Empowering you with the knowledge to master Linux web hosting, DevOps and Cloud

 Linux Web Hosting, DevOps, and Cloud Solutions

Category: Plesk Page 2 of 3

Apache: Multiple SSL websites on a single IP address

Apache: Multiple SSL websites on a single IP address

Update: This is a new update from a cPanel Tech
“There is nothing to enable. As long as you are using cPanel & WHM version 11.38 on CentOS, RHEL, or CloudLinux version 6 or newer, SNI works out of the box”.

One of the frustrating limitations in supporting secure websites has been the inability to share IP addresses among SSL websites.
When website administrators and IT personnel are restricted to use a single SSL Certificate per socket (combination of IP Address and socket) it can cost a lot of money. Well we can actually share IP addresses for multiple secure websites. Solving this limitation required an extension to the Transport Layer Security (TLS) protocol that includes the addition of what hostname a client is connecting to when a handshake is initiated with a web server. The name of the extension is Server Name Indication (SNI). SNI is supported in Apache v2.2.12 , and OpenSSL v0.9.8j or later.

With SNI, you can have many virtual hosts sharing the same IP address and port, and each one can have its own unique certificate

Prerequisites to use SNI

Use OpenSSL 0.9.8f or later
Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default).
Apache must have been built with that OpenSSL (./configure –with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI.
Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You’ll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn’t finding the right openssl libraries at run-time.)

Setting up SNI with Apache

The configuration is pretty simple and straight forward, though I recommend making a backup of your existing httpd.conf file before proceeding.

# Ensure that Apache listens on port 443
Listen 443

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
DocumentRoot /www/example2
ServerName www.linuxwebhostingsupport.in

# Other directives here
SSLEngine On
SSLCertificateFile /path/to/linuxwebhostingsupport.in.crt
SSLCertificateKeyFile /path/to/linuxwebhostingsupport.in.key
SSLCertificateChainFile /path/to/CA.crt

DocumentRoot /www/example2
ServerName www.abdulwahabmp.co.in

# Other directives here
SSLEngine On
SSLCertificateFile /path/to/abdulwahabmp.co.in.crt
SSLCertificateKeyFile /path/to/abdulwahabmp.co.in.key
SSLCertificateChainFile /path/to/CA.crt

 

That it!!!. Just restart APache service. Now go and check your Websites using https. That should be working.

Plesk support SNI from 10.2.x version onwards.

SNI will work on following Operating systems out of box

OpenSuSE Linux 11.3 or later.
Ubuntu Linux 10.4 or later.
Debian Linux 6.0 or later.
RedHat Linux 6.0 or later.
CentOS Linux 60.0 or later

Supported Desktop Browsers
Internet Explorer 7 and later
Firefox 2 and later
Opera 8 with TLS 1.1 enabled
Google Chrome:
Supported on Windows XP on Chrome 6 and later
Supported on Vista and later by default
OS X 10.5.7 in Chrome Version 5.0.342.0 and later
Chromium 11.0.696.28 and later
Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
Note: No versions of Internet Explorer on Windows XP support SNI

 

Plesk to cPanel Manual migration

 

Migrating accounts manually is a surprisingly simple task. All that needs to be done are the following:

  1. Populate /etc/trueuserdomains on the source server
  2. Package an account of your choice into a single file
  3. Copy the packaged account to the cPanel server
  4. Restore the account on the cPanel server

 

Steps:-

1. On the source server (Plesk), download the script that builds the list of accounts at /etc/trueuserdomains:

# wget http://httpupdate.cpanel.net/cpanelsync/transfers_DEVEL/pkgacct/updateuserdomains-universal

and the script that packages the accounts:
#wget http://httpupdate.cpanel.net/cpanelsync/transfers_DEVEL/pkgacct/packages-pXa


2. Make them both of the scripts executable:
# chmod +x updateuserdomains-universal
# chmod +x pkgacct-*


3. Execute updateuserdomains-universal:
# ./updateuserdomains-universal
Now there should be a plain text file at /etc/trueuserdomains that contains a list of accounts that can be packaged.

