Author Topic: Setup IPtables automatically with ehcpforce  (Read 3095 times)

Loren Tedford

  • Jr. Member
  • Posts: 58
  • I love Amateur Radio, VPS and Minecraft!
Setup IPtables automatically with ehcpforce
« on: April 11, 2015, 04:22:29 am »
I think it would be cool if there were a way in EHCP that we could have a text editor to automatically set up iptables. An example would be... I am horrible at writing code or anything. Is this possible? Could something like this be done to allow easier use of iptables and adjusting the ports as needed on the main primary account...

Example is for Ubuntu/Debian

sudo nano /etc/iptables.firewall.rules
Inside the nano editor, /etc/iptables.firewall.rules looks like this:
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow inbound connections to the service ports from anywhere
#  (FTP 20/21, SSH 22, SMTP 25/587, DNS 53, HTTP 80, HTTPS 443, POP3 110, IMAP 143/993)
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p udp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p udp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p udp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p udp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p udp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p udp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

#  Allow SSH connections
#
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
________________________________________________________

After editing iptables.firewall.rules, I think it would be cool if EHCPForce would then automatically apply those, something like this:
sudo iptables-restore < /etc/iptables.firewall.rules

then have the ability to see the output of  sudo iptables -L

Maybe somewhere have something that puts this in to make it start on update:
sudo nano /etc/network/if-pre-up.d/firewall
Inside, this file would look like:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

I always do this afterwards; I guess I have issues with permissions a lot...

sudo chmod +x /etc/network/if-pre-up.d/firewall

« Last Edit: April 11, 2015, 05:09:06 am by Loren Tedford »
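The post above describes a four-step procedure (write /etc/iptables.firewall.rules, apply it with iptables-restore, check with iptables -L, persist it through /etc/network/if-pre-up.d/firewall plus chmod +x). The script below is an added example, not code from this thread or from EHCP Force, that folds those steps into shell functions with the checks a practitioner would want before touching a live ruleset. File paths are the ones from the post; the function names (gen_rules, check_rules, apply_rules, install_hook) and the proto/port argument syntax are assumptions of this example. Two deliberate differences from the posted file: chain policies are set to DROP explicitly in the header so the host fails closed even if the trailing "-A INPUT -j DROP" line is lost, and only the ports you list are opened, which avoids the posted file's udp rules for TCP-only services (22, 25, 80, 110 and so on match nothing useful; udp/53 is the one that matters). It uses the conntrack match rather than the older state match; both exist in stock iptables.

```sh
#!/bin/sh
# Added example, not code from the thread or from EHCP Force: turn the
# "edit a rules file, apply it, persist it" steps of the post into a script.
# Paths follow the post; the function names and the proto/port syntax are mine.

RULES_FILE="${RULES_FILE:-/etc/iptables.firewall.rules}"
HOOK_FILE="${HOOK_FILE:-/etc/network/if-pre-up.d/firewall}"

# gen_rules proto/port... : print an iptables-restore ruleset for the filter
# table. Like the post, everything not listed is rate-limit logged and dropped;
# unlike the post, the chain policies are DROP explicitly, so the host still
# fails closed if the trailing "-A INPUT -j DROP" line ever goes missing.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for spec in "$@"; do
        proto=${spec%/*}
        port=${spec#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_rules: bad protocol in '$spec' (want tcp/N or udp/N)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*|??????*) echo "gen_rules: bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port out of range in '$spec'" >&2; return 1
        fi
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' \
        '-A INPUT -j DROP' \
        'COMMIT'
}

# check_rules FILE : structural checks on a hand-edited rules file, done before
# anything is handed to the kernel. Returns non-zero on the first problem.
check_rules() {
    f=$1
    [ -r "$f" ] || { echo "check_rules: cannot read $f" >&2; return 1; }
    [ "$(head -n 1 "$f")" = '*filter' ] || { echo "check_rules: $f must start with *filter" >&2; return 1; }
    [ "$(tail -n 1 "$f")" = 'COMMIT' ] || { echo "check_rules: $f must end with COMMIT" >&2; return 1; }
    grep -q '^-A INPUT -j DROP$' "$f" || { echo "check_rules: $f has no final 'INPUT -j DROP'" >&2; return 1; }
    # Locking yourself out is the classic failure mode: warn if SSH is not allowed.
    grep -qE -- '--dport 22( |$)' "$f" || echo "check_rules: warning, nothing allows port 22 (SSH)" >&2
    return 0
}

# install_hook FILE : the if-pre-up.d script from the post, with the chmod +x
# folded into the same step so it cannot be forgotten.
install_hook() {
    f=$1
    printf '%s\n' '#!/bin/sh' "/sbin/iptables-restore < $f" > "$HOOK_FILE"
    chmod +x "$HOOK_FILE"
}

# apply_rules FILE : the "apply now, show the result, survive a reboot" part of
# the post. iptables-restore --test parses the file without committing it, so a
# typo is caught before the live ruleset is touched. Needs root.
apply_rules() {
    f=$1
    check_rules "$f" || return 1
    iptables-restore --test < "$f" || { echo "apply_rules: $f rejected by iptables-restore --test" >&2; return 1; }
    iptables-restore < "$f" || return 1
    iptables -L -n -v
    install_hook "$f"
}

# Usage: sh firewall.sh gen tcp/22 tcp/80 tcp/443 udp/53 > /etc/iptables.firewall.rules
#        sudo sh firewall.sh apply /etc/iptables.firewall.rules
case "${1:-}" in
    gen) shift; gen_rules "$@" ;;
    apply) apply_rules "${2:-$RULES_FILE}" ;;
esac
```

Generate the file with gen, review it in an editor as the post does, then apply as root; keep an existing SSH session open while applying, since a rejected or mistyped ruleset is caught by the --test pass but a correct ruleset that simply omits your own port is not.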

earnolmartin

  • Administrator
  • Sr. Member
  • Posts: 302
Re: Setup IPtables automatically with ehcpforce
« Reply #1 on: April 11, 2015, 09:58:25 am »
EHCP Force is not a firewall.  It already installs Fail2Ban along with Apache2 security modules designed to help against attacks against the web server.  This is really all that needs to be done in my opinion.

Loren Tedford

  • Jr. Member
  • Posts: 58
  • I love Amateur Radio, VPS and Minecraft!
Re: Setup IPtables automatically with ehcpforce
« Reply #2 on: April 11, 2015, 02:22:10 pm »
Ok, thanks. I just thought it would be kinda user-friendly to have this within the EHCP panel if it could have been done. I understand.

earnolmartin

  • Administrator
  • Sr. Member
  • Posts: 302
Re: Setup IPtables automatically with ehcpforce
« Reply #3 on: April 11, 2015, 11:01:07 pm »
No problem.

Fail2Ban uses iptables for its banning, so I think you're covered.  ;)