Firewall security settings for the Kloxo control panel

From the Persian Help WIKI guide

Stop the stock iptables service: /etc/init.d/iptables stop

Disable it at boot, so it does not restore its own saved ruleset on top of this one: chkconfig iptables off


Copy this code to /etc/init.d/firewall (reminder: disable word wrap in your text editor, e.g. nano -w /etc/init.d/firewall). Two things to check before you deploy it: the SSH rule accepts port 22 from any source, so add -s YOUR_ADMIN_IP to that rule if you always connect from a fixed address; and the SYN-flood limit of 10 new connections per second is shared by all services, which is low for a busy web server, so raise --limit if legitimate connections start showing up in the log as dropped.

 #!/bin/sh
 # firewall
 # chkconfig: 3 21 91
 # description: Starts, stops iptables firewall

 case "$1" in
 start)
     # Clear rules
     iptables -t filter -F
     iptables -t filter -X
     echo "- Clear rules : [OK]"

     # SSH In
     iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
     echo "- SSH : [OK]"

     # Don't break established connections
     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     echo "- established connections : [OK]"

     # Block all connections by default
     iptables -t filter -P INPUT DROP
     iptables -t filter -P FORWARD DROP
     iptables -t filter -P OUTPUT DROP
     echo "- Block all connections : [OK]"

     # SYN-Flood Protection
     iptables -N syn-flood
     iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
     iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
     iptables -A syn-flood -j DROP
     # Send new TCP connection attempts through that chain. The original
     # listing defined the chain but never jumped to it, so it was unused.
     iptables -A INPUT -p tcp --syn -j syn-flood
     echo "- SYN-Flood Protection : [OK]"

     # Loopback
     iptables -t filter -A INPUT -i lo -j ACCEPT
     iptables -t filter -A OUTPUT -o lo -j ACCEPT
     echo "- Loopback : [OK]"

     # ICMP (Ping)
     iptables -t filter -A INPUT -p icmp -j ACCEPT
     iptables -t filter -A OUTPUT -p icmp -j ACCEPT
     echo "- PING : [OK]"

     # DNS In/Out
     iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
     iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
     iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
     iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
     echo "- DNS : [OK]"

     # NTP Out
     iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
     echo "- NTP : [OK]"

     # WHOIS Out
     iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
     echo "- WHOIS : [OK]"

     # FTP Out
     iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
     iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT

     # FTP In (30000:50000 must match the passive port range configured in your FTP server)
     iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
     iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
     iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     echo "- FTP : [OK]"

     # HTTP + HTTPS Out
     iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
     iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

     # HTTP + HTTPS In
     iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
     iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
     echo "- HTTP/HTTPS : [OK]"

     # Mail SMTP:25
     iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
     iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
     echo "- SMTP : [OK]"

     # Mail POP3:110
     iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
     iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
     echo "- POP : [OK]"

     # Mail IMAP:143
     iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
     iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
     echo "- IMAP : [OK]"

     # Kloxo panel (7777 HTTP, 7778 HTTPS)
     iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
     iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
     echo "- Kloxo : [OK]"

     echo "- Firewall [OK]"
     exit 0
     ;;
 stop)
     echo "Stopping Firewall... "
     iptables -P INPUT ACCEPT
     iptables -P OUTPUT ACCEPT
     iptables -t filter -F
     echo "Firewall Stopped!"
     exit 0
     ;;
 restart)
     /etc/init.d/firewall stop
     /etc/init.d/firewall start
     ;;
 *)
     echo "Usage: /etc/init.d/firewall {start|stop|restart}"
     exit 1
     ;;
 esac


Make it executable by root only: chmod 700 /etc/init.d/firewall

Register the service: chkconfig --add firewall

Start it automatically at boot: chkconfig --level 2345 firewall on

Start the firewall: /etc/init.d/firewall start

Do the first start from a console or out-of-band session rather than over SSH: with INPUT and OUTPUT defaulting to DROP, a typo in the SSH rule locks you out of a remote machine.


If you have a slave server, add these lines to the start) section of /etc/init.d/firewall on the master, before its exit 0 (rules added by hand are flushed the next time the script runs):

 iptables -t filter -A INPUT -p tcp -s SLAVE_IP --dport 7779 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP --dport 7779 -j ACCEPT

Note: replace SLAVE_IP with the IP of your slave server.

Add these lines in the same place on the slave server (replace MASTER_IP with the IP of the master):

 iptables -t filter -A INPUT -p tcp -s MASTER_IP --dport 7779 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -d MASTER_IP --dport 7779 -j ACCEPT
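The following POSIX shell script is an added check, written for this page and not part of the original wiki or of Kloxo: it audits an iptables -S dump for the properties the firewall script above and the master/slave rules are meant to guarantee (DROP policies, loopback accepted, the syn-flood chain actually reached from INPUT, the panel ports open, and SSH plus port 7779 limited to an explicit source). The two dumps embedded at the bottom are constructed by hand, and 203.0.113.10 / 198.51.100.7 are placeholder admin and slave addresses.

```shell
#!/bin/sh
# Audit an "iptables -S" dump for the properties the Kloxo firewall script
# on this page is meant to guarantee. Added example, not part of the wiki
# page or of Kloxo; the dumps at the bottom are constructed, and
# 203.0.113.10 / 198.51.100.7 are placeholder admin and slave addresses.

# audit_kloxo_fw "<output of iptables -S>"
# Prints one FAIL line per problem and returns the number of findings.
audit_kloxo_fw() {
    dump=$1
    findings=0

    # 1. All three built-in chains must default to DROP.
    for chain in INPUT FORWARD OUTPUT; do
        if ! printf '%s\n' "$dump" | grep -q -e "^-P $chain DROP\$"; then
            echo "FAIL: policy of $chain is not DROP"
            findings=$((findings + 1))
        fi
    done

    # 2. Loopback must be accepted or Kloxo's local services stop talking.
    if ! printf '%s\n' "$dump" | grep -q -e '^-A INPUT -i lo -j ACCEPT$'; then
        echo "FAIL: loopback traffic is not accepted"
        findings=$((findings + 1))
    fi

    # 3. The syn-flood chain must exist AND be jumped to from INPUT; a chain
    #    nothing jumps to never sees a packet. iptables -S prints --syn as
    #    --tcp-flags ..., so match on the jump target, not on the flags.
    if printf '%s\n' "$dump" | grep -q -e '^-N syn-flood$'; then
        if ! printf '%s\n' "$dump" | grep -q -e '^-A INPUT .*-j syn-flood$'; then
            echo "FAIL: syn-flood chain is defined but INPUT never jumps to it"
            findings=$((findings + 1))
        fi
    else
        echo "FAIL: syn-flood chain is missing"
        findings=$((findings + 1))
    fi

    # 4. The Kloxo panel ports (7777 HTTP, 7778 HTTPS) must be reachable.
    if ! printf '%s\n' "$dump" | grep -q -e '^-A INPUT .*--dport 7777:7778 .*-j ACCEPT$'; then
        echo "FAIL: Kloxo panel ports 7777:7778 are not accepted"
        findings=$((findings + 1))
    fi

    # 5. SSH (22) and the Kloxo master/slave port (7779) must be accepted
    #    only from an explicit source (-s), never from any address.
    for port in 22 7779; do
        open=$(printf '%s\n' "$dump" \
            | grep -e "^-A INPUT .*--dport $port .*-j ACCEPT\$" \
            | grep -vc -e ' -s ' || true)
        if [ "$open" -gt 0 ]; then
            echo "FAIL: $open ACCEPT rule(s) for tcp/$port have no source restriction"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# Constructed dump of the ruleset as published: syn-flood chain present but
# unreferenced, SSH accepted from anywhere.
BAD_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N syn-flood
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP'

# Constructed dump of a hardened ruleset: INPUT jumps to syn-flood, SSH and
# port 7779 are each limited to one source address.
GOOD_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N syn-flood
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 7779 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP'

echo "== ruleset as published =="
audit_kloxo_fw "$BAD_DUMP" || echo "$? finding(s)"   # 2 finding(s)
echo "== hardened ruleset =="
audit_kloxo_fw "$GOOD_DUMP" && echo "clean"
```

On a live server run it against the real ruleset with audit_kloxo_fw "$(iptables -S)"; a non-zero return value is the number of problems found, so it drops straight into a cron job or a post-deploy check. The checks match on the textual form iptables -S produces, which is why the syn-flood test looks for the jump target rather than for --syn.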