4. To package an account, select a user from /etc/trueuserdomains (we'll use "alice" in the example below), and run the pkgacct script that we downloaded in the first step.
# ./pkgacct-pXa alice

his will package the entire account to a single file here:
/home/cpmove-alice.tar.gz

The amount of time that this process takes will depend on the size of the account. I would strongly advise running the "screen" command before packaging (and restoring) accounts. This will allow the package/restore processes to continue even if you get disconnected from the server.

Also, if the /home directory is too small, you can specify which partition to use like this:
# ./pkgacct-pXa alice /disk1
where "/disk1" is only an example, and likely does not exist on your server. If it did, and if you ran that command, then you would end up with a file here:

/disk1/cpmove-alice.tar.gz
5. Copy the archive to the new server by running this from the source server:
# scp /home/cpmove-alice.tar.gz root@x.x.x.x:/home

6. On the cPanel server, after running "screen" (if you choose to use screen), run these commands to restore the account:
# cd /home
# /scripts/restorepkg cpmove-alice.tar.gz
Leave a comment if you have any doubts
Thanks!

Server migration

On occasion, you may want to move from one server to another. For example, you may be upgrading to a dedicated server or moving to a server with a different PHP deployment method. Server migration is a process in which data is moved from one server to another. Whatever the case, most people will agree that it is never a joyous event to switch server. Your sites will be down/unstable/inaccessible during the migration period and it could potentially lead to loss of sales. In this article, we are going to show you how you can migrate your site to a new server effortlessly and without any (or minimal) downtime. Below are the basic steps needs to be followed for a server migration with minimum downtime.

1. Prepare Your DNS

When you move your site(s) to a new server, you will likely get new IP addresses. The problem is that DNS servers cache domain name queries for as long as possible to provide the fastest response. Because of these DNS caching, once you change your IP, it can take up to three days before the changes propagate throughout the Internet. To keep this from happening, your first step in preparing for the migration is to change your DNS record TTL (Time To Live). This value designates how long your DNS entries should be cached. So the first thing you need to do before migrating is to lower the TTL to reasonable levels.

2. Set up Your New Server

Make sure your new server has the correct operating system installed and ready and that all hardware meets your applications specifications. Also setup the new IP addresses.

3. Tune Your Server

Check your file system and make sure your partitions are set up as you need them. Set up RAID if required. This is also the perfect time to implement any security practices within the OS and firewall (if installed). It’s important to complete these steps before you get too far because they’re much easier to do without content on the server.

4. Install Base Applications

Once you have installed the OS and setup the file system, you are ready to install the base applications, like the Web server, e-mail server, database server, PHP, etc.. Also verify the services are running fine on thr new server.

5. Begin Data Migration

Once the base applications are installed, you are ready to do the initial migration of your application data. This includes the database data, your application code files, mail server account configuration, logs, file caches, etc..

6. Bring your new server to life.

Once the data is migrated the server is configured to work everything correctly, you should change your sites domain DNS records to point to the new server address.

 

Data Migration

If you are using any Control Panels like cPanel, Plesk, etc., it rather easy to move data/accounts between servers as each control panel will give you option to move accounts.

cPanel Server to cPanel server migration

To migrate from one cPanel server to another, please do this:

1. Log into WHM as root on the new cPanel server

2. Click “Copy multiple accounts/packages from another server”

3. Fill in the required information like source server details and click “Fetch Account List”

You will then be given the option to choose which accounts and packages to transfer.

cPanel also does support migraring accounts from different control panel other than cPanel itself.

 

Server without a control panel

Rsync is a simple and very powerfull tools which can be used to transfer files between servers efficently.

First copy all the configurations files for the services like Webserver, Email server, etc. Then transfer the account data from old server.

