
Firewall Untuk Web Server Ubuntu IPTABLES

Berikut Firewall untuk web server dan database sederhana tapi secure.

Langsung saja copy script berikut:
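#!/bin/sh
#### IPTABLES V1.1 by ariecc 21-03-2012 ####
#
# Host firewall for a web + database server: default-deny on INPUT,
# FORWARD and OUTPUT, a short allow-list of service ports, and rate-limited
# logging of everything that is dropped.  Must run as root; re-running it
# replaces the previous rule set.
#
# Dry run (print the commands instead of loading them):
#   IPT="echo /sbin/iptables" sh myfw.sh
#
# The policies are set to DROP before the allow rules are appended, so if
# the script is interrupted half-way the host may be unreachable; load it
# from the console or with an out-of-band way back in.
IPT=${IPT:-/sbin/iptables}

### Standard ports ###
### Add a number here if you want to allow it ###
# All of these are TCP services (ssh, pop3, https, pop3s, submission, imap,
# mysql).  Note that 3306 is reachable from every source with this list;
# if the database clients are known, prefer a dedicated rule restricted
# with -s <trusted-network> instead of listing it here.
REG_PORTS="22,110,443,995,587,143,3306"

# Flush every chain, then delete the user-defined ones.  Without -X the
# "-N MY_DROP" / "-N LOGGING" calls below fail on a second run and the old
# rules in those chains are kept.
$IPT -F
$IPT -X

### Policies (default rules)
## DROP all connections in INPUT, FORWARD and OUTPUT
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# New chain to block port scanners and malformed packets.
# The LOG target is rate-limited so a scan cannot fill the log.
$IPT -N MY_DROP
$IPT -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP"
$IPT -A MY_DROP -j DROP
$IPT -N LOGGING

### Input chain

## Allow from loopback
$IPT -A INPUT -i lo -j ACCEPT

## Allow responses
# Only packets belonging to a connection this host already knows about.
# v1.1 also matched NEW here, which accepted every inbound connection
# before any port or flag rule below was reached; that is the fix.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are never useful to a service.
$IPT -A INPUT -m state --state INVALID -j DROP

## Scan-style / impossible TCP flag combinations are rejected before any
## ACCEPT rule so that they cannot get through on an allowed port.
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP

## Prevent DOS attack | monitored
# The limit is shared by all clients (not per source); new HTTP packets
# above it fall through to LOGGING and are dropped.
$IPT -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

## Improve v1.1
$IPT -A INPUT -p tcp -m multiport --dports "$REG_PORTS" -j ACCEPT
# Kept from v1.1 for compatibility; none of the listed services speak UDP,
# so this rule can be removed unless a UDP service is added to the list.
$IPT -A INPUT -p udp -m multiport --dports "$REG_PORTS" -j ACCEPT

# Everything else: log (rate-limited, debug level) and drop.
$IPT -A INPUT -j LOGGING
$IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "INPUT|Packet Dropped: " --log-level 7
$IPT -A LOGGING -j DROP

### Forward chain
## Accept ESTABLISHED,RELATED
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## Same flag checks as INPUT, again ahead of every ACCEPT.
$IPT -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

## Prevent DOS attack | monitored
# Mirrors the INPUT rule; v1.1 had "-p udp" here, which HTTP does not use.
$IPT -A FORWARD -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

## Improve v1.1
$IPT -A FORWARD -p tcp -m multiport --dports "$REG_PORTS" -j ACCEPT
$IPT -A FORWARD -p udp -m multiport --dports "$REG_PORTS" -j ACCEPT
# Allow DNS
$IPT -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### Output chain
## Accept ESTABLISHED,RELATED
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

## Connections this host may open itself
# Only plain HTTP is allowed outbound; add a "--dport 443" rule if package
# updates or other clients on this host need HTTPS.
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
## Allow the server to reach DNS servers
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
# Allow specific ports and ping.
# Replies from the local services are already covered by ESTABLISHED above;
# these --sports rules additionally let the host open new connections whose
# source port is one of the listed ports.
$IPT -A OUTPUT -p tcp -m multiport --sports "$REG_PORTS" -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --sports "$REG_PORTS" -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT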

Simpan sebagai file .sh dan atur permission-nya:
nano myfw.sh
chmod 755 myfw.sh

Agar dapat berjalan setiap kali booting, tambahkan baris berikut ke /etc/rc.local (letakkan sebelum baris `exit 0` agar tetap dijalankan):
nano /etc/rc.local
sh /root/myfw.sh
