I have to set up iptables - I have to admit server administration isn't my strongest suit.
Here we go:
My current iptables setup is pretty well open.
I have (through reading) made fwrules.sh, which is what I would like (I think):
# cat fwrules.sh
#!/bin/sh
# Allow outgoing traffic and disallow any passthroughs
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow traffic already established to continue
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh, dns, ftp and web services (including cPanel)
iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport domain -i eth0 -j ACCEPT
#iptables -A INPUT -p tcp --dport ldap -i eth0 -j ACCEPT
#iptables -A INPUT -p udp --dport ldap -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 2082 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 2086 -i eth0 -j ACCEPT
# Allow local loopback services
iptables -A INPUT -i lo -j ACCEPT
# Allow pings
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
And lastly, I have a flush command (in case I get locked out - to be run via cron 5 minutes after):
#!/bin/sh
# Flushing alone keeps the INPUT policy at DROP, so reset it too or the lockout persists
iptables -P INPUT ACCEPT
iptables --flush
Now I have the following questions:
- Do these firewall rules seem OK? I will be changing the SSHD port, so I am assuming
iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
becomes (assuming I make it 1234):
iptables -A INPUT -p tcp --dport 1234 -i eth0 -j ACCEPT
Also, I have 3 IP addresses set up (it's a virtualized box) - network: venet0:0, venet0:1, and venet0:2.
I only wish to allow SSH connections through venet0:0 (I have reserved this IP address not to be used with any public/web services).
I also want to restrict the cPanel ports, 2082 and 2086, to only be allowed through that IP.
Any help is appreciated.
Thanks.
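As an added example (not the poster's script), one way to express the SSH and cPanel restriction from the last three points, together with the lockout safety net: it assumes venet0 is the base interface (venet0:0 is an alias, which iptables -i does not match, so the reserved address is matched with -d instead), uses 203.0.113.10 as a placeholder for the venet0:0 address, and takes the SSH port 1234 from the post; the other services in the original script are left out for brevity.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the INPUT rules with SSH
# and cPanel reachable only on the reserved address; prints them by default,
# applies them with --apply. 203.0.113.10 is a PLACEHOLDER for the venet0:0 IP.
IFACE="${IFACE:-venet0}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # placeholder: the address on venet0:0
SSH_PORT="${SSH_PORT:-1234}"

# Print one iptables command per line for the given interface/address/port.
gen_rules() {
  iface="$1"; admin_ip="$2"; ssh_port="$3"
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# admin-only services: accepted only when addressed to the reserved IP
iptables -A INPUT -i $iface -d $admin_ip -p tcp --dport $ssh_port -j ACCEPT
iptables -A INPUT -i $iface -d $admin_ip -p tcp --dport 2082 -j ACCEPT
iptables -A INPUT -i $iface -d $admin_ip -p tcp --dport 2086 -j ACCEPT
# public services: accepted on every address of the box
iptables -A INPUT -i $iface -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 443 -j ACCEPT
EOF
}

# Safety net for remote work: queue a flush before applying, then remove the
# job with atrm once the new rules are verified. Resetting the policy matters
# because "iptables -F" alone leaves "-P INPUT DROP" in force. Needs the at(1) tool.
schedule_flush() {
  echo "iptables -P INPUT ACCEPT; iptables -F" | at now + 5 minutes
}

if [ "$1" = "--apply" ]; then
  schedule_flush
  gen_rules "$IFACE" "$ADMIN_IP" "$SSH_PORT" | sh -e
else
  gen_rules "$IFACE" "$ADMIN_IP" "$SSH_PORT"   # dry run: only print the rules
fi
```

Run it without arguments first and read the printed rules; the venet0:1 and venet0:2 addresses never match the SSH or cPanel lines, so those ports stay closed there while 80 and 443 remain open everywhere.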