Thread: Iptables help

  1. #1
    Join Date
    Dec 2009
    Beans
    7

    Iptables help

    Hi

    I'm trying to set up iptables for my VPS but I need some help to get a script that secures the server. The only task the server has is to handle accepted users that connect through two different DNS addresses and of course the possibility for me to connect by SSH.

    I'd like to have these ports open:

    ssh (port 900)
    port 15000


    This script is what I have come up with so far:

    Code:
    # Generated by iptables-save v1.3.1 on Sun Apr 23 05:32:09 2006
    *filter
    :INPUT ACCEPT [273:55355]
    :FORWARD ACCEPT [0:0]
    :LOGNDROP - [0:0]
    :OUTPUT ACCEPT [92376:20668252]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 900 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 15000 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j LOGNDROP
    -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
    -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
    -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
    -A LOGNDROP -j DROP
    COMMIT
    # Completed on Sun Apr 23 05:32:09 2006
    How does it look for my VPS?

  2. #2
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: Iptables help

    I presume this is a web-server? And the clients will connect to one of two URLs which both resolve to this server's IP?

    What is port 15000 for?

    The script looks fine to me though, although you could tighten up the outbound rules too if you wanted to, only allowing established and related connections, and enabling outbound connections to be initiated to update servers only etc. However, that is only for really paranoid people!
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  3. #3
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Iptables help

    If you have a web server running on port 80 (HTTP) then you may also want the option to have it on port 443 (HTTPS), too.
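    An added worked example for the whole thread (not code posted by anyone in it): a shell script that prints a complete iptables-restore ruleset for the server described in post #1 (SSH on 900, HTTP on 80, port 15000, interface eth0), adds the HTTPS port 443 that reply #3 mentions, and tightens OUTPUT the way reply #2 suggests so that only replies and a few needed outbound services get through. The choice of outbound services (DNS on 53, NTP on 123, HTTP/HTTPS for updates), the INVALID-state drop, the rate-limited ping rule and the DROP default policies are assumptions of this example, not something the thread states. The `lint_ruleset` function is also constructed for this example; it checks the two things that are wrong with the script as pasted in post #1 (`*filter` glued onto the comment line and `COMMIT` glued onto the last rule), both of which make `iptables-restore` reject the file.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Ports, interface and the LOGNDROP chain come from post #1; port 443 from
# reply #3; the OUTPUT restriction from reply #2. The outbound services
# allowed below (DNS, NTP, HTTP/HTTPS) are an assumption for a typical VPS.

WAN_IF=eth0
SSH_PORT=900
APP_PORT=15000      # purpose not stated in the thread

# Print the ruleset in iptables-save format. The table block starts with a
# '*filter' line on its own and ends with 'COMMIT' on its own line; default
# policies are DROP so anything not explicitly allowed is logged and dropped.
emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGNDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $APP_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOGNDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j LOGNDROP
-A LOGNDROP -m limit --limit 5/min -j LOG --log-prefix "Denied: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
EOF
}

# Structural check of a ruleset read on stdin (constructed for this example).
# Reports: a '*table' marker that is not alone on its line, 'COMMIT' glued
# onto a rule, rules appearing before any '*table' line, a missing COMMIT,
# and an INPUT default policy other than DROP. Exit status 0 means clean.
lint_ruleset() {
    awk '
        function bad(msg) { print "lint: " msg > "/dev/stderr"; rc = 1 }
        BEGIN { rc = 0; intable = 0 }
        /^#/ { next }
        /^\*/ { if ($0 !~ /^\*[a-z]+$/) bad("table line must stand alone: " $0); intable = 1; next }
        /COMMIT/ { if ($0 != "COMMIT") bad("COMMIT must be on its own line: " $0); intable = 0; next }
        /\*/ { bad("stray table marker inside a rule: " $0) }
        !intable { bad("rule outside a table block (is *filter on its own line?): " $0) }
        /^:INPUT / && $2 != "DROP" { bad("INPUT default policy is " $2 ", expected DROP") }
        END { if (intable) bad("last table block is missing COMMIT"); exit rc }
    '
}

# Usage on the server (from a console rather than over SSH the first time, or
# via iptables-apply, which rolls back if the connection is lost):
#   emit_ruleset | lint_ruleset && emit_ruleset > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Run `emit_ruleset | lint_ruleset` before loading anything; pipe the script from post #1 through `lint_ruleset` and it flags both glued lines plus the ACCEPT policy. Because the default policies are DROP, the order of the INPUT rules matters only for performance, and losing the LOGNDROP chain cannot silently open the box. The `--limit 5/min` on the LOG rule is what keeps a port scan from filling the syslog.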
