2.14. Protecting a Dedicated Server
Problem
You want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services.
Solution
Suppose your services are www, ssh, and smtp.
For
iptables
:
# iptables -F INPUT # iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT # iptables -A INPUT -j LOG -m limit # iptables -A INPUT -j REJECT
For ipchains
:
# ipchains -F input # ipchains -A input -i lo -j ACCEPT # ipchains -A input -p tcp --dport www -j ACCEPT # ipchains -A input -p tcp --dport ssh -j ACCEPT # ipchains -A input -p tcp --dport smtp -j ACCEPT # ipchains -A input -l -j REJECT
Discussion
Local connections from your own host arrive via the loopback interface.
See Also
iptables(8), ipchains(8).
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.