Securing the Kloxo Firewall with IpTables
Iptables is the firewall normally used by Linux and its distributions. If you run Kloxo, there are several firewall settings on your OS that you need to lock down. Below are some basic rules that we can add to iptables. The script must be run as root; note that the RELATED,ESTABLISHED rules are added before the default policies are switched to DROP, so an SSH session that is running the script is not cut off.

```sh
#!/bin/sh
# Clear rules
iptables -t filter -F
iptables -t filter -X
echo "- Clear rules : [OK]"

# SSH In (this setup runs sshd on port 223, not the default 22)
iptables -t filter -A INPUT -p tcp --dport 223 -j ACCEPT
echo "- SSH : [OK]"

# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "- established connections : [OK]"

# Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "- Block all connections : [OK]"

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "- Loopback : [OK]"

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo "- PING : [OK]"

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo "- DNS : [OK]"

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "- NTP : [OK]"

# FTP Out (control ports plus the passive data range)
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
# FTP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "- FTP : [OK]"

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo "- HTTP/HTTPS : [OK]"

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo "- SMTP : [OK]"

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo "- POP : [OK]"

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo "- IMAP : [OK]"

# Kloxo panel (HTTP 7778 / HTTPS 7777)
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
echo "- Kloxo : [OK]"
echo "- Firewall : [OK]"

# save iptables (CentOS/RHEL init script, writes /etc/sysconfig/iptables)
service iptables save
echo "- Firewall Saved : [OK]"

# restart firewall
service iptables restart
echo "- Firewall restarted : [OK]"
```
If you want protection against DoS flooding attacks, you can add the rules below.
```sh
# SYN flooding protection rules
# create a new chain
iptables -N syn-flood
# limit incoming packets (the 10/second budget is shared by all sources, not per client)
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
# log attacks
iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
# silently drop the rest
iptables -A syn-flood -j DROP
# send new TCP connections (SYN only) through the chain; without this jump the
# chain is never consulted. It is inserted at the top of INPUT so it runs before
# the per-service ACCEPT rules added above.
iptables -I INPUT -p tcp --syn -j syn-flood
echo "- SYN flooding protection : [OK]"
```
If you run a master/slave setup and want to open port 7779 so that the master server can reach the slave, add rules like the ones below. Restricting them to the peer's address with -s / -d keeps port 7779 closed to everyone else.
For the Kloxo master (replace SLAVE_IP with the slave's address):

```sh
iptables -t filter -A INPUT -p tcp -s SLAVE_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP --dport 7779 -j ACCEPT
```
For the Kloxo slave (replace MASTER_IP with the master's address):

```sh
iptables -t filter -A INPUT -p tcp -s MASTER_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP --dport 7779 -j ACCEPT
```
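The scripts above are easy to get subtly wrong: the syn-flood chain only does anything if INPUT actually jumps into it ahead of the service ACCEPT rules, and the port 7779 rules only stay private if they carry a source restriction. As an added example (not part of the original post and not Kloxo's own tooling), here is a POSIX sh audit that checks a saved ruleset, in the text format that `iptables-save` prints and that `service iptables save` writes to /etc/sysconfig/iptables, for the properties the rules above are meant to establish. RULESET holds a constructed sample dump; 203.0.113.10 is a documentation address standing in for SLAVE_IP, and all function names are this example's own.

```shell
#!/bin/sh
# Audit an iptables-save dump for the properties the Kloxo firewall script
# should establish. Works on text, so it needs neither root nor iptables.
# The sample below is constructed for this example, not captured from a host.
RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -p tcp -m tcp --dport 223 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 7779 -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN flood: "
-A syn-flood -j DROP
COMMIT'

policy_is_drop() {
    # $1 = built-in chain; true if the dump declares its default policy as DROP
    printf '%s\n' "$RULESET" | grep -q "^:$1 DROP "
}

chain_is_referenced() {
    # $1 = user chain; true if a rule in some other chain jumps to it
    printf '%s\n' "$RULESET" | grep -v "^-A $1 " | grep -q -- "-j $1\$"
}

syn_jump_precedes_accepts() {
    # true if the first jump into syn-flood on INPUT comes before the first
    # ACCEPT on INPUT; appended after the ACCEPTs it would never see service SYNs
    jump=$(printf '%s\n' "$RULESET" | grep -n '^-A INPUT ' | grep -- '-j syn-flood$' | head -n1 | cut -d: -f1)
    accept=$(printf '%s\n' "$RULESET" | grep -n '^-A INPUT ' | grep -- '-j ACCEPT$' | head -n1 | cut -d: -f1)
    [ -n "$jump" ] && [ -n "$accept" ] && [ "$jump" -lt "$accept" ]
}

port_is_accepted() {
    # $1 = TCP port; true if INPUT accepts it (used to confirm the SSH port is open)
    printf '%s\n' "$RULESET" | grep '^-A INPUT ' | grep -- "--dport $1 " | grep -q -- '-j ACCEPT$'
}

port_rule_has_source() {
    # $1 = TCP port; true if every INPUT rule for that port carries a -s restriction
    lines=$(printf '%s\n' "$RULESET" | grep '^-A INPUT ' | grep -- "--dport $1 ")
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" | grep -vq -- ' -s ' && return 1
    return 0
}

audit_ruleset() {
    # run every check, report each failure, return non-zero if any failed
    rc=0
    for c in INPUT FORWARD OUTPUT; do
        policy_is_drop "$c" || { echo "- policy of $c is not DROP"; rc=1; }
    done
    chain_is_referenced syn-flood || { echo "- syn-flood chain is never jumped to"; rc=1; }
    syn_jump_precedes_accepts || { echo "- syn-flood jump sits after the ACCEPT rules"; rc=1; }
    port_is_accepted 223 || { echo "- SSH port 223 is not accepted (lockout risk)"; rc=1; }
    port_rule_has_source 7779 || { echo "- Kloxo port 7779 is open to any source"; rc=1; }
    return $rc
}

if audit_ruleset; then
    echo "- Ruleset audit : [OK]"
else
    echo "- Ruleset audit : [FAILED]"
fi
```

On a real server, replace the sample with `RULESET=$(iptables-save)` (run as root) before calling audit_ruleset; the checks then run against the live ruleset rather than the constructed one.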
Thanks for reading and coming.