Recipe 2.14 Protecting a Dedicated Server
2.14.1 Problem
You want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services.
2.14.2 Solution
Suppose your services are www, ssh, and smtp.
For iptables:
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT
For ipchains:
# ipchains -F input
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -p tcp --dport www -j ACCEPT
# ipchains -A input -p tcp --dport ssh -j ACCEPT
# ipchains -A input -p tcp --dport smtp -j ACCEPT
# ipchains -A input -l -j REJECT
2.14.3 Discussion
Local connections from your own host arrive via the loopback interface.
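The iptables rules above, restated as an added example (not from the recipe) in iptables-restore format so the policy can be syntax-checked before loading and reloaded at boot. It goes one step beyond the recipe by also accepting replies to connections the host itself opens, which the recipe's INPUT chain would otherwise reject; the apply_ruleset helper and the use of the conntrack match are assumptions, and nothing here applies to ipchains.

```shell
#!/bin/sh
# Added example: emit the dedicated-server policy as an iptables-restore
# ruleset. Service names (www, ssh, smtp) are resolved via /etc/services.
build_ruleset() {
    [ $# -gt 0 ] || { echo "usage: build_ruleset SERVICE..." >&2; return 1; }
    ports=$(printf '%s,' "$@")
    ports=${ports%,}            # drop the trailing comma
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# local users reach every service: their connections arrive on loopback
-A INPUT -i lo -j ACCEPT
# not in the recipe: accept replies to connections this host initiates,
# otherwise outbound DNS lookups, mail relaying, package updates hit REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the services offered to the outside world
-A INPUT -p tcp -m multiport --dports $ports -j ACCEPT
# log what is about to be refused, rate limited so a flood cannot fill the logs
-A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix "dedicated-server: "
# refuse everything else with an ICMP error (REJECT) rather than a silent DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Assumed helper: syntax-check the ruleset, then load it atomically.
# Needs root and an iptables-restore that supports --test.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"
    else
        echo "ruleset rejected by iptables-restore --test, live tables untouched" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}
```

Run `build_ruleset www ssh smtp` to inspect the generated file, or `apply_ruleset www ssh smtp` as root to load it.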
2.14.4 See Also
iptables(8), ipchains(8).