DX NetOps

  • 1.  CAPC 2.8.0 and iptables

    Posted Dec 16, 2016 03:21 AM

    Hello,

    I need to protect the Linux servers for performance management with iptables for a customer. I have managed to do that for all of them except the Performance Center.

    Unfortunately I cannot get HTTP/HTTPS access to the server to work after activating iptables.

    Has anyone already secured these servers with iptables and can help me?

    Thank you

    My config (iptables-save format, as loaded from /etc/sysconfig/iptables) is

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # Basic rules: established sessions, ICMP, loopback, SSH, web front end
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8182 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8382 -j ACCEPT

    # Data Aggregator (192.168.0.26) talking to this server (192.168.0.4)
    -A INPUT -p tcp -s 192.168.0.26 -d 192.168.0.4 --sport 513:65535 --dport 8381 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -s 192.168.0.26 -d 192.168.0.4 --sport 513:65535 --dport 8581 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -s 192.168.0.4 -d 192.168.0.26 --sport 513:65535 --dport 8381 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -s 192.168.0.4 -d 192.168.0.26 --sport 513:65535 --dport 8581 -m state --state NEW,ESTABLISHED -j ACCEPT

    # DNS, NTP server, SNMP poller (192.168.0.36)
    -A OUTPUT -p udp --sport 1024:65535 --dport 53 -d 10.30.0.34 -j ACCEPT
    -A OUTPUT -p udp --sport 123 --dport 123 -d 10.2.10.10 -j ACCEPT
    -I INPUT -p udp -m udp -s 192.168.0.36 -d 192.168.0.4 --dport 161 -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-request -s 192.168.0.36 -j ACCEPT
    # Echo replies leave this host towards the poller, so OUTPUT matches on the destination, not the source
    -A OUTPUT -p icmp --icmp-type echo-reply -d 192.168.0.36 -j ACCEPT

    # Catch-all rejects must be the last rules appended to their chains; anything -A'd after them never matches
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

     

    thanks for help

    Andreas Burger
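Two mistakes are easy to make in a rules file of the shape posted above: a catch-all "-A INPUT -j REJECT" that ends up before rules appended further down (those later "-A" rules can never match, while "-I" rules still work because they are inserted at the head of the chain), and a "--j" typo that makes iptables-restore refuse the whole file. The script below is an added example, not code from the original post or from CA/Broadcom; it knows nothing about CAPC and only parses iptables-save style text with awk, so it never touches the live firewall. The sample rules file it writes is constructed for this example, modeled on the posted config with the Data Aggregator and echo-request rules appended after the reject.

```shell
#!/bin/sh
# Added example (not from the original post or from CA/Broadcom): lint an
# iptables-save style rules file before loading it. Needs only sh and awk.
#
# Findings printed, one per line:
#   unreachable: an "-A CHAIN ..." rule that comes after an unconditional
#                terminal rule ("-A CHAIN -j REJECT|DROP|ACCEPT" with no
#                match options) in the same chain. "-I" rules are inserted
#                at the head of the chain and are therefore not flagged.
#   malformed:   a "--j" jump option; iptables-restore rejects the file.

lint_iptables_rules() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]+$/, "", line)
        if (line !~ /^-(A|I)[ \t]/) next   # skip *filter, :CHAIN, COMMIT, comments
        n = split(line, f, /[ \t]+/)
        chain = f[2]

        for (i = 1; i <= n; i++)
            if (f[i] == "--j")
                printf "line %d: malformed jump option --j, use -j: %s\n", NR, line

        if (f[1] == "-A" && (chain in terminal))
            printf "line %d: unreachable, appended after unconditional %s on line %d: %s\n", NR, terminal[chain], tline[chain], line

        # Remember the first unconditional terminal rule per chain:
        #   -A CHAIN -j TARGET   or   -A CHAIN -j REJECT --reject-with TYPE
        if (f[1] == "-A" && f[3] == "-j" && !(chain in terminal) &&
            (f[4] == "ACCEPT" || f[4] == "DROP" || f[4] == "REJECT") &&
            (n == 4 || (n == 6 && f[5] == "--reject-with"))) {
            terminal[chain] = f[4]
            tline[chain] = NR
        }
    }' "$1"
}

# Constructed sample (not the poster's exact file): same shape as the config
# in the first post, with the catch-all REJECT placed before later rules and
# the "--j" typo on the echo-request rule.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -s 192.168.0.26 -d 192.168.0.4 --dport 8381 -m state --state NEW,ESTABLISHED -j ACCEPT
-I INPUT -p udp -m udp -s 192.168.0.36 -d 192.168.0.4 --dport 161 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -s 192.168.0.36 --j ACCEPT
COMMIT
EOF

# Expected: line 10 unreachable, line 12 malformed and unreachable; line 11 (-I) is fine.
lint_iptables_rules "$SAMPLE_RULES"
```

Run it against /etc/sysconfig/iptables before "service iptables start". A syntax problem such as "--j" is also caught by "iptables-restore --test", but that check accepts a rule appended after a terminal REJECT because it is syntactically valid; only an ordering check like the one above shows why such a rule silently does nothing.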



  • 2.  Re: CAPC 2.8.0 and iptables

    Broadcom Employee
    Posted Dec 19, 2016 02:42 PM

    Hello Andreas,

    My apologies, but I'm a bit confused by this request. Based on the configuration you posted above, it appears you've properly configured iptables to allow access via the ports defined.

    It looks like your config is properly allowing HTTP and HTTPS traffic through the usual 443, 8182 and 8382 ports.

    What is the goal of this effort? What protocols and traffic are meant to be blocked here?

    If we're attempting to block systems rather than protocols, an ACL in the network might be a better solution.


    Thanks,

    Mike



  • 3.  Re: CAPC 2.8.0 and iptables
    Best Answer

    Posted Dec 20, 2016 01:31 AM

    Hi Mike,

    The goal is that the customer requires an external firewall and also wants access controlled directly on the server.
    I found the problem. I have added some lines:

    # Allow the server to talk to itself on its own address (target is ACCEPT; the posted text had a garbled target name)
    -A OUTPUT -s 192.168.0.4 -d 192.168.0.4 -j ACCEPT
    -A INPUT -s 192.168.0.4 -d 192.168.0.4 -j ACCEPT

    192.168.0.4 is the server's own IP address


    The main problem, however, is that the command "service iptables restart" does not seem to work quite cleanly. After I did the restart as a separate stop and start, it worked at once :-)

    Thanks for your help

    Andreas