Use this iptables script for Web/Mail server security

Jack Wallen
Oct 3, 2009
Updated • Nov 30, 2012

Security. Ah, security. It's the make or break for administrators on so many levels. For the Linux operating system you could go in so many directions with your security. You could go with a graphical front-end and make life easy but lose some flexibility. Or you could go the far more challenging route and use command-line iptables. I will say the GUI tools have come a long way, but in some instances the ease of use they offer gets in the way of being able to granularly configure your server/network security.

When you spend a lot of time creating and administering the web/mail server combination, it's always good to have a solution that is easy to put in place. I have found one that I have used for a while now and trust for its security and ease of use. This "system" uses a fairly complex iptables script in which only a single line needs to be modified to get sound security for a web/mail server that serves web pages via Apache on port 80, mail via SMTP on port 25, and IMAP on port 143. Included in this script is the inclusion of port 25 for secure shell access.

You will be surprised how simple this script is to use. I have uploaded the script to a pastebin site which you can access using this address. Copy that script to your Linux server (for the sake of simplicity save it in ~/scripts, which you will create) and you are ready to set the system up.

Configuration

The only line you need to configure (unless you need to change the networking device name and/or want to include extra ports or remove ports from the script) is line 8. This line looks like:

SCRIPT_DIR="/PATH/TO/DIRECTORY"

What you want there is the directory in which the script records any IP address blocked by the firewall. For the purposes of this tutorial it will be saved in ~/scripts.

Once you have that edited you can save the file and call it start_iptables.sh. Now give the file executable permission with the command:

chmod u+x start_iptables.sh

Now create a new file called stop_iptables.sh. The contents of that file will be:

#!/bin/sh
# Flush every rule and delete all user-defined chains in the filter, nat and
# mangle tables, then reset the default policies to ACCEPT so that all traffic
# is allowed again once the firewall is stopped.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Make that file executable with the command:

chmod u+x stop_iptables.sh

The former script starts your firewall; the latter script stops it.
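The article links to the start script rather than showing it, so here is an added example of what a start script for the policy described above looks like. It is not the author's pastebin script; the variable names, the default interface name, the log rule and the practice of saving the applied rule set into SCRIPT_DIR are all assumptions made for this illustration. Running it with no argument only prints the rules, so the rule set can be reviewed before it touches the kernel; `start_iptables.sh apply` actually loads it.

```shell
#!/bin/sh
# Added example (not the article's script): default-deny inbound firewall for a
# web/mail host exposing SSH (22), SMTP (25), HTTP (80) and IMAP (143).
set -eu

# Directory where the applied rule set is recorded (the article's "line 8").
SCRIPT_DIR="${SCRIPT_DIR:-$HOME/scripts}"
# Network interface the accept rules are bound to (assumed name; adjust it).
IFACE="${IFACE:-eth0}"
# TCP services that may receive new connections from the outside.
OPEN_TCP_PORTS="22 25 80 143"

# Print the iptables commands for the policy instead of running them, so the
# rule set can be reviewed or tested before it is applied.
build_rules() {
    echo "iptables -F"
    echo "iptables -X"
    # Default deny for inbound and forwarded traffic; the host may talk out.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback traffic and replies to connections the server itself opened.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets that do not belong to any known connection are dropped early.
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # One accept rule per published service, limited to new connections.
    for port in $OPEN_TCP_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what the default policy is about to drop, so blocked
    # sources show up in syslog and can be reviewed later.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"IPTABLES DROP: \" --log-level 4"
}

# Apply the generated rules and keep a copy of exactly what was loaded.
apply_rules() {
    mkdir -p "$SCRIPT_DIR"
    build_rules | tee "$SCRIPT_DIR/rules.applied" | sh -e
    echo "Starting IPv4 Wall..."
}

# Only touch the firewall when explicitly asked to; otherwise just show the rules.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

After `sudo ./start_iptables.sh apply`, `sudo iptables -L -n -v` should show the INPUT policy as DROP, one ACCEPT line per port in OPEN_TCP_PORTS, and the LOG rule last; dropped packets then appear in the kernel log with the `IPTABLES DROP:` prefix.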

Starting this script

You can start and stop this script any time you feel like with the command:

sudo ~/scripts/start_iptables.sh

If there are no errors you should see something like:

Starting IPv4 Wall...

You can also check to see by listing all of your iptables chains with the command:

sudo iptables -L

Stopping the firewall is done with the command:

sudo ~/scripts/stop_iptables.sh

Start at bootup

Now let's make the firewall script start when the server boots (should the need arise). Open up the /etc/rc.local file and add the line:

/PATH/TO/scripts/start_iptables.sh

before the "exit 0" line.

Where /PATH/TO/ is the explicit path to the ~/scripts directory (you can't use "~/" in rc.local).

The script will now start at boot.
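Since a start line that uses "~/" or that lands after "exit 0" silently never runs, here is an added check (not from the article) that reads an rc.local file and confirms the start line is present, uses an absolute path, and precedes "exit 0". The sample rc.local contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the rc.local edit.
set -eu

# Reads rc.local content on stdin. Returns 0 when a non-comment line invoking
# start_iptables.sh is present, starts with "/" (rc.local does not expand "~/")
# and comes before the first "exit 0" line; otherwise prints why and returns 1.
check_rc_local() {
    lineno=0
    exit_line=""
    start_line=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            "#"*) ;;                                  # comments are ignored
            *start_iptables.sh*)
                case "$line" in
                    /*) ;;                            # absolute path, as required
                    *) echo "line $lineno: not an absolute path: $line"; return 1 ;;
                esac
                if [ -n "$exit_line" ]; then
                    echo "line $lineno: start line comes after 'exit 0' (line $exit_line)"
                    return 1
                fi
                start_line=$lineno ;;
            "exit 0"*)
                if [ -z "$exit_line" ]; then exit_line=$lineno; fi ;;
        esac
    done
    if [ -z "$start_line" ]; then
        echo "no start_iptables.sh line found"
        return 1
    fi
    return 0
}

# Constructed sample rc.local contents (the /home/admin path is made up).
GOOD_RC='#!/bin/sh -e
/home/admin/scripts/start_iptables.sh
exit 0'
BAD_TILDE='#!/bin/sh -e
~/scripts/start_iptables.sh
exit 0'
BAD_ORDER='#!/bin/sh -e
exit 0
/home/admin/scripts/start_iptables.sh'

# Demo: ./check_rc_local.sh demo   (or feed a real file: check_rc_local < /etc/rc.local)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$GOOD_RC" | check_rc_local && echo "good sample: OK"
    if ! printf '%s\n' "$BAD_TILDE" | check_rc_local; then echo "tilde sample: rejected"; fi
    if ! printf '%s\n' "$BAD_ORDER" | check_rc_local; then echo "order sample: rejected"; fi
fi
```

The same check can be run against the real file with `sudo sh -c 'check_rc_local < /etc/rc.local'` after sourcing the script; it only reads the file and never modifies it.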

Final thoughts

This easy-to-install firewall will add a level of safety to your web/mail server that would be hard to come by with a GUI tool. And if you are using a headless (console only) server, it's the only way to go.


Comments

  1. toby said on June 11, 2011 at 8:58 pm

    Nice, thank you! Rule for ssh is redundant.

  2. Albinootje said on October 9, 2009 at 2:53 am

    >> Included in this script is the inclusion of port 25 for secure shell access.

    You must have meant port 22 instead of port 25 here.
