Greetings,

Seeking suggestions on an iptables config for a server machine that has triple roles, the characteristics of which are the following:

QUESTION:
Does anyone have an idea how to achieve the above proposed solution without locking ourselves out, and can iptables achieve this solution at all?


A. CASE

Foremost:

i. 58.xx.xx.xx is the main server machine in question
ii. 58.xx.xx.xy is the sister server machine
iii. 216.xx.xx.xx is an administrator’s workstation for remote access
iv. 140.xx.xx.xx is an administrator’s workstation for remote access
v. 58.xx.xx.xz is an administrator’s workstation for remote access
vi. 69.xx.xx.xx is the server of provider A
vii. 215.xx.xx.xx is the server of provider B

1. Webserver
Must allow site surfers to come in through port 80

2. Application Server
Subscribers will maintain permanent connections to services running on the server. These connections can be considered secured since the clients do not run “computer” operating systems.

3. Apache Server
Administrators of the system will connect to the application server remotely to configure services through secured web consoles at port 80XXX. They will also use SSH, which runs on port 222XXX.

4. Sister (adjacent) servers
There are a few trusted servers running on separate machines (vendor's servers and our servers) that must maintain dynamic connections with our server.


B. REQUIREMENT

1. Server 58.22.xx.xy must maintain a permanent connection with the main server

2. Only 216.xx.xx.xx and 140.xx.xx.xx and 58.xx.xx.xz are allowed to establish a remote console connection with the server.

3. Only 216.xx.xx.xx and 140.xx.xx.xx and 58.xx.xx.xz are allowed to establish SSH to the server.

4. Allow access to port 80 for all users

5. Server 69.22.xx.xx, a provider server, must maintain a permanent connection with the server

6. Server 215.xx.xx.xx, a provider server, must maintain a permanent connection with the server


#******************************************************************************#
# IPTABLE RULE SETS #
#******************************************************************************#
# AS OF 07/10/06 #
#
# Rules are matched top to bottom and the first match wins, so the ACCEPT
# rules for trusted hosts come first and the catch-all DROP policy is set
# last. iptables has no DENY target (that was ipchains); DROP or REJECT is
# used instead. --dport only works together with -p tcp or -p udp.
#
#0. KEEP LOOPBACK AND ALREADY-ESTABLISHED CONNECTIONS (INCLUDING THE ADMIN
#   SESSION THAT LOADS THESE RULES, SO IT IS NOT CUT OFF HALFWAY THROUGH)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#1. DROP THE FOLLOWING EXPLICIT SOURCE IP'S #
#   (placed before any ACCEPT so these sources cannot reach port 80 either.
#   A /16 ignores the last two octets, e.g. 64.231.140.0/16 is 64.231.0.0/16;
#   check whether /24 was meant for those entries.)
iptables -A INPUT -s 64.231.140.0/16 -j DROP
iptables -A INPUT -s 65.113.0.0/16 -j DROP
iptables -A INPUT -s 65.119.0.0/16 -j DROP
iptables -A INPUT -s 213.91.247.0/16 -j DROP
iptables -A INPUT -s 216.31.243.0/16 -j DROP
iptables -A INPUT -s 200.82.136.0/24 -j DROP
iptables -A INPUT -s 219.13.51.0/24 -j DROP
iptables -A INPUT -s 196.252.89.0/24 -j DROP
iptables -A INPUT -s 201.87.61.0/24 -j DROP

#2. ALLOW REQUESTS FROM SISTER SERVER ON PORTS 50XX AND 17XX
iptables -A INPUT -p tcp -s 58.22.xx.xy --dport 50XX -j ACCEPT
iptables -A INPUT -p tcp -s 58.22.xx.xy --dport 17XX -j ACCEPT

#3. ALLOW REQUESTS FOR THESE IP's ONLY FOR SSH CONNECTIONS ON PORT 22290 #
#   (three "drop everything not from host X" rules would drop everybody,
#   because no source is all three hosts at once: accept each host, then
#   drop the rest. Single hosts, not /24: a /24 admits 254 neighbouring
#   addresses the post never listed as trusted.)
iptables -A INPUT -p tcp -s 216.xx.xx.xx --dport 222XXX -j ACCEPT
iptables -A INPUT -p tcp -s 140.xx.xx.xx --dport 222XXX -j ACCEPT
iptables -A INPUT -p tcp -s 58.xx.xx.xz --dport 222XXX -j ACCEPT
iptables -A INPUT -p tcp --dport 222XXX -j DROP

#4. ALLOW REQUESTS FOR THESE SOURCES ONLY FOR WEB CONSOLE ON PORT 80XXX #
iptables -A INPUT -p tcp -s 216.xx.xx.xx --dport 80XXX -j ACCEPT
iptables -A INPUT -p tcp -s 140.xx.xx.xx --dport 80XXX -j ACCEPT
iptables -A INPUT -p tcp -s 58.xx.xx.xz --dport 80XXX -j ACCEPT
iptables -A INPUT -p tcp --dport 80XXX -j DROP

#5. ALLOW PORT 80 FOR ALL USERS #
#   (the old "drop everything not destined for port 80" rule is replaced by
#   this ACCEPT plus the DROP policy in #9; as a rule it would have blocked
#   the provider connections accepted below it)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#6. ACCEPT CONNECTIONS WITH PROVIDER A
iptables -A INPUT -s 69.xx.xx.xx -d 58.22.xx.xx -j ACCEPT

#7. ACCEPT CONNECTIONS WITH PROVIDER B
#   (215.xx.xx.xx per section A; 216.xx.xx.xx is an admin workstation)
iptables -A INPUT -s 215.xx.xx.xx -d 58.22.xx.xx -j ACCEPT

#8. DROP EXPLICITLY THE FOLLOWING DESTINATION PORTS #
#   (already covered by the DROP policy in #9; kept so the intent stays visible)
iptables -A INPUT -p tcp --dport 111 -j DROP
iptables -A INPUT -p udp --dport 111 -j DROP
iptables -A INPUT -p tcp --dport 82 -j DROP
iptables -A INPUT -p tcp --dport 2000 -j DROP
iptables -A INPUT -p tcp --dport 7000 -j DROP
iptables -A INPUT -p tcp --dport 8104 -j DROP
iptables -A INPUT -p tcp --dport 8106 -j DROP
iptables -A INPUT -p tcp --dport 32768 -j DROP
iptables -A INPUT -p tcp --dport 32778 -j DROP
iptables -A INPUT -p tcp --dport 7004 -j DROP
iptables -A INPUT -p tcp --dport 7008 -j DROP
iptables -A INPUT -p tcp --dport 7010 -j DROP
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 8081 -j DROP

#9. DROP EVERYTHING NOT ACCEPTED ABOVE (SET LAST, ONCE THE ACCEPT RULES EXIST)
iptables -P INPUT DROP

############################################################################### #
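The lock-out question in the post is usually answered by two things: ordering the rule set so that established sessions and the admin hosts are accepted before any DROP, and loading it behind a timed rollback so that a mistake undoes itself. The script below is an added example, not code from the original post or any reply. The hosts and ports are the post's own masked placeholders (58.22.xx.xy, 222XXX and so on) and must be replaced with real values; ROLLBACK_SECS and BACKUP are variable names assumed here. Run it with no argument to print the rules it would load; run it with `apply` as root to load them.

```shell
#!/bin/sh
# Added example, not from the original post: emit the INPUT rule set in the
# order the requirements need, sanity-check it, and apply it behind a timed
# rollback so one mistake cannot lock the administrators out.
# Hosts and ports are the post's masked placeholders and must be replaced
# with real values; ROLLBACK_SECS and BACKUP are names assumed here.

ADMIN_HOSTS="216.xx.xx.xx 140.xx.xx.xx 58.xx.xx.xz"   # single hosts, not /24
SISTER="58.22.xx.xy"
SISTER_PORTS="50XX 17XX"
PROVIDERS="69.xx.xx.xx 215.xx.xx.xx"
SSH_PORT="222XXX"
CONSOLE_PORT="80XXX"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
BACKUP="${BACKUP:-/root/iptables.before}"

# Print the rule set, one iptables command per line. First match wins, so
# every ACCEPT precedes the closing DROP policy.
rules() {
    echo "iptables -P INPUT ACCEPT"            # stay open while the chain is rebuilt
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Sessions that already exist (including the one running this script) survive.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $SISTER_PORTS; do
        echo "iptables -A INPUT -p tcp -s $SISTER --dport $p -j ACCEPT"
    done
    for h in $ADMIN_HOSTS; do
        echo "iptables -A INPUT -p tcp -s $h --dport $SSH_PORT -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $h --dport $CONSOLE_PORT -j ACCEPT"
    done
    for h in $PROVIDERS; do
        echo "iptables -A INPUT -s $h -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
    echo "iptables -P INPUT DROP"              # set last: the ACCEPT rules now exist
}

# Returns 0 only if every admin host has an SSH ACCEPT rule that comes before
# the DROP policy, i.e. the rule set cannot lock those hosts out of SSH.
ssh_guarded() {
    list=$(rules)
    drop_at=$(printf '%s\n' "$list" | grep -n -- '-P INPUT DROP$' | cut -d: -f1)
    [ -n "$drop_at" ] || return 1
    for h in $ADMIN_HOSTS; do
        at=$(printf '%s\n' "$list" | grep -n -F -- "-s $h --dport $SSH_PORT -j ACCEPT" | cut -d: -f1)
        [ -n "$at" ] && [ "$at" -lt "$drop_at" ] || return 1
    done
    return 0
}

# Apply with a safety net: back up the running rules and schedule their
# restore. After a fresh SSH login succeeds, kill the printed pid; if the
# login fails, do nothing and the old rules return by themselves.
apply() {
    ssh_guarded || { echo "refusing to apply: admin SSH is not guarded" >&2; return 1; }
    iptables-save > "$BACKUP" || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo "rollback to $BACKUP scheduled in ${ROLLBACK_SECS}s; kill $! once SSH is confirmed"
    rules | sh -e
}

case "${1:-}" in
    apply) apply ;;
    *)     rules ;;     # default is a dry run: print the commands, change nothing
esac
```

The ESTABLISHED,RELATED rule is what keeps the session that loads the rules alive; the rollback timer covers the case where a new login still fails (wrong port, wrong admin address, a /24 typo). Confirm access from a second SSH session before killing the timer, never from the one already open.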

One of the easiest tools to use is Firehol (firehol.sourceforge.net). It is simply a script that does all the dirty work with iptables, so all you have to do is enter your rules in a Firehol configuration file and then add the Firehol script to your default runlevel.

I have used it, and all I can say is it saves you a lot of time!
