Quote:
Originally Posted by El Diablo War3Evo
I found this solution to be best the best for all website setups.
Here is an example of my iptables for the webserver:
Website setups?
A few comments to that "website setup":
Quote:
Originally Posted by El Diablo War3Evo
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
By default, you are dropping all incoming (INPUT) and all forwarded (FORWARD) traffic.
But all outgoing traffic (OUTPUT) is accepted.
Quote:
Originally Posted by El Diablo War3Evo
Code:
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
Since there is a default rule of the OUTPUT chain to accept all outgoing traffic, why would anyone need to tell the firewall
a second time to accept outgoing traffic?
Quote:
Originally Posted by El Diablo War3Evo
Code:
# Allows SMTP
-A INPUT -p tcp --dport 25 -j ACCEPT
On your post above, you said "website setups", which makes me curious - why would you accept port 25 on the INPUT chain?
Port 25 is not used unless the server handles incoming SMTP traffic such as by being a mail server for one or some domains (via MX records).
If the server is ONLY handling outgoing emails (e.g. forums, and such), and not as a mail server (MX records) of a domain, then it does not need port 25 on the INPUT chain at all.
Quote:
Originally Posted by El Diablo War3Evo
Code:
# MySql Server
-A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
With the above rules, the firewall is already being told twice that ALL outgoing traffic is acceptable.
Is there any specific reason why you would like to tell the firewall the same thing three times?
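An added example, not part of either post: a small Python audit over an iptables-save style listing (the sample below is constructed to mirror the quoted fragments) that reports rules which merely restate the chain's default policy and INPUT ports outside an assumed plain web-server set of 80 and 443.

```python
# Added example: audit an iptables-save style ruleset for the two points
# raised above: rules that only restate the chain policy, and INPUT ports
# opened beyond what a plain web server needs.

# Constructed sample ruleset mirroring the quoted fragments (not a real dump).
SAMPLE_RULES = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
"""

WEB_PORTS = {"80", "443"}  # assumption: a web-only host exposes just these


def parse(text):
    """Return ({chain: policy}, [(chain, [rule args...]), ...])."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            rules.append((parts[1], parts[2:]))
    return policies, rules


def target_of(args):
    return args[args.index("-j") + 1] if "-j" in args else None


def audit(text, allowed_ports=WEB_PORTS):
    policies, rules = parse(text)
    targets = {}
    for chain, args in rules:
        targets.setdefault(chain, set()).add(target_of(args))
    findings = []
    for chain, args in rules:
        target = target_of(args)
        # A rule matching the policy changes nothing unless some other rule
        # in the chain could override it (e.g. a DROP placed after it).
        if target == policies.get(chain) and targets[chain] == {target}:
            findings.append(f"redundant: {chain} rule with target {target} restates policy")
        if chain == "INPUT" and target == "ACCEPT" and "--dport" in args:
            port = args[args.index("--dport") + 1]
            if port not in allowed_ports:
                findings.append(f"exposed: INPUT accepts port {port}")
    return findings
```

Running `audit(SAMPLE_RULES)` flags both OUTPUT rules as redundant and ports 25 and 3306 as exposed on INPUT.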