You are writing a comment about Creating my Dream Server for Django, here is a quick summary:

Recently I redid my server to have a solid Django serving atmosphere: apache2, Python 2.5, memcached, lighttpd for serving static media. These are the cleaned up and formatted notes I used to guide myself through the installation process on my 256 meg SliceHost slice.


You are responding to this comment written by Ian on January 3rd 2008, 23:33.

Here are the steps that I used to set up iptables on my slice.

Note that these instructions assume that iptables is currently configured to accept all connections, which is the original state for a new Ubuntu slice.

Set up iptables according to https://help.ubuntu.com/community/IptablesHowTo. Note that the SSH port might not be the standard port (22) for security reasons (it might have been changed to another number in your setup of SSH; see "Get started with your new Ubuntu slice").

Also, the line accepting connections on port 443 (the standard HTTPS port) is optional.

Become the root user, and set a shell variable naming your SSH port:

sudo -i
export SSH_PORT=<put your ssh port number here>

Make a new chain to log, then drop, disallowed connections (this is optional, but if not used then be sure to make the change described below for when logging is not desired):

iptables -N LOGNDROP

Then set up the chains:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LOGNDROP
iptables -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
iptables -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
iptables -A LOGNDROP -j DROP

If you don't care about logging denied attempts (and didn't create the LOGNDROP chain above), change the line:

iptables -A INPUT -j LOGNDROP

to

iptables -A INPUT -j DROP

and don't bother with any more of the lines.

Take a look at the setup (if you are interested):

iptables -L

To restore this iptables configuration after a reboot, save the iptables configuration in a new file, /etc/iptables.up.rules, and add a line at the end of the file /etc/network/interfaces to read it in:

iptables-save > /etc/iptables.up.rules
echo "pre-up iptables-restore < /etc/iptables.up.rules" >> /etc/network/interfaces

Stop being the root user:

exit

