Firewall - Script

iptrust

Hi,

1/ I have written an iptables sh script.
How can I make the system execute this script automatically on reboot?

2/ Is there any firewall module for DA?
 
Why don't you try APF and BFD?
APF is the firewall part and BFD is a brute force detection tool and they work well together.

If you do a search you will find out how to get APF in and running.

Cheers
Ry
 
You can put the script in a file called rc.local.

This file should be in the /etc folder.

If you do not see /etc/rc.local you can do the following:

Code:
touch /etc/rc.d/init.d/rc.local
ln -s /etc/rc.d/init.d/rc.local /etc/rc.local

Then just put the path to your script in the /etc/rc.local file.

Should look something like this on a single line.

Code:
/path/to/iptables.sh

Make sure the script is executable and you should have no problems.
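The procedure in this answer (create rc.local if it is missing, put the script's path in it, make sure the script is executable), written up as an added shell helper; it is not from the thread or from DirectAdmin. It takes the rc.local path as a parameter so it can be tried against a scratch file, refuses a script that is not executable, appends the entry only once however often it is re-run, and keeps a trailing "exit 0" (which some distributions ship at the end of rc.local) last so the new line is actually reached. The script and file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): register a firewall script in an
# rc.local-style file so it runs at boot. The rc.local path is a parameter so
# the function can be exercised against a scratch file instead of /etc/rc.local.

# Usage: add_boot_hook /path/to/iptables.sh [/etc/rc.local]   (paths are placeholders)
# Returns 1 if the script is missing or not executable, 0 otherwise.
add_boot_hook() {
    script="$1"
    rc_file="${2:-/etc/rc.local}"

    # The script must exist and be executable, otherwise rc.local fails to
    # start it at boot with nothing on screen to say why.
    if [ ! -f "$script" ]; then
        echo "add_boot_hook: $script does not exist" >&2
        return 1
    fi
    if [ ! -x "$script" ]; then
        echo "add_boot_hook: $script is not executable (chmod +x it)" >&2
        return 1
    fi

    # Create rc.local with an interpreter line if it is absent; init ignores an
    # rc.local that is not itself executable, so mark it too.
    if [ ! -f "$rc_file" ]; then
        printf '#!/bin/sh\n' > "$rc_file"
        chmod 755 "$rc_file"
    fi

    # Already registered: nothing to do (grep -F -x matches the whole line
    # literally, so /path/to/fw.sh does not match /path/to/fw.sh.old).
    if grep -F -x -q "$script" "$rc_file"; then
        return 0
    fi

    # If the file ends with "exit 0", insert the entry before it; a line
    # appended after "exit 0" would never run.
    if tail -n 1 "$rc_file" | grep -q '^exit 0$'; then
        tmp="$rc_file.tmp.$$"
        sed '$d' "$rc_file" > "$tmp"
        printf '%s\nexit 0\n' "$script" >> "$tmp"
        cat "$tmp" > "$rc_file"     # overwrite in place to keep mode and owner
        rm -f "$tmp"
    else
        printf '%s\n' "$script" >> "$rc_file"
    fi
    return 0
}

# How many times the script is listed; a caller can use it to verify the hook.
hook_count() {
    grep -F -x -c "$1" "$2"
}
```

Run it as root with the real paths (add_boot_hook /path/to/iptables.sh) after chmod +x on the script; running it a second time changes nothing, which is what you want from a deploy step.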
 
Can anyone be so very kind as to post a list of ports to be opened in DirectAdmin -- if possible just a copy of the conf.apf:

IG_TCP_CPORTS="21,22,25, 2222, ???"
IG_UDP_CPORTS="20,21,53, ????"
EG_TCP_CPORTS="21,22,25,80, ????"
EG_UDP_CPORTS="20,21, ????"
 
No rc.d folder! How do I do it?

For information, my file (firewall.sh) is:

Code:
#!/bin/sh
# flush every rule in the filter table before rebuilding the set
iptables -F
PATH=/sbin:/bin:/usr/bin:/usr/sbin
# load the FTP connection-tracking helper for the listed control ports
/sbin/modprobe ip_conntrack_ftp ports=21,6438

# default policy: DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# accept packets belonging to connections that are already open
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept everything on the loopback interface
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT

# accept everything coming from address xx.xx.xx.xx
#iptables -A INPUT -i eth0 -s xx.xx.xx.xx -j ACCEPT

# inbound services: SSH, HTTP, HTTPS, DirectAdmin (2222), SMTP, POP3, FTP, MySQL, IMAP, DNS (TCP only)
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT

# allow outbound DNS, FTP, HTTP (for updates) and SMTP
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
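The same kind of ruleset as the script above, generated by an added shell helper that is not the poster's code (nor DirectAdmin's or APF's). It emits the iptables commands in a lockout-safe order: policies set to ACCEPT and chains flushed first, loopback and ESTABLISHED,RELATED accepted next, then one ACCEPT per listed port, then a rate-limited LOG of what is about to be dropped, and only at the end the DROP policy, so a typo half-way through leaves the box reachable instead of cut off. The commands are printed rather than executed so they can be reviewed (and tested) without root; the helper uses the conntrack match, which replaced the older state match, takes TCP and UDP lists separately (the script above only opens 53/tcp inbound, which is not enough for a name server), and leaves OUTPUT at ACCEPT, so egress filtering like the script's would be added separately. The port lists in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script: print an iptables ruleset in an order
# that cannot lock an admin out of a remote session. Nothing here touches the
# kernel; pipe the output to sh (as root) once it has been reviewed.

# Usage: gen_rules "22 80 443 2222" "53"    (placeholder port lists, space separated)
gen_rules() {
    tcp_ports="$1"
    udp_ports="$2"

    # 1. Open the policies *before* flushing. If the script dies half-way
    #    through, the box is left open rather than unreachable.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -F"
    echo "iptables -X"

    # 2. Loopback and already-established traffic first, so the rule that keeps
    #    the current SSH session alive is never behind a DROP.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 3. One ACCEPT per listening service, built from the lists so adding a
    #    port is a one-word change instead of a copied line.
    for p in $tcp_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done

    # 4. Log what is about to be dropped (rate limited) so a blocked service
    #    shows up in the kernel log instead of just timing out.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""

    # 5. Only now switch the default policy to DROP.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
}

# Apply for real (needs root); review with plain gen_rules first.
apply_rules() {
    gen_rules "$1" "$2" | sh
}
```

Review with gen_rules "22 80 443 2222" "53" first; apply_rules with the same arguments loads it, and the file itself can then be registered in rc.local as in the answer above.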
 
Debian is different. But it should have an rc.local script somewhere (locate is your friend). rc.local does the same thing autoexec.bat does on your M$ machine.

Just for the record, though, we recommend KISS and APF+BFD. :)

Jeff
 
Well I guess if that is the case then I would just use

Code:
find / -name rc.local
 
Or locate rc.local, which simply checks a database and should run more quickly.

Jeff
 