Hello everyone,
Since I said goodbye to Plesk, I came across the great IMSCP here and am currently trying it out.
My question: can the server's firewall also be managed with it?
Hello;
There is no firewall module ATM in i-MSCP. You can always manage it using your own interface or with iptables directly.
I am currently using the following iptables rules. It all seems to be working so far but could be improved. It may be a good starting point for you.
POP3 - Allow pop3 access for both SSL and plain authentication (working)
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
IMAP - Allow imap access for SSL and plain authentication (working)
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
SMTP MAIL SUBMISSION EG FROM EMAIL CLIENT - CONFIRMED AND WORKING
iptables -A INPUT -i eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
SMTP MAIL SERVER TO MAIL SERVER - CONFIRMED AND WORKING
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
SMTP TLS - CONFIRMED AND WORKING
iptables -A INPUT -i eth0 -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
SSHD - Allow outside ssh connections (working)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
IMSCP NGINX - Allow outside control panel http connections to nginx (working)
iptables -A INPUT -i eth0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
IMSCP NGINX SSL - Allow outside control panel https connections to nginx (working)
iptables -A INPUT -i eth0 -p tcp --dport 4443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 4443 -m state --state ESTABLISHED -j ACCEPT
HTTP - Allow outside http connections (working)
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
HTTPS - Allow outside https connections (working)
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
FTP - Allows both active & passive connections with or without SSL (needs further testing as ip_conntrack does not work with SSL)
FTP passive ports need to be edited; need to make a listener that does this.
Requires
ip_conntrack
ip_conntrack_ftp
to be added to /etc/modules
# On current kernels these modules are named nf_conntrack and nf_conntrack_ftp
# (the ip_conntrack* names still load as aliases).
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Active mode: the server opens the data connection from port 20, so replies arrive with --dport 20.
iptables -A INPUT -i eth0 -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Passive mode: only the server side of the data connection is in the passive range.
# The client's source port is whatever its OS picks, so it must not be matched here
# (the original rules required --sport in the same range and would block such clients).
iptables -A INPUT -i eth0 -p tcp --dport 49152:65534 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 49152:65534 -m state --state ESTABLISHED,RELATED -j ACCEPT
DNS - To allow lookup from outside in and inside out for both TCP & UDP protocols (Tested and seems to be working correctly)
iptables -A INPUT -i eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
MYSQL - Allows outside connections to mysql server (needs to be tested)
iptables -A INPUT -i eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
PINGING - Allows outside to inside and inside to outside ping requests (working)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
LOOPBACK INTERFACE - Allow no restrictions for 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ALLOWING SERVER TO CONNECT TO INTERNET - NEEDS IMPROVING
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
What about adding "-m owner --uid-owner postfix" to your SMTP firewalling? It prevents anybody (scripts, for example, and even root) except postfix from sending mail.
I didn't even know that feature existed. Thanks for the tip.
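The ruleset posted above and the "-m owner --uid-owner postfix" suggestion, consolidated into one script, as an added example that is not code from the thread or from the i-MSCP project. It assumes: the public interface is eth0 (as in the thread), IPv4 only, an iptables with the conntrack match and the CT target, Postfix's SMTP client running as the system user "postfix", a passive range of 49152:65534 that is also configured in the FTP daemon (e.g. ProFTPD's PassivePorts), and that MySQL is reached over loopback only, so port 3306 is deliberately left closed to the outside. The per-port "ESTABLISHED" lines from the thread collapse into one conntrack rule per chain, the passive-FTP rule no longer constrains the client's source port, and outbound SMTP is allowed only for the postfix user, with anything else logged and rejected.

```shell
#!/bin/sh
# Added example (not from the thread or the i-MSCP project). Assumptions:
# WAN interface eth0, IPv4, Postfix SMTP client runs as user "postfix",
# passive FTP range 49152:65534 configured in the FTP daemon, MySQL local only.

WAN="${WAN:-eth0}"
PASSIVE_FTP="${PASSIVE_FTP:-49152:65534}"
# TCP ports that may receive NEW connections from anywhere (no 3306).
PUBLIC_TCP="21 22 25 53 80 110 143 443 465 587 993 995 4443 8080"

# run: execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

fw_reset() {
    # Flush everything and start from deny-by-default in all three chains.
    ipt -F; ipt -X; ipt -t raw -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

fw_apply() {
    fw_reset
    # Loopback: unrestricted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # One conntrack rule per chain replaces every per-port ESTABLISHED line.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Inbound services: only NEW needs listing now.
    for port in $PUBLIC_TCP; do
        ipt -A INPUT -i "$WAN" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A INPUT -i "$WAN" -p udp --dport 53 -j ACCEPT

    # FTP: load the helper and bind it to port 21 so data connections are
    # classified RELATED (plain FTP only; the helper cannot read the PASV
    # reply inside TLS, which is the limitation noted in the thread).
    run modprobe nf_conntrack_ftp
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Fallback for FTPS: match the server's listening port only. The client's
    # source port is whatever its OS chose, so it is not matched here.
    ipt -A INPUT -i "$WAN" -p tcp --dport "$PASSIVE_FTP" -m conntrack --ctstate NEW -j ACCEPT
    # Active mode over FTPS: the server opens the data connection from port 20.
    ipt -A OUTPUT -o "$WAN" -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT

    # ICMP echo: rate-limited inbound, unrestricted outbound.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Outbound from the server itself: DNS, and HTTP(S) for package updates.
    ipt -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Outbound SMTP: only the postfix user. A compromised PHP site, a cron job,
    # even a root shell gets logged and rejected. -m owner exists only in the
    # OUTPUT (and POSTROUTING) chain, which is why this cannot be done on INPUT.
    ipt -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 25,465,587 \
        -m owner --uid-owner postfix -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 25,465,587 \
        -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "smtp-not-postfix: "
    ipt -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 25,465,587 \
        -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}

# Usage: DRY_RUN=1 sh firewall.sh      (print the rules without touching the kernel)
#        sudo sh firewall.sh apply     (install them)
if [ "${1:-}" = "apply" ] || [ -n "${DRY_RUN:-}" ]; then
    fw_apply
fi
```

Run it once with DRY_RUN=1 from an SSH session and read the output before applying; with OUTPUT defaulting to DROP, anything the server needs that is not listed (NTP, an off-host database, a monitoring agent) must get its own OUTPUT rule, and the logged "smtp-not-postfix:" lines in the kernel log are the quickest way to spot a web script trying to send mail directly.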
Thank you very much!
But that would be a suggestion to build something like this into the next versions.
Will probably only come with 2.x.x ^^