Hi there,
I want to secure my VPS with iptables and I have an issue applying the firewall rules. Before that I wanted to be sure about the open ports on Kloxo MR, so I installed nmap and with the command # nmap localhost, I get the list below:
--------------------
Starting Nmap 5.51 ( http://nmap.org ) at 2015-03-05 10:20 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 988 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
--------------------
To create all my firewall rules, I created an executable file /etc/sysconfig/iptables with the content below:
--------------------
#!/bin/sh
# Flush the current rules and delete user-defined chains
iptables -t filter -F
iptables -t filter -X
echo "Clear rules : OK"
# Drop all incoming, forwarded and outgoing connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "Block all connections : OK"
# SYN-Flood Protection
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
# Send incoming SYN packets through the chain (without this jump the chain is never used)
iptables -A INPUT -p tcp --syn -j syn-flood
echo "SYN-Flood Protection : OK"
# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Established connections : OK"
# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "Loopback : OK"
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH In/Out (sshd listens on 6490 here)
iptables -t filter -A INPUT -p tcp --dport 6490 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6490 -j ACCEPT
echo "SSH : OK"
# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo "DNS : OK"
# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "NTP : OK"
# HTTP + HTTPS Out/In
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo "HTTP/HTTPS : OK"
# FTP Out/In (30000:50000 is the passive-mode data port range)
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
echo "FTP : OK"
# Mail SMTP/SMTPS
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
echo "SMTP/SMTPS : OK"
# Mail Submission
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
echo "Submission : OK"
# Mail POP3/POP3S
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
echo "POP3/POP3S : OK"
# Mail IMAP/IMAPS
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
echo "IMAP/IMAPS : OK"
# MySQL
iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
echo "MySQL : OK"
# Kloxo
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
echo "Kloxo : OK"
--------------------
The problem is that when I want to apply my rules with the command # /etc/init.d/iptables start, I get the error below:
iptables: Applying firewall rules: iptables-restore: line 4 failed [FAILED]
I've tried to resolve it by myself but no way. I'd appreciate any help, thanks.
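For reference, the same rule set expressed in the iptables-save format that /etc/sysconfig/iptables is read in (the CentOS init script hands that file to iptables-restore, not to a shell, which is why a shell script placed there fails on the first non-comment line). This is an added example, not the poster's file or anything shipped with Kloxo MR; it assumes the syn-flood chain was meant to be reached from INPUT and that 456 in the posted script was a typo for 465 (SMTPS).

```shell
#!/bin/sh
# Emits the posted rule set in iptables-save format, the format that
# /etc/sysconfig/iptables is parsed in (the init script hands the file to
# iptables-restore, not to a shell), and optionally writes it to a file.
# Assumptions: the syn-flood chain is meant to see incoming SYNs (the posted
# script never jumps to it) and 456 was a typo for 465 (SMTPS).

# TCP ports the post accepts in both directions (ranges are allowed here).
TCP_PORTS="20:21 25 53 80 110 143 443 465 587 993 995 3306 6490 7777:7778 30000:50000"

ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --syn -j syn-flood
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
EOF
  for p in $TCP_PORTS; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    printf '%s\n' "-A OUTPUT -p tcp --dport $p -j ACCEPT"
  done
  echo COMMIT
}

# Write the rule set to the given path, readable by root only.
write_ruleset() {
  ( umask 077; ruleset > "$1" )
}

# Usage: sh gen-iptables.sh /etc/sysconfig/iptables && service iptables restart
if [ "$#" -ge 1 ]; then
  write_ruleset "$1"
fi
```

After the restart, iptables -L -n -v shows the counters on each rule, which is a quick way to confirm that traffic is actually hitting the expected ACCEPT lines and the syn-flood chain.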