Archive for the tag 'Rules'

How to Inspect and Activate Default Rules

View the currently-enforced iptables rules by running the command:

# iptables -nL --line-numbers

The command is analogous for the ip6tables program.

If the firewall does not appear to be active (i.e., no rules appear), activate it and ensure that it starts at boot by issuing the following commands (and analogously for ip6tables):

# service iptables restart
# chkconfig iptables on
SBDavid
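
The inspection step above is easy to script. The following is an added example, not part of the original post: it parses the text that `iptables -nL --line-numbers` prints (each rule line starts with its number, so counting those tells you whether anything is loaded) and flags chains that are both empty and set to policy ACCEPT, which is the "firewall not active" state the post describes. The two listings embedded in the script are constructed samples shaped like a stock RHEL/CentOS 6 ruleset and like a host with nothing loaded; on a real host pass it the live output instead.

```shell
#!/bin/sh
# Added example (not from the original post): decide from the output of
# `iptables -nL --line-numbers` whether the firewall is actually enforcing
# anything. Rule lines begin with a number because of --line-numbers, so
# we count those and warn about chains that are empty with policy ACCEPT.

# Constructed sample: a host with the usual default rules loaded.
SAMPLE_ACTIVE='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# Constructed sample: no rules at all, i.e. the firewall is not active.
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# count_rules LISTING -> total number of rule lines across all chains
count_rules() {
    printf '%s\n' "$1" | awk '/^[0-9]+ / { n++ } END { print n + 0 }'
}

# open_chains LISTING -> names of chains that hold no rules and whose
# policy is ACCEPT, so every packet passes through them unfiltered
open_chains() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (chain != "" && rules == 0 && policy == "ACCEPT)") print chain
        }
        /^Chain /  { flush(); chain = $2; policy = $4; rules = 0; next }
        /^[0-9]+ / { rules++ }
        END        { flush() }'
}

# firewall_active LISTING -> exit status 0 if at least one rule is loaded
firewall_active() {
    [ "$(count_rules "$1")" -gt 0 ]
}

# audit LISTING -> human-readable verdict; on a real host call it as
#   audit "$(iptables -nL --line-numbers)"   (and the same for ip6tables)
audit() {
    if firewall_active "$1"; then
        echo "firewall active: $(count_rules "$1") rule(s) loaded"
    else
        echo "firewall NOT active: no rules loaded" \
             "(run: service iptables restart; chkconfig iptables on)"
    fi
    for chain in $(open_chains "$1"); do
        echo "warning: chain $chain is empty with policy ACCEPT"
    done
}

audit "$SAMPLE_ACTIVE"
audit "$SAMPLE_EMPTY"
```

The empty-chain warning is the part worth keeping even on an "active" host: a FORWARD chain with no rules and policy ACCEPT on a box with IP forwarding enabled is a router, whatever the INPUT chain says.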

SpamAssassin Rules Updates

This feature defines how you would like to update SpamAssassin rules.

Automatic — Automatically update SpamAssassin rules whenever /usr/local/cpanel/scripts/upcp runs.

Manual Updates Only — Requires you to manually run /usr/local/cpanel/scripts/upcp to update SpamAssassin rules.

NEVER Update — SpamAssassin rules do not update when /usr/local/cpanel/scripts/upcp runs.

Predefined Firewall Rules Specifications in Plesk Panel

The following table lists the system services to which you can restrict access using the Firewall’s predefined rules.

Service                                          Ports
-----------------------------------------------  ------------------------------------
Parallels Plesk Panel administrative interface   TCP 8443
Samba (file sharing on Windows networks)         UDP 137, UDP 138, TCP 139, TCP 445
Parallels Plesk Panel VPN                        UDP 1194
WWW server                                       TCP 80, TCP 443
FTP server                                       TCP 21
SSH (secure shell) server                        TCP 22
SMTP (mail sending) server                       TCP 25, TCP 465
POP3 (mail retrieval) server                     TCP 110, TCP 995
IMAP (mail retrieval) server                     TCP 143, TCP 993
Mail password change service                     TCP 106
MySQL server                                     TCP 3306
PostgreSQL server                                TCP 5432
Tomcat administrative interface                  TCP 9008, TCP 9080
Domain name server                               UDP 53, TCP 53

There are some trojans that scan networks for services on ports from 31337 to 31340.

Since no legitimate services communicate via these non-standard ports, blocking them can effectively diminish the chances that potentially infected nodes on your network independently communicate with their remote master servers.

iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN. For example, if your LAN uses the 192.168.1.0/24 range, a rule can make the Internet-facing network device (for example, eth0) drop any packets arriving on that device with a source address in your LAN IP range. Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically.

iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP

The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.

FORWARD and NAT Rules for nodes behind the firewall/gateway

iptables provides routing and forwarding policies. The FORWARD policy allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), the following rules can be set:

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

These rules give systems behind the firewall/gateway access to the internal network. The gateway routes packets from one LAN node to its intended destination node, passing all packets through its eth1 device.

To enable IP forwarding, run the following command:

sysctl -w net.ipv4.ip_forward=1

You can permanently set forwarding by editing the /etc/sysctl.conf file:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Execute the following command to enable the change to the sysctl.conf file:

sysctl -p /etc/sysctl.conf

To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device (in this case, eth0):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall’s external networking device (-o eth0).

POSTROUTING allows packets to be altered as they are leaving the firewall’s external device. The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.

If you wanted to forward incoming HTTP requests to your dedicated Apache HTTP Server system at 192.168.0.10, run the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.10:80

This rule specifies that the NAT table use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address of 192.168.0.10.

The following rule allows forwarding of incoming HTTP requests from the firewall to their intended destination, the Apache HTTP Server system behind the firewall:

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
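
The individual `iptables -A` commands above (the trojan-port block, the anti-spoofing drop, the LAN FORWARD rules, masquerading and the HTTP DNAT) only behave as described when they are loaded in the right order under DROP default policies; appended one at a time, an ACCEPT that lands before the anti-spoof DROP silently disables it. The script below is an added example, not code from the original post: it assembles those rules into one iptables-restore ruleset so the whole set is loaded atomically, and checks the ordering before it is applied. Interface names (eth0 external, eth1 internal), the LAN range 192.168.1.0/24 and the internal web server 192.168.1.10 are assumptions that can be overridden through the environment. It goes slightly beyond the post in two places: the trojan rule covers the whole 31337-31340 range the text mentions rather than a single port, and the inbound FORWARD accept is limited to ESTABLISHED,RELATED reply traffic instead of the bare `-o eth1 -j ACCEPT`, so the only new inbound flow the gateway admits is the published HTTP service.

```shell
#!/bin/sh
# Added example (not from the original post): the gateway rules from the
# text in evaluation order, emitted in iptables-restore format so they load
# atomically. All names and addresses below are assumptions; override them
# with environment variables, e.g. LAN_NET=10.0.0.0/24 ./gateway.sh --show
WAN_IF="${WAN_IF:-eth0}"                    # Internet-facing device
LAN_IF="${LAN_IF:-eth1}"                    # internal device
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # private range behind the gateway
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"    # internal Apache host for the DNAT rule

# gateway_ruleset -> the complete ruleset on stdout (iptables-restore input)
gateway_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the gateway itself: loopback, replies, and SSH management from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# anti-spoofing first: nothing arriving on the WAN side may claim a LAN source
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# trojan back-channel ports 31337-31340, both from the gateway and forwarded
-A OUTPUT -o $WAN_IF -p tcp --dport 31337:31340 -j DROP
-A FORWARD -o $WAN_IF -p tcp --dport 31337:31340 -j DROP
# LAN -> Internet freely, and only replies back in
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the one published inbound service: HTTP to the internal web server (after DNAT)
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SERVER --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# rule_position RULESET PATTERN -> 1-based line of the first line containing
# PATTERN, or 0 if it is absent
rule_position() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        'index($0, pat) { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# check_order -> exit 0 if the anti-spoof DROP precedes every FORWARD ACCEPT
# for WAN->LAN traffic, the ordering mistake that most often undoes the rule
check_order() {
    rs=$(gateway_ruleset)
    spoof=$(rule_position "$rs" "-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP")
    accept=$(rule_position "$rs" "-A FORWARD -i $WAN_IF -o $LAN_IF")
    [ "$spoof" -gt 0 ] && [ "$accept" -gt 0 ] && [ "$spoof" -lt "$accept" ]
}

# enable_forwarding: the sysctl step from the text, made persistent; root only
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
}

case "${1:-}" in
    --show)  gateway_ruleset ;;
    --apply) check_order && enable_forwarding && gateway_ruleset | iptables-restore ;;
    *)       check_order && echo "ruleset ordering OK; use --show or --apply" ;;
esac
```

`--apply` refuses to load anything unless the ordering check passes, and because iptables-restore replaces the tables in one step there is no window in which half the rules are active; to keep the result across reboots on a RHEL-style system, follow it with `service iptables save`.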
