Berikut firewall sederhana tapi secure untuk web server dan database.
Langsung saja copy script berikut.
Simpan sebagai file .sh dan set permission-nya.
Agar dapat berjalan setiap kali booting
Langsung saja copy script berikut.
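#!/bin/sh
#### IPTABLES V1.1 by ariecc 21-03-2012 ####
#
# Host firewall for a simple web + database server.
# Default policy is DROP on INPUT, FORWARD and OUTPUT. Only the services
# listed in REG_PORTS, HTTP (rate-limited), DNS lookups and ping are allowed;
# everything else is logged (rate-limited) and dropped.
# Must run as root. Re-running is safe: all chains are flushed and the
# custom chains deleted before they are created again.
#
# Fixes relative to v1.1 as published:
#   - the shebang is now the first line, so the kernel honours it;
#   - INPUT no longer ACCEPTs state NEW for every packet (that rule let any
#     inbound connection through before the per-port rules were consulted);
#   - scan/malformed TCP flag checks run before the per-port ACCEPTs, so a
#     bad-flag packet to an open port is still dropped;
#   - "iptables -X" is run after "-F" so "-N MY_DROP" does not fail on the
#     second run;
#   - the forwarded HTTP rule matches tcp (it was udp, which never matches
#     HTTP traffic).

IPT=/sbin/iptables

### Standard ports ###
### Add a number here to allow another service ###
# 22 ssh, 110 pop3, 443 https, 995 pop3s, 587 submission, 143 imap, 3306 mysql
REG_PORTS="22,110,443,995,587,143,3306"

# Reset: flush every rule, then delete user-defined chains (must be empty first).
$IPT -F
$IPT -X

### Policies (default rules) ###
## DROP all connections in INPUT, FORWARD and OUTPUT
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# New chain to block port scanners and malformed packets: log (rate-limited),
# then drop.
$IPT -N MY_DROP
$IPT -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP"
$IPT -A MY_DROP -j DROP

# Catch-all chain for INPUT: log (rate-limited, debug level), then drop.
$IPT -N LOGGING
$IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "INPUT|Packet Dropped: " --log-level 7
$IPT -A LOGGING -j DROP

### Input chain ###
## Allow from loopback
$IPT -A INPUT -i lo -j ACCEPT
## Allow responses: only packets belonging to connections we already track.
## Do NOT add NEW here; that would accept every inbound connection.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Scan / malformed flag combinations, checked before any per-port ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
## HTTP, rate-limited to soften floods (excess falls through to LOGGING)
$IPT -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
## Ping
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
## Improve v1.1: the listed services, tcp and udp
$IPT -A INPUT -p tcp -m multiport --dports "$REG_PORTS" -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dports "$REG_PORTS" -j ACCEPT
## Anything else: log then drop
$IPT -A INPUT -j LOGGING

### Forward chain ###
## Accept ESTABLISHED,RELATED
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Scan / malformed flag combinations, checked before any per-port ACCEPT
$IPT -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
## Forwarded HTTP, rate-limited (tcp: HTTP does not run over udp)
$IPT -A FORWARD -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
## Improve v1.1: the listed services, tcp and udp
$IPT -A FORWARD -p tcp -m multiport --dports "$REG_PORTS" -j ACCEPT
$IPT -A FORWARD -p udp -m multiport --dports "$REG_PORTS" -j ACCEPT
## Allow DNS
$IPT -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp --dport 53 -j ACCEPT
## Ping
$IPT -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### Output chain ###
## Accept ESTABLISHED,RELATED and loopback
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
## Allow the server to open outbound HTTP connections (e.g. package updates)
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
## Allow the server to reach DNS servers
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
## Allow replies from the listed services and outbound ping.
## Note: --sports also permits unsolicited packets with these source ports;
## tracked replies are already covered by the ESTABLISHED,RELATED rule above.
$IPT -A OUTPUT -p tcp -m multiport --sports "$REG_PORTS" -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --sports "$REG_PORTS" -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT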
Simpan sebagai file .sh dan set permission-nya.
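# Two separate commands (on one line, nano would open "chmod", "755" and
# "myfw.sh" as extra files). Paste the firewall script into myfw.sh.
nano myfw.sh
# Make the script executable: owner rwx, group and others r-x.
chmod 755 myfw.sh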
Agar dapat berjalan setiap kali booting
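# Open the boot-time script for editing.
nano /etc/rc.local
# Add the line below inside /etc/rc.local (before a trailing "exit 0", if the
# file has one). The path must match where myfw.sh was saved.
sh /root/myfw.sh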