iptables as a firewall at machine level

From Glaskugel

The ruleset can be generated on a CentOS 6 or CentOS 7 server via a script.
The script is obtained from our in-house "repo" as follows: wget --user=Shopbenutzer12 --password='9k2aS2s' -P /root/ https://www.estugo.de/files/scripts/iptablesscript

Rename the script and make it executable
mv iptablesscript iptablesscript.sh && chmod +x iptablesscript.sh
Run the script
./iptablesscript.sh

done

We currently use the following ruleset (as of 18.11.2019)

# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*nat
:PREROUTING ACCEPT [2152:124701]
:INPUT ACCEPT [1842:104693]
:OUTPUT ACCEPT [5477:335938]
:POSTROUTING ACCEPT [5477:335938]
COMMIT
# Completed on Wed Oct 23 09:41:57 2019
# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*raw
:PREROUTING ACCEPT [129693:39002264]
:OUTPUT ACCEPT [122067:156550655]
COMMIT
# Completed on Wed Oct 23 09:41:57 2019
# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*mangle
:PREROUTING ACCEPT [129693:39002264]
:INPUT ACCEPT [129693:39002264]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [122067:156550655]
:POSTROUTING ACCEPT [122067:156550655]
COMMIT
# Completed on Wed Oct 23 09:41:57 2019
# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*filter
:INPUT DROP [120:6624]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [61788:68401442]
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping-Anfragen erlauben" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "bestehende Verbindungen" -j ACCEPT
-A INPUT -s 127.0.0.1/32 -m comment --comment "localhost" -j ACCEPT
-A INPUT -s 37.218.252.213/32 -m comment --comment "Eigene IP-Adresse" -j ACCEPT
-A INPUT -s 89.22.107.170/32 -p tcp -m tcp --dport 10050 -m comment --comment "Zabbix-Server" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 10050 -m comment --comment "Zabbix-Server" -j ACCEPT
-A INPUT -s 195.110.43.163/32 -p tcp -m tcp --dport 4949 -m comment --comment "Munin-Server" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 22 -m comment --comment "MGMT-SSH" -j ACCEPT
-A INPUT -s 37.218.252.71/32 -p tcp -m tcp --dport 22 -m comment --comment "MGMT-SSH" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m multiport --dports 7080,7081 -m comment --comment "MGMT-Apache" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 8447 -m comment --comment "Plesk-Installer" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -m comment --comment "Mail-Services" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,8443 -m comment --comment "Web-Services" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,989,990,50000:50100 -m comment --comment "FTP-Services" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m comment --comment "MySQL extern" -j ACCEPT
COMMIT
# Completed on Wed Oct 23 09:41:57 2019
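As an added audit example (not part of this page or of the script above), the following Python parses the INPUT chain of an iptables-save dump and lists which accepted ports are reachable from any source, so that rules such as "MySQL extern" can be checked against the set of services that are actually meant to be public. The embedded dump is a constructed excerpt of the ruleset above.

```python
import shlex

# Constructed excerpt modelled on the *filter table above (not the full dump).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 22 -m comment --comment "MGMT-SSH" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,8443 -m comment --comment "Web-Services" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,989,990,50000:50100 -m comment --comment "FTP-Services" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m comment --comment "MySQL extern" -j ACCEPT
COMMIT
"""

def parse_input_chain(dump):
    """Return (policy, rules) for the INPUT chain of the *filter table.
    Each rule is a dict with src, ports (list of strings), target and comment."""
    policy, rules, in_filter = None, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = (line.strip() == "*filter")
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            tok = shlex.split(line)  # honours the quoted --comment value
            rule = {"src": "0.0.0.0/0", "ports": [], "target": None, "comment": ""}
            for i, t in enumerate(tok[:-1]):
                if t == "-s":
                    rule["src"] = tok[i + 1]
                elif t in ("--dport", "--dports"):
                    rule["ports"] = tok[i + 1].split(",")
                elif t == "-j":
                    rule["target"] = tok[i + 1]
                elif t == "--comment":
                    rule["comment"] = tok[i + 1]
            rules.append(rule)
    return policy, rules

def world_reachable_ports(dump):
    """Ports ACCEPTed without any -s restriction, i.e. open to every source address."""
    _, rules = parse_input_chain(dump)
    ports = {p for r in rules if r["target"] == "ACCEPT" and r["src"] == "0.0.0.0/0" for p in r["ports"]}
    return sorted(ports, key=lambda p: int(p.split(":")[0]))  # ranges sort by their first port

def unexpected_public_ports(dump, intended_public):
    """World-reachable ports that are not on the list of services meant to be public."""
    return [p for p in world_reachable_ports(dump) if p not in intended_public]
```

Run it against the output of `iptables-save` on the server instead of SAMPLE_DUMP to compare the live ruleset with the intended public service list.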