Sample Header Ad - 728x90

Using IPTables to Block Ports to Class A Subnets While Allowing Web Ports (80/443)

1 vote
2 answers
2305 views
iptables firewall hardening
This is about a cPanel server which, like most servers, is under constant attack from lands afar. Considering that I only host to clients in the US and Canada, there is less of a reason to allow full access to Asia and South America, among other areas. Too many firewall rules can increase latency, or worse, crash your firewall. Still, due to the large amount of attacks every day, I've configured CSF to manage at most 7000 rules. Some days are lighter than others, but on the 1st, 671 IPs were blocked trying to access SMTP (669) and cPanel (2). To try and get this under better control, I thought about only allowing web access to everyone, and blocking specific large blocks from accessing FTP or SMTP. So, here is what I've placed in the CSF pre-rules [/usr/local/csf/bin/csfpre.sh]. iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 21:25 -s 1.0.0.0/8 -j DROP iptables -A INPUT -p tcp --dport 21:25 -s 2.0.0.0/8 -j DROP iptables -A INPUT -p tcp --dport 21:25 -s 112.0.0.0/8 -j DROP iptables -A INPUT -p tcp --dport 21:25 -s 113.0.0.0/8 -j DROP iptables -A INPUT -p tcp --dport 21:25 -s 117.0.0.0/8 -j DROP iptables -A INPUT -p tcp --dport 21:25 -s 190.0.0.0/8 -j DROP Now, I'm not entirely confident in my iptables skills, so I'd like opinions regarding this and certainly feedback if this is doing something bad. I do realize that this would block a massive amount of potential good email and any web developers in those areas hired to work on sites hosted on the server. My thought is that it is far far less probable that any valid email will be coming from these IP ranges. Also, I chose blocks based on my counts of attacks. Rather than load up the 6000-7000 actual IP blocks for Russia, for instance, I can reduce the firewall rules dramatically and keep it simple by only focusing on wholesale blocking entire Class A blocks. I used this site to examine exactly which countries would be blocked: tcpiputils.com
Asked by Exit (111 rep)
Jul 24, 2015, 09:34 PM
Last activity: Apr 11, 2025, 05:57 PM
Sidebar Ad - 300x250
Related Questions

Browse more questions from Unix & Linux Stack Exchange

More questions tagged "iptables"
More questions tagged "firewall"
More questions tagged "hardening"
Footer Ad - 728x90