Easy Hosting Control Panel (EHCP) :: Force Edition

EHCP Force Support => Feature Requests => Topic started by: Loren Tedford on April 11, 2015, 04:22:29 am

Title: Setup IPtables automatically with ehcpforce
Post by: Loren Tedford on April 11, 2015, 04:22:29 am
I think it would be cool if there is a way in EHCP that we could have a text editor to automatically set up iptables. An example would be... I am horrible at writing code or anything. Is this possible? Could something like this be done to allow easier use of iptables and adjusting the ports as needed on the main primary account...

Example is for Ubuntu/ Debian

sudo nano /etc/iptables.firewall.rules
/etc/iptables.firewall.rules  Inside the nano editor
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow the hosted services from anywhere: HTTPS (443), FTP (20/21), SSH (22), SMTP (25),
#  DNS (53), HTTP (80), POP3 (110), IMAP (143), mail submission (587) and IMAPS (993).
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p udp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p udp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p udp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p udp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p udp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p udp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

#  Allow SSH connections
#
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
________________________________________________________

After editing iptables.firewall.rules, I think it would be cool if EHCPForce would then automatically apply those, something like this:
sudo iptables-restore < /etc/iptables.firewall.rules

Then have the ability to see the output of sudo iptables -L

Maybe somewhere have something put this in to make it start on update:
sudo nano /etc/network/if-pre-up.d/firewall
inside this file would look like..
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

I always do this afterwards; I guess I have issues with permissions a lot..

sudo chmod +x /etc/network/if-pre-up.d/firewall
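
A pre-flight check for a rules file like the one in the post above, as an added example that is not part of the original thread or of EHCP Force. The names lint_rules, sample_rules and TCP_ONLY are hypothetical, and the TCP-only port list is this example's assumption about the services involved.

```shell
#!/bin/sh
# Added example, not from the thread. TCP_ONLY is this example's assumption:
# ports whose services (FTP, SSH, SMTP, HTTP, POP3, IMAP, submission) use TCP only.
TCP_ONLY="20 21 22 25 80 110 143 587"
# lint_rules [FILE]: print findings (stdin if no FILE); exit status 1 if any.
lint_rules() {
    awk -v ports="$TCP_ONLY" '
    function report(msg) { printf "line %d: %s\n", NR, msg; found = 1 }
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) tcponly[p[i]] = 1 }
    $1 != "-A" { next }    # comments, blank lines, *filter, COMMIT
    {
        proto = port = target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        # Anything appended to INPUT after the catch-all DROP can never match.
        if ($2 == "INPUT" && catchall) { report("never reached, follows the catch-all INPUT DROP on line " catchall); next }
        if ($2 == "INPUT" && NF == 4 && target == "DROP") { catchall = NR; next }
        if (target != "ACCEPT" || port == "") next
        if (proto == "udp" && (port in tcponly))
            report("udp/" port " opened for a TCP-only service")
        key = $2 " " proto "/" port
        if (key in seen) report(proto "/" port " already accepted on line " seen[key])
        else seen[key] = NR
    }
    END {
        if (!catchall) { print "no catch-all DROP on INPUT: default deny missing"; found = 1 }
        exit (found ? 1 : 0)
    }' "$@"
}

# Constructed sample in the shape of the posted file (not the poster's file).
sample_rules() {
    cat <<'EOF'
*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 993 -j ACCEPT
COMMIT
EOF
}

sample_rules | lint_rules || echo "fix these before running iptables-restore"
```

For a real file, call lint_rules /etc/iptables.firewall.rules and follow it with iptables-restore --test, which parses the file without loading it.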

Title: Re: Setup IPtables automatically with ehcpforce
Post by: earnolmartin on April 11, 2015, 09:58:25 am
EHCP Force is not a firewall. It already installs Fail2Ban along with Apache2 security modules designed to help against attacks against the web server. This is really all that needs to be done in my opinion.

Title: Re: Setup IPtables automatically with ehcpforce
Post by: Loren Tedford on April 11, 2015, 02:22:10 pm
OK, thanks. I just thought it would be kinda user friendly to have this within the EHCP panel if it could have been done. Understand.

Title: Re: Setup IPtables automatically with ehcpforce
Post by: earnolmartin on April 11, 2015, 11:01:07 pm
No problem.

Fail2Ban uses iptables for its banning, so I think you're covered.  ;)