June 2003
336 pages
You want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services.
Suppose your services are www, ssh, and smtp.
For iptables:
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp -m multiport --dports www,ssh,smtp -j ACCEPT
# iptables -A INPUT -m limit -j LOG
# iptables -A INPUT -j REJECT
For ipchains:
# ipchains -F input
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -p tcp --dport www -j ACCEPT
# ipchains -A input -p tcp --dport ssh -j ACCEPT
# ipchains -A input -p tcp --dport smtp -j ACCEPT
# ipchains -A input -l -j REJECT
Local connections from your own host arrive via the loopback interface, so the rule accepting everything on interface lo matches them before the more restrictive rules are reached. Rules are evaluated in order and the first match wins, which is why the loopback and service rules precede the final LOG and REJECT rules.
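As an added example (not the book's own code), a POSIX shell script that applies the iptables variant of this recipe for any list of TCP services. IPT is an assumed variable naming the command to run, so IPT=echo gives a dry run that prints the rules instead of installing them; the state rule is an addition the recipe lacks, without which the final REJECT also refuses replies to connections the host itself opened.

```shell
#!/bin/sh
# Added example, not from the book: apply the iptables variant of the recipe
# for any list of TCP services.  IPT is an assumed variable naming the
# command to run; IPT=echo prints the rules instead of installing them.
set -eu

IPT="${IPT:-iptables}"

# apply_rules SERVICE...   e.g. apply_rules www ssh smtp
# Flush INPUT, accept loopback, accept the listed services, then log
# (rate-limited) and reject everything else.  First match wins, so order matters.
apply_rules() {
    [ "$#" -gt 0 ] || { echo "usage: apply_rules service..." >&2; return 1; }

    # Join the arguments into the multiport list: www,ssh,smtp
    ports=$(printf '%s,' "$@")
    ports="${ports%,}"

    $IPT -F INPUT
    # Loopback first: local users reach every local service.
    $IPT -A INPUT -i lo -j ACCEPT
    # Addition beyond the recipe: without this, the final REJECT also refuses
    # replies to connections this host opened itself (DNS answers, web replies).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The public services; names are resolved through /etc/services.
    $IPT -A INPUT -p tcp -m multiport --dports "$ports" -j ACCEPT
    # Log refused packets, rate-limited (default 3/hour, burst 5) so a flood
    # cannot fill the log; the prefix makes the entries easy to grep.
    $IPT -A INPUT -m limit -j LOG --log-prefix "INPUT reject: "
    $IPT -A INPUT -j REJECT
}

# show_rules: list the installed INPUT chain with counters for verification.
show_rules() {
    $IPT -L INPUT -n -v --line-numbers
}

# Run as: sudo sh firewall.sh www ssh smtp   (IPT=echo sh firewall.sh ... to dry-run)
if [ "$#" -gt 0 ]; then
    apply_rules "$@"
    show_rules
fi
```

After applying, show_rules lets you confirm the rule order and watch the REJECT counter climb while the logged entries stay bounded by the limit match.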
iptables(8), ipchains(8).