Stop iptables service:
/etc/init.d/iptables stop
==============================
Copy this code to /etc/init.d/firewall (Reminder: Disable “word wrap” in your text editor. Ex.: nano -w /etc/init.d/firewall)
#!/bin/sh
# firewall
# chkconfig: 3 21 91
# description: Starts, stops iptables firewall
case “$1″ in
start)
# Clear rules
iptables -t filter -F
iptables -t filter -X
echo – Clear rules : [OK]
# SSH In
iptables -t filter -A INPUT -p tcp –dport 22 -j ACCEPT
echo – SSH : [OK]
# Don’t break established connections
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
echo – established connections : [OK]
# Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo – Block all connections : [OK]
# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo – Loopback : [OK]
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo – PING : [OK]
# DNS In/Out
iptables -t filter -A OUTPUT -p tcp –dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp –dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp –dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp –dport 53 -j ACCEPT
echo – DNS : [OK]
# NTP Out
iptables -t filter -A OUTPUT -p udp –dport 123 -j ACCEPT
echo – NTP : [OK]
# FTP Out
iptables -t filter -A OUTPUT -p tcp –dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp –dport 30000:50000 -j ACCEPT
# FTP In
iptables -t filter -A INPUT -p tcp –dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp –dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
echo – FTP : [OK]
# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp –dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp –dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp –dport 443 -j ACCEPT
echo – HTTP/HTTPS : [OK]
# Mail SMTP:25
iptables -t filter -A INPUT -p tcp –dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp –dport 25 -j ACCEPT
echo – SMTP : [OK]
# Mail POP3:110
iptables -t filter -A INPUT -p tcp –dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp –dport 110 -j ACCEPT
echo – POP : [OK]
# Mail IMAP:143
iptables -t filter -A INPUT -p tcp –dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp –dport 143 -j ACCEPT
echo – IMAP : [OK]
# Kloxo
iptables -t filter -A INPUT -p tcp –dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp –dport 7777:7778 -j ACCEPT
echo – Kloxo : [OK]
echo – Firewall [OK]
exit 0
;;
stop)
echo “Stopping Firewall: ”
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
exit 0
;;
*)
echo “Usage: /etc/init.d/firewall {start|stop}”
exit 1
;;
esac
===================================
chmod 700 /etc/init.d/firewall
add firewall service:
chkconfig –add firewall
auto start firewall:
chkconfig –level 2345 firewall on
start firewall:
/etc/init.d/firewall start
===================================
If you have slave server, add this on the master
iptables -t filter -A INPUT -p tcp -s SLAVE_IP –dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP –dport 7779 -j ACCEPT
Note: replace SLAVE_IP with your Slave server IP.
===================================
Add this on slave server
iptables -t filter -A INPUT -p tcp -s MASTER_IP –dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP –dport 7779 -j ACCEPT
Note: replace MASTER_IP with your Master server IP.
/etc/init.d/iptables stop
chkconfig –add firewall
chkconfig –level 2345 firewall on
/etc/init.d/firewall start
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP –dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP –dport 7779 -j ACCEPT
Không có nhận xét nào:
Đăng nhận xét