT
#######################################################
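A pre-flight check for a file in this format, added here as an example and not part of the HSphere template or of HSphere itself: a POSIX shell function that lints an iptables-save style ruleset before it is handed to iptables-restore. It checks that every *table block is closed by COMMIT, that every rule line starts with -A/-I/-D (a dropped leading dash makes the restore fail), that every -j target is either a built-in target or a chain declared with a leading colon in the same table, and that the two placeholder addresses from the notes above (192.168.1.1 and 192.168.1.2) are no longer present, which is the check that guards against locking yourself out. The two sample rulesets written by write_sample_rulesets are constructed for the demonstration; 203.0.113.10 in the good one is a documentation address, not a real host.

```shell
#!/bin/sh
# lint_ruleset FILE: pre-flight check for an iptables-save style file.
# Added example, not part of the HSphere template. Prints one line per
# problem found and returns 1 if there were any, 0 if the file passed.
# Usage: lint_ruleset /etc/sysconfig/iptables && iptables-restore --test < /etc/sysconfig/iptables
lint_ruleset() {
    awk -v placeholders="192.168.1.1 192.168.1.2" '
    function err(msg) { printf("%s:%d: %s\n", FILENAME, FNR, msg); errors++ }
    # At the end of a table every -j target must be a built-in target or a
    # chain declared with ":NAME" inside that same table.
    function close_table(   t) {
        for (t in jumps)
            if (!(t in builtin) && !(t in chains))
                err("jump to undeclared chain " t " in *" table)
        for (t in jumps) delete jumps[t]
        for (t in chains) delete chains[t]
        in_table = 0
    }
    BEGIN {
        split(placeholders, ph, " ")
        split("ACCEPT DROP REJECT LOG RETURN MASQUERADE SNAT DNAT REDIRECT", b, " ")
        for (i in b) builtin[b[i]] = 1
    }
    /^#/ || /^[ \t]*$/ { next }                   # comments and blank lines
    /^\*/ {                                       # *filter, *nat, *mangle
        if (in_table) { err("table *" table " not terminated by COMMIT before " $0); close_table() }
        table = substr($1, 2); in_table = 1; next
    }
    /^COMMIT/ {
        if (!in_table) { err("COMMIT outside a table") } else { close_table() }
        next
    }
    /^:/ { chains[substr($1, 2)] = 1; next }      # chain declaration with policy and counters
    /^-[AID] / {                                  # a rule: -A CHAIN ... [-j TARGET]
        if (!in_table) err("rule outside a table")
        for (i = 1; i <= NF; i++) {
            if ($i == "-j" && i < NF) jumps[$(i + 1)] = 1
            for (p in ph)
                if ($i == ph[p] || index($i, ph[p] "/") == 1)
                    err("placeholder address " ph[p] " still present, replace it before loading")
        }
        next
    }
    { err("unrecognised line (missing leading dash?): " $0) }
    END {
        if (in_table) { err("table *" table " not terminated by COMMIT at end of file"); close_table() }
        exit (errors ? 1 : 0)
    }' "$1"
}

# write_sample_rulesets GOOD BAD: constructed sample files for the demonstration.
write_sample_rulesets() {
    # Corrected shape: placeholders replaced (203.0.113.10 is a documentation
    # address), every table closed with COMMIT, BLOCK_NET declared before use.
    cat >"$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_NET - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10 -j ACCEPT
-A INPUT -j BLOCK_NET
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -j LOG --log-prefix "AUDIT TCP "
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
    # Four slips of the kind a template like this is prone to: placeholder
    # management IP left in, jump to an undeclared chain, a rule missing its
    # leading dash, and a *filter block that runs into *mangle with no COMMIT.
    cat >"$2" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.2 -j ACCEPT
-A INPUT -j BLOCK_NET
A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
EOF
}
```

The linter only reads the file, so it can run as an unprivileged user on a copy of the ruleset; iptables-restore --test (which does need root) is the second gate, since it parses every match and target option the way the kernel modules expect, which a text check cannot do.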