Rsync example:-

#rsync -avz -e ssh /home root@remoteserverip:/home

-v: verbose, will tell you what file its on, how many left to check, etc.
-a: archive, will set most of the preferable options.
–progress: gives you per-file data transfer rates, and spinning progress bars if you’re into that sort of thing.
-z, –compress compress file data during the transfer

System files:-

Please note that we do not need to copy the server related files. We can exclude from the rync list. The most important excludes are the ones that reference hardware and system files that keep track of the server’s status while it’s running. That’s why directories like /boot, /proc, and /dev are essential excludes. The destination server should already have those directories and config files in place and they shouldn’t be overwritten.

Example
#rsync -avz -e ssh –exclude-from=”/home/exclude.txt” /home root@remoteserverip:/home

Finalizing the migration

Doing one pass got the more static files over to the new server. That’s good, but that may not be everything you needed to copy. An active database or a directory where a lot of files get created and deleted may have been copied but changed already. Or, more practically, they may have been in your exclude file.

To get those last files you’ll want to bring the services that use them down. That way you know the entire file will be migrated with no changes made after your last sync.

Edit your exclude file to remove references to the busy files you were holding off on then run the rsync command again.

Upgrading OpenSSH on CentOS 5 server

Upgrading openssh

RHEL5 and CentOS 5 run an older version of ssh, which makes doing a chroot sftp or scp more difficult.

Pre-requisites:=

You need to have following packages and it’s dependencies installed:-

Yum install -y rpm-devel rpm-build pam pam-devel perl openssl-devel tcp-wrappers

Steps:-

It is not recommended to build RPM as root user.

1. Login to server using SSH as a normal user.
2. In your home directory create a file .rpmmacros and add following entires to ot.

%_topdir %(echo $HOME)/rpmbuild

3. Next step is creating the build environment. In your home directory, create following directories:-

$mkdir rpmbuild
$cd rpmbuild
$mkdir BUILD RPMS SOURCES SPECS SRPMS

4. Download the latest openssh from their site. http://filedump.se.rit.edu/pub/OpenBSD/OpenSSH/portable/
5. Once it is downloaded, copy the tarball to the rpmbuild/SOURCES directory that you made.
6. You will also need to extract the tarball and copy over the spec file.

$tar xvf openssh-.tar.gz
$cd openssh-
$cp contrib/redhat/openssh.spec $HOME/rpmbuild/SPECS
$cd ..
$cp openssh-.tar.gz rpmbuild/SOURCES

7. Edit the spec file(HOME/rpmbuild/SPECS/openssh.spec).

Also change

%define no_x11_askpass 0
from 0 to 1. We don’t need the X11 accessories for this.

Do the same with

%define no_gnome_askpass 0
for the same reason. Lastly, comment out the line

%define build6x 0
As we’re not building for RHEL6.

8. Build rpm. In $HOME/rpmbuild/SPECS run the following command:-

$rpmbuild -ba openssh.spec
The above command should build and create several rpms in $HOME/rpmbuild/RPMS/i386

9. In the i386 directory holding the rpms run,

$rpm -Uvh openssh*
It should update openssh, openssh-server, and openssh-clients.

10. It will also create a new file in /etc/ssh called sshd_config.rpmnew. Make sure you have a copy of your old sshd_config. The rest of this will be done as root or with root privilege.

#cd /etc/ssh
#cp sshd_config sshd_config.orig
#mv sshd_config.rpmnew sshd_config

11. Restart the SSH service.

#/etc/init.d/sshd restart or
#service sshd restart

Check the versions of the OpenSSH installed

#rpm -qa | grep openssh

Restrict access to website using IP address in IIS 7

We can restrict the access to a website using IP addresses or domain name in IIS 7 easily using the “IP and Domain Restrictions” module. Unlike IIS 6, this module is not enabled by default when you install Internet Information Services (IIS). we need to install it. But don’t worry, this can also be done easily through Server Manager.

