imscp iptables template

  • Hi,
    I'm wondering if anyone has, or can save out, a solid iptables template that suits imscp. I would like to have it and use it as a base for me to build on.

    Thank you :)

  • Here you go:


    Keep in mind that you need shorewall6 for IPv6 traffic / ip6tables.



    shorewall.conf:
    Mostly standard config, except "ADMINISABSENTMINDED" is activated (see the file routestopped), "ACCOUNTING" is deactivated (imscp does it already) and "IP_FORWARDING" is activated (for SSH forwarding and VPN).

    Code
    ###############################################################################
    #
    # Shorewall Version 4 -- /etc/shorewall/shorewall.conf
    #
    # For information about the settings in this file, type "man shorewall.conf"
    #
    # Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
    ###############################################################################
    #                    S T A R T U P   E N A B L E D
    ###############################################################################
    STARTUP_ENABLED=Yes

    ###############################################################################
    #                          V E R B O S I T Y
    ###############################################################################
    VERBOSITY=1

    ###############################################################################
    #                            L O G G I N G
    ###############################################################################
    LOGFILE=/var/log/messages
    STARTUP_LOG=/var/log/shorewall-init.log
    LOG_VERBOSITY=2
    LOGFORMAT="Shorewall:%s:%s:"
    LOGTAGONLY=No
    LOGRATE=
    LOGBURST=
    LOGALLNEW=
    BLACKLIST_LOGLEVEL=
    MACLIST_LOG_LEVEL=info
    TCP_FLAGS_LOG_LEVEL=info
    SMURF_LOG_LEVEL=info
    LOG_MARTIANS=Yes

    ###############################################################################
    #     L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
    ###############################################################################
    IPTABLES=
    IP=
    TC=
    IPSET=
    PERL=/usr/bin/perl
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    SHOREWALL_SHELL=/bin/sh
    SUBSYSLOCK=""
    MODULESDIR=
    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
    RESTOREFILE=
    IPSECFILE=zones
    LOCKFILE=

    ###############################################################################
    #              D E F A U L T   A C T I O N S / M A C R O S
    ###############################################################################
    DROP_DEFAULT="Drop"
    REJECT_DEFAULT="Reject"
    ACCEPT_DEFAULT="none"
    QUEUE_DEFAULT="none"
    NFQUEUE_DEFAULT="none"

    ###############################################################################
    #                   R S H / R C P   C O M M A N D S
    ###############################################################################
    RSH_COMMAND='ssh ${root}@${system} ${command}'
    RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

    ###############################################################################
    #                   F I R E W A L L   O P T I O N S
    ###############################################################################
    IP_FORWARDING=On
    ADD_IP_ALIASES=No
    ADD_SNAT_ALIASES=No
    RETAIN_ALIASES=No
    TC_ENABLED=Internal
    TC_EXPERT=No
    TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
    CLEAR_TC=Yes
    MARK_IN_FORWARD_CHAIN=No
    CLAMPMSS=No
    ROUTE_FILTER=Yes
    DETECT_DNAT_IPADDRS=No
    MUTEX_TIMEOUT=60
    ADMINISABSENTMINDED=Yes
    BLACKLISTNEWONLY=Yes
    DELAYBLACKLISTLOAD=No
    MODULE_SUFFIX=ko
    DISABLE_IPV6=No
    BRIDGING=No
    DYNAMIC_ZONES=No
    PKTTYPE=Yes
    NULL_ROUTE_RFC1918=No
    MACLIST_TABLE=filter
    MACLIST_TTL=
    SAVE_IPSETS=No
    MAPOLDACTIONS=No
    FASTACCEPT=No
    IMPLICIT_CONTINUE=No
    HIGH_ROUTE_MARKS=No
    USE_ACTIONS=Yes
    OPTIMIZE=0
    EXPORTPARAMS=Yes
    EXPAND_POLICIES=Yes
    KEEP_RT_TABLES=No
    DELETE_THEN_ADD=Yes
    MULTICAST=No
    DONT_LOAD=
    AUTO_COMMENT=Yes
    MANGLE_ENABLED=Yes
    USE_DEFAULT_RT=No
    RESTORE_DEFAULT_ROUTE=Yes
    AUTOMAKE=No
    WIDE_TC_MARKS=No
    TRACK_PROVIDERS=No
    ZONE2ZONE=2
    ACCOUNTING=No
    DYNAMIC_BLACKLIST=Yes
    OPTIMIZE_ACCOUNTING=No
    LOAD_HELPERS_ONLY=No
    REQUIRE_INTERFACE=No
    FORWARD_CLEAR_MARK=Yes
    SMURF_DISPOSITION=DROP

    ###############################################################################
    #                  P A C K E T   D I S P O S I T I O N
    ###############################################################################
    BLACKLIST_DISPOSITION=DROP
    MACLIST_DISPOSITION=REJECT
    TCP_FLAGS_DISPOSITION=DROP
    #LAST LINE -- DO NOT REMOVE


    zones:
    Just ignore the VPN part.

    Code
    #
    # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
    # Copyright (C) 2006 by the Shorewall Team
    #
    # This library is free software; you can redistribute it and/or
    # modify it under the terms of the GNU Lesser General Public
    # License as published by the Free Software Foundation; either
    # version 2.1 of the License, or (at your option) any later version.
    #
    # See the file README.txt for further details.
    #-----------------------------------------------------------------------------
    # For information about entries in this file, type "man shorewall-zones"
    ###############################################################################
    #ZONE   TYPE        OPTIONS         IN              OUT
    #                                   OPTIONS         OPTIONS
    fw      firewall
    net     ipv4
    vpn     ipv4


    interfaces:

    Code
    #
    # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
    # Copyright (C) 2006 by the Shorewall Team
    #
    # This library is free software; you can redistribute it and/or
    # modify it under the terms of the GNU Lesser General Public
    # License as published by the Free Software Foundation; either
    # version 2.1 of the License, or (at your option) any later version.
    #
    # See the file README.txt for further details.
    #------------------------------------------------------------------------------
    # For information about entries in this file, type "man shorewall-interfaces"
    ###############################################################################
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        -           logmartians,nosmurfs
    vpn     tun0        detect      dhcp,optional
    -       lo          -           ignore


    policy:

    Code
    # For information about entries in this file, type "man shorewall-policy"
    ###############################################################################
    #SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
    $FW         net         ACCEPT
    $FW         vpn         ACCEPT
    vpn         net         ACCEPT
    vpn         $FW         ACCEPT
    # The FOLLOWING POLICY MUST BE LAST
    all         all         REJECT


    params:
    I once had multiple IPs (each with different open ports) and configured them here.

    Code
    # file gets executed by sh
    IP_0=myipv4


    rules:
    - In a single-IP setup you just need to write $FW instead of $FW:$IP_0.
    - Standard ports are the imscp services except MySQL, but include SSH port 22 and all the SSL ports for mail and HTTP.
    - If your server serves DNS for some domains, open port 53.
    - Set the proftpd passive ports to what is configured in your proftpd.conf.
    - The rules file for IPv6 is really the same, but the ICMP protocol is named "ipv6-icmp".


    Code
    #ACTION     SOURCE      DEST            PROTO   DEST    SOURCE      ORIGINAL    RATE    USER/   MARK
    #                                               PORT    PORT(S)     DEST        LIMIT   GROUP
    SECTION ALL
    SECTION ESTABLISHED
    SECTION RELATED
    SECTION NEW

    # all -> all
    # Policy: reject
    ACCEPT      all         all             icmp

    # internet -> server
    # policy: reject
    COMMENT Standard ports
    ACCEPT      net         $FW:$IP_0       tcp     21,22,25,80,110,143,443,465,587,993,995
    #ACCEPT     net         $FW:$IP_0       tcp,udp 53
    COMMENT proftpd passive ports
    ACCEPT      net         $FW:$IP_0       tcp     60000:65535
    COMMENT ejabberd
    ACCEPT      net         $FW:$IP_0       tcp     5222,5269,8010
    COMMENT Minecraft
    ACCEPT      net         $FW:$IP_0       tcp     25565
    COMMENT VNC
    ACCEPT      net         $FW:$IP_0       tcp     5901:5909
    COMMENT openVPN
    ACCEPT      net         $FW:$IP_0       tcp,udp 1194


    routestopped:
    If you stop* shorewall/shorewall6, the rules here are activated.
    If you activate ADMINISABSENTMINDED, then open connections stay active; otherwise they would be cut off. The server can also make new connections to the internet.

    Code
    #INTERFACE  HOST(S)     OPTIONS                 PROTO   DEST        SOURCE
    #                                                       PORT(S)     PORT(S)
    eth0        -           source,dest,notrack     tcp     22


    * Stopping shorewall means stopping all the traffic from/to the server. It's somehow an emergency brake. But be aware, this does not help against UDP DDoS attacks.



    Hope it helps ;)
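An added example, not code from the post above and not part of i-MSCP or Shorewall: a small POSIX sh script that cross-checks a Shorewall rules file of the kind posted above against the TCP ports the host actually listens on. It reports two things a defender wants to know before trusting a template: listening ports that no ACCEPT rule from zone "net" covers (the service is reachable only locally or over the VPN zone, which for MySQL is exactly the intent stated in the post), and ACCEPT entries that nothing listens behind (surplus exposure that can be dropped from the rules file). Assumptions: the rules file and a file with one listening port per line are passed as paths; the sample rules mirror the post's rules block and the listener list is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a Shorewall "rules" file against listening TCP ports.
# Usage on a live host (assumed, not from the post):
#   ss -Hltn | awk '{print $4}' | sed 's/.*://' | sort -un > listen.txt
#   listening_but_not_allowed /etc/shorewall/rules listen.txt
#   allowed_but_not_listening /etc/shorewall/rules listen.txt

# Print the DEST PORT tokens ("22" or "60000:65535") of every uncommented
# ACCEPT rule from zone "net" whose protocol column includes tcp.
# Commented rules start with "#ACCEPT", so $1 == "ACCEPT" skips them.
allowed_tcp_tokens() {
    awk '$1 == "ACCEPT" && $2 == "net" && ($4 == "tcp" || $4 == "tcp,udp" || $4 == "udp,tcp") {
            n = split($5, t, ","); for (i = 1; i <= n; i++) print t[i]
        }' "$1"
}

# Exit 0 when port $1 lies inside token $2 (single port or LO:HI range).
port_in_token() {
    case "$2" in
        *:*) [ "$1" -ge "${2%%:*}" ] && [ "$1" -le "${2#*:}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# Finding 1: listening ports that the net zone cannot reach.
listening_but_not_allowed() {    # $1 rules file, $2 listener file
    tokens=$(allowed_tcp_tokens "$1")
    while IFS= read -r port; do
        [ -n "$port" ] || continue
        hit=0
        for tok in $tokens; do
            if port_in_token "$port" "$tok"; then hit=1; break; fi
        done
        if [ "$hit" -eq 0 ]; then echo "$port"; fi
    done < "$2"
}

# Finding 2: ACCEPT tokens with no listener behind them (surplus exposure).
allowed_but_not_listening() {    # $1 rules file, $2 listener file
    for tok in $(allowed_tcp_tokens "$1"); do
        hit=0
        while IFS= read -r port; do
            if [ -n "$port" ] && port_in_token "$port" "$tok"; then hit=1; break; fi
        done < "$2"
        if [ "$hit" -eq 0 ]; then echo "$tok"; fi
    done
}

# Constructed sample rules, mirroring the post's rules block (single-IP form).
write_sample_rules() {
cat > "$1" <<'EOF'
#ACTION   SOURCE  DEST        PROTO    DEST PORT(S)
SECTION NEW
ACCEPT    all     all         icmp
COMMENT Standard ports
ACCEPT    net     $FW:$IP_0   tcp      21,22,25,80,110,143,443,465,587,993,995
#ACCEPT   net     $FW:$IP_0   tcp,udp  53
COMMENT proftpd passive ports
ACCEPT    net     $FW:$IP_0   tcp      60000:65535
COMMENT ejabberd
ACCEPT    net     $FW:$IP_0   tcp      5222,5269,8010
COMMENT Minecraft
ACCEPT    net     $FW:$IP_0   tcp      25565
COMMENT VNC
ACCEPT    net     $FW:$IP_0   tcp      5901:5909
COMMENT openVPN
ACCEPT    net     $FW:$IP_0   tcp,udp  1194
EOF
}

# Constructed listener list: the i-MSCP services plus DNS, MySQL and a
# stray web app on 8080 that the rules file never opened.
write_sample_listeners() {
cat > "$1" <<'EOF'
21
22
25
53
80
110
143
443
465
587
993
995
3306
8080
EOF
}

# Demonstration run on the constructed files.
WORK=$(mktemp -d)
write_sample_rules "$WORK/rules"
write_sample_listeners "$WORK/listen"
echo "Listening but not accepted from net (local/VPN only):"
listening_but_not_allowed "$WORK/rules" "$WORK/listen"
echo "Accepted from net but nothing listens (surplus exposure):"
allowed_but_not_listening "$WORK/rules" "$WORK/listen"
rm -rf "$WORK"
```

On the sample data the first list is 53, 3306 and 8080: DNS stays closed because the 53 rule is commented out (as the post suggests, uncomment it only if the box serves DNS), MySQL is unreachable from the net by design, and 8080 is a listener the template was never told about. The second list names the passive-FTP range, ejabberd, Minecraft, VNC and OpenVPN entries, which is the set to delete on a box that runs only i-MSCP.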