Now using iptables as a firewall on the server. This server needs to allow the following services:
ssh – from anywhere
smtp/submission – from anywhere
http/https – from anywhere
imaps/pop3s – from anywhere
nfs – from our subnet only
mysql (though this will soon be turned off) – from localhost only
The one problem is that several of the NFS helper daemons (mountd, statd, rquotad and lockd) normally get their port numbers assigned dynamically at startup, so there is no fixed port to open in the firewall. I needed to pin each of them to a specific port and then allow those ports through the firewall.
Edit /etc/sysconfig/nfs
MOUNTD_PORT="10004"
RQUOTAD_PORT="10005"
STATD_OUTGOING_PORT="10003"
STATD_PORT="10002"
Edit /etc/modprobe.conf and add this line
# Set lockd to a port for iptables
options lockd nlm_tcpport=10000 nlm_udpport=10001
Create /etc/sysconfig/iptables with the following:
# 29 May 2007 by MH
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120351:14706650]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
# IPsec ESP and AH (Red Hat default rules)
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
# Accept packets belonging to connections that were already allowed
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ssh logins from anyplace
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Allow secure imap from anyplace
-A RH-Firewall-1-INPUT -p tcp --dport 993 -j ACCEPT
# Allow secure pop from anyplace
-A RH-Firewall-1-INPUT -p tcp --dport 995 -j ACCEPT
# Allow smtp and submission from anyplace
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 587 -j ACCEPT
# Allow http and https from anyplace, https is for webmail
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT
# Allow portmap (111), rquotad (10005), mountd (10004), statd (10002 & 10003), nfsd (2049) and
# lockd (10000 & 10001) from our subnet (for nfs)
# rquotad, mountd and statd ports are set in /etc/sysconfig/nfs
# lockd ports are set in /etc/modprobe.conf
-A RH-Firewall-1-INPUT -s 10.135.102.0/255.255.255.0 -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.135.102.0/255.255.255.0 -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.135.102.0/255.255.255.0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.135.102.0/255.255.255.0 -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.135.102.0/255.255.255.0 -p tcp -m tcp --dport 10000:10005 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.135.102.0/255.255.255.0 -p udp -m udp --dport 10000:10005 -j ACCEPT
# Allow localhost to use unsecured imap on 143 (this is for squirrelmail)
-A RH-Firewall-1-INPUT -s 127.0.0.1 -p tcp --dport 143 -j ACCEPT
# Allow localhost to use mysql (3306)
-A RH-Firewall-1-INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -p udp --dport 3306 -j ACCEPT
# Everything not matched above is rejected
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Then I reboot the machine to have the settings take effect.
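As an added check after the reboot (not from the original post; the rpcinfo output below is constructed), this POSIX sh function compares the output of rpcinfo -p against the pinned ports above and reports any NFS helper that kept a dynamically assigned port, since such a daemon falls silently outside the 10000:10005 subnet rules.

```shell
# Pinned ports from /etc/sysconfig/nfs and /etc/modprobe.conf: "service proto port" as
# rpcinfo -p names them (statd appears as "status", lockd as "nlockmgr").
EXPECTED="mountd tcp 10004
mountd udp 10004
status tcp 10002
status udp 10002
rquotad udp 10005
nlockmgr tcp 10000
nlockmgr udp 10001"

# check_rpc_ports "$(rpcinfo -p)": print one line per helper that is missing or on a
# port other than its pin; return 0 only if every pin holds.
check_rpc_ports() {
    rpc="$1"
    rc=0
    while read -r svc proto port; do
        # rpcinfo -p columns: program vers proto port service; several versions may share a port
        actual=$(printf '%s\n' "$rpc" | awk -v s="$svc" -v p="$proto" '$3 == p && $5 == s { print $4 }' | sort -u)
        if [ -z "$actual" ]; then
            echo "MISSING:  $svc/$proto is not registered with portmap"
            rc=1
        elif [ "$actual" != "$port" ]; then
            echo "MISMATCH: $svc/$proto is on port(s) $(printf '%s ' $actual)but pinned to $port"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed rpcinfo -p output for a host where every helper took its pinned port.
GOOD_RPCINFO="   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    1   udp  10004  mountd
    100005    3   tcp  10004  mountd
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100021    1   udp  10001  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100003    3   tcp   2049  nfs"

# Constructed failure case: statd ignored the pin and took a dynamic port, rquotad never started.
BAD_RPCINFO=$(printf '%s\n' "$GOOD_RPCINFO" | sed -e 's/10002  status/32768  status/' -e '/rquotad/d')

check_rpc_ports "$GOOD_RPCINFO" && echo "OK: all NFS helpers are on their pinned ports"
check_rpc_ports "$BAD_RPCINFO" || echo "FAIL: fix the pins before trusting the 10000:10005 rules"
```

On the real server replace the constructed samples with check_rpc_ports "$(rpcinfo -p)".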