This is part two of our series on configuring a Slicehost slice.

Step Two – Configure iptables

Back up the present rules

The redirection is performed by your own (unprivileged) shell, so a plain sudo iptables-save > file fails unless you are already root; wrap the whole command instead. Note that the Save Rules step below writes to this same path, so if you want to keep the original ruleset, back it up under a different name (for example /etc/iptables.up.rules.orig).

sudo sh -c 'iptables-save > /etc/iptables.up.rules'

Create Filter

Allow all loopback (lo) traffic, and reject traffic addressed to 127.0.0.0/8 that does not arrive on lo (a packet for the loopback range coming in on any other interface is spoofed). The negation goes before the option (! -i lo); the older -i ! lo form is deprecated.

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

Accepts all inbound packets that belong to an established connection, or are related to one (replies to connections this host opened, and related traffic such as ICMP errors or FTP data channels)

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allows all outbound traffic

sudo iptables -A OUTPUT -j ACCEPT

Allows HTTP and HTTPS connections from anywhere

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allows SSH connections (on port 1999). This port must match the port sshd actually listens on (configured in Part 3); if sshd is still on port 22 when the final DROP rule goes in, new SSH sessions will not get through. Keep your current session open until you have confirmed that a fresh login works.

sudo iptables -A INPUT -p tcp -m state --state NEW --dport 1999 -j ACCEPT

Allow ping (ICMP echo request, type 8). Replies to pings sent from this host are already covered by the ESTABLISHED,RELATED rule.

sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

Log packets that are about to be dropped, rate-limited to 5 per minute so a port scan cannot fill the log. This rule must come after every ACCEPT and immediately before the final DROP: anything that reaches it has not matched an earlier rule. --log-level 7 is debug; configure syslog accordingly if you want these lines in their own file.

sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Drop all other inbound and forwarded traffic: default deny, unless explicitly allowed above. DROP discards silently; use -j REJECT instead if you want senders to get an immediate error rather than a timeout.

sudo iptables -A INPUT -j DROP

sudo iptables -A FORWARD -j DROP

Save Rules

Check the live ruleset first with sudo iptables -L -v -n (and confirm you can still open a new SSH session), then save it. As with the backup, the redirection needs root:

sudo sh -c 'iptables-save > /etc/iptables.up.rules'

Configure Network to Load Rules Automatically

Edit the network interfaces file so the rules are restored before an interface comes up (this applies to ifupdown-managed networking, which is what Ubuntu uses here)

sudo nano /etc/network/interfaces

Add the pre-up line, indented, directly after the iface lo inet loopback line:

iface lo inet loopback
    pre-up iptables-restore < /etc/iptables.up.rules
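The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that writes the same ruleset directly in iptables-restore format (the format /etc/iptables.up.rules ends up in), checks that the management port is accepted by a rule that precedes the catch-all INPUT DROP so a typo cannot lock you out, and loads it with a timed rollback. The function names, the /tmp paths and the 60-second rollback window are this example's own choices; the SSH port defaults to the post's 1999.

```sh
#!/bin/sh
# Added example, not code from the original post. Generates, checks and
# applies the ruleset described above in iptables-restore format.
# gen_rules, lint_rules, apply_rules and the /tmp paths are this example's
# own names (assumptions); the SSH port defaults to the post's 1999.

# Print the ruleset in iptables-save/iptables-restore format.
# Chain policies stay ACCEPT as in the post; the explicit final DROP rules
# provide the default deny, so an accidental 'iptables -F' leaves the host
# open rather than unreachable.
gen_rules() {
    ssh_port="${1:-1999}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: accept on lo, reject spoofed 127/8 traffic on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened, and related traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services offered to the world
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport ${ssh_port} -j ACCEPT
# ICMP echo request
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log (rate-limited) and then drop everything else
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Sanity checks before loading a ruleset file: the management port must be
# accepted by a rule placed before the catch-all INPUT DROP, and the table
# must end with COMMIT. Returns 0 if the file passes, 1 otherwise.
lint_rules() {
    f="$1"; port="$2"
    allow=$(grep -n -- "--dport ${port} -j ACCEPT" "$f" | head -n 1 | cut -d: -f1)
    drop=$(grep -n -- "^-A INPUT -j DROP" "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$allow" ]; then
        echo "lint: no ACCEPT for tcp/${port}; loading this would lock you out" >&2
        return 1
    fi
    if [ -n "$drop" ] && [ "$allow" -gt "$drop" ]; then
        echo "lint: ACCEPT for tcp/${port} comes after the INPUT DROP rule" >&2
        return 1
    fi
    if ! grep -q '^COMMIT$' "$f"; then
        echo "lint: missing COMMIT" >&2
        return 1
    fi
    return 0
}

# Load the rules with a safety net (needs root): parse-check the file with
# iptables-restore --test, snapshot the live rules, arm a background job that
# restores the snapshot after 60 seconds, then load the new rules. If a fresh
# SSH login still works, disarm the rollback with:
#   kill "$(cat /tmp/iptables.rollback.pid)"
apply_rules() {
    f="$1"
    iptables-restore --test < "$f" || return 1
    iptables-save > /tmp/iptables.rollback || return 1
    (sleep 60 && iptables-restore < /tmp/iptables.rollback) &
    echo "$!" > /tmp/iptables.rollback.pid
    iptables-restore < "$f"
}
```

Typical use: source the file, run gen_rules 1999 > /tmp/rules.v4 and lint_rules /tmp/rules.v4 1999, then as root apply_rules /tmp/rules.v4, open a second SSH session to confirm access, and kill the rollback job. Once happy, copy the file to /etc/iptables.up.rules so the pre-up line picks it up at boot.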

Part 3

Tomorrow, we look at installing OpenSSH.  Don’t forget to read the first post if you missed it.

Basic Slicehost Slice Setup Series List:

  1. Part 1 - Updating Ubuntu
  2. Part 2 - Configure iptables
  3. Part 3 - Install and Configure OpenSSH
  4. Part 4 - Install nginx Web Server
  5. Part 5 - Installing MySQL
  6. Part 6 - Installing PHP5 with fastcgi
  7. Part 7 - Create the Virtual Host Website
  8. Part 8 - Install WordPress via Subversion

If you found this post useful, why don't you buy me a cup of coffee to show your gratitude?