You can follow the below step by step instruction:-

 

Enabling the “IP and Domain Restrictions” module

1. Open the Server Manager by selecting the path Start > Administrative Tools > Server Manager.

2. Click “Add Role Services” link to add the required Role. Check the “IP and Domain Restrictions” check box in “Select Role Services” screen and click “Next” to continue and complete the module installation. If the module is already installed, it will show as “installed”.

 

 

 

Configuring the “IP and Domain Restrictions” module

 

1. Start Internet Information Services (IIS) and open “IP and Domain Restrictions”.

 

Click to enlarge the image

Click to enlarge the image

2. Inside IPv4 Addresses and Domain Restrictions, select “Add Allow Entry” or “Add Deny Entry” to add Allow or Deny entries. You can specify IP address, an IP address range or a Domain Name.

Click to enlarge the image

Click to enlarge the image

 

 

3. For setting default policy, Click on “Edit feature settings” and select “Allow” or “Deny” as required.

 

 

Click to enlarge the image

Click to enlarge the image

Note:-

1. Please note that configuring Allow or Deny restrictions using Domain name require reverse DNS look up every time a request arrives the server. Performing reverse DNS lookups is a potentially expensive operation that can severely degrade the performance of your IIS server.
2. IP entries are applied instantly without the need for a restart of the site or iis. The entries are processed in order so if you place deny and allow entries in the wrong order then you may lock the incorrect people out of the website.

Distributed Denial of service(DDOS)

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users. The speciality of the DDOS is that, it relays attacks not from a single network/host like DOS. The DDOS attack will be launched from different dynamic networks which has already been compromised.

Types:-

Ping of death :-
Attacker deliverately sending a ping packet, normally 64 bytes, that is larger than the 65,535 bytes. Many computer systems cannot handle an IP packet larger than the maximum IP packet size of 65,535, and often causes computer systems crash. A ping packet of size greater than 65,535, can be sent if it is fragmented.When a receiving computer reassembles the packet, a buffer overflow occurs, which often causes computer to crash.

Ping of flood:-
An attacker overwhelming the victim’s network with ICMP Echo Request (ping) packets. A flood of ping traffic can consume singificant bandwidth on low to mid-speed networks bringing down a network to a crawl.

Smurf Attack:-
Smurf attack exploits the target by sending repeated ping request to broadcast address of the target network. The ping request packet often uses forged IP address (return address), which is the target site that is to receive the denial of service attack. The result will be lots of ping replies flooding back to the innocent, spoofed host. If number of hosts replying to the ping request is large enough, the network will no longer be able to receive real traffic.

SYN Floods :-
When establishing a session between TCP client and server, a hand-shaking message exchange occurs betwen a server and client. A session setup packet contains a SYN field that identifies the sequence in the message exchange. An attacker may send a flood of connection request and do not respond to the replies, which leaves the request packets in the buffer so that legitimate connection request can’t be accommodated.

Teardrop Attack :-
Teardrop attack exploits by sending IP fragment packets that are difficult to reassemble. A fragment packet identifies an offset that is used to assemble the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker’s IP puts a confusing offset value in the sebsequent fragments and if the receiving system doesn’t know how to handle such situation, it may cause the system to crash.

Prevetion:-

1. Install Intrusion Detection System (IDS)
2. Implement Sysctl. Prevent ping attacks (ping of death, ping of flood, and smurf attacks) by disabling ping responses on the network machines. Enable IP Spoofing protection, and TCP SYN Cookie Protection.
3. Install advanced firewall and DDoS utilities.
4. Install Apache mod_evasive and mod_security modules to protect against HTTP DDoS attacks.

Mod_security:-
Since DDOS normally targets HTTP. Its always good to have a filtering system for apache . So that the request gets analyzed before web server handles it.

Mod_evasive:-
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

1. Requesting the same page more than a few times per second
2. Making more than 50 concurrent requests on the same child per second
3. Making any requests while temporarily blacklisted (on a blocking list)

Note:-
1. Well there are no 100% prevention or protection against DDOS.
2. This steps won’t be enough if the DDOS attack is of very high volume.

How dns works

A DNS client “resolves” an IP address by sending a specially formatted request to a DNS server. The client has to know the address of one or more DNS servers in advance. The reply from the server may be a direct reply with the IP address associated with the hostname, a referral to another DNS server, or a response indicating the requested name can’t be found in DNS.

Typically, the request will ask the server to “recursive“, i.e. if it cannot answer the question from its own local memory, it should go ask other servers on behalf of the client. This behavior helps the local server build up its own cache of addresses frequently looked up.

Another form of query is called iterative query, where a client machine sends the request to a known DNS server , if that DNS server fail to resolve the domain name into a IP, then the client sends the request to another DNS and this process goes on and on until it get the required IP resolution by sending address resolution request to all its known DNS.If every known DNS fail to give the IP, then client goes to the root domain.

When you type a URL into your browser, it uses the following steps to locate the correct website:

A DNS client uses a resolver to request resolution of a host name to an IP address. The resolver is really just a special-purpose application that’s sole function is to act as an intermediary between name servers and various applications that need name resolution, such as Web browsers, e-mail applications, and so on. Here’s an example: Assume you fire up your browser and direct it to connect to www.mysite.com.

1. Your browser checks it’s cache (memory) to see if it knows which IP address the domain name resolves to. If it knows, it will resolve it and display the web page.
2. If the domain name is unable to be resolved, the browser will check your hosts file for a DNS entry.
3. If there’s no entry in the hosts file, the browser will check the default DNS server (specified via your computer’s network settings, /etc/resolv.conf). This is usually your ISP’s DNS server or your employer’s. If the default DNS server has an entry for that domain name, the browser will display the applicable website.
4. If the default name server has no cached results, it sends a DNS query to the root server for the .com domain.
5. The root server responds with the addresses of the name servers that are authoritative for the mysite.com domain.
6. Your ISP’s name server then builds another request for www.mysite.com and submits it to mysite.com’s name server, which responds with the IP address of www.mysite.com.
7. That information is passed back to your resolver, which passes it to your application.

Case insensitive url Aapche Webserver

How to enable Case-Insensitive url’s ?

Webserver: Apache

OS: Linux

One of our customer had opened ticket. He has a very interesting need. He wants his site urls  to be Case-insensitive . I will explain with examples:- He needs the following urls to work currently he is getting 404 errors for each request.

http://yourdomain.com/Yourpage.html

http://yourdomain.com/YourPage.html

We were unable to add rewrite rules in his htaccess files as we need to write rule for every single file that has a mixture of upper and lower case.

http://yourdomain.com/yourpage.html => This is the correct url

He needs this url http://yourdomain.com/Yourpage.html to load even if they have one spelling mistake or there is one capitalization error. This was found very strange. We have managed to fix the issue by adding an apache module server wide, which neutralise all the the upper case and lower case characters to a single format.

Solution: If you want requested URLs to be valid whether uppercase or lowercase letters are used and with one spelling mistake, “mod_speling” module needs to be enabled in apache.

The mod_speling module is part of the standard Apache distribution but is not enabled by default, so you need to explicitly enable it. When mod_speling is installed, it may be turned on for a particular scope (such as a directory, virtual host, or the entire server) by setting the CheckSpelling directive to On.

For making URL case-insensitive in cPanel:

First run belwow on Cpanel based server : /scripts/easyapache And select ‘Spelling’ from the available module list for apache. Once apache/php are recompiled with this option and easyapache finishes, you can put below code in the .htaccess or in the virtual host entry of the particular domain to apply it to any directory/directories :

< IfModule mod_speling.c > CheckCaseOnly On CheckSpelling On < / IfModule > This helped to fix this particular issue

Custom php.ini per domain in Plesk Windows server

There will always be the scenarios where we need to set some special php settings for a particular domain or for a particular directory. This can be easily done in a Linux server, but with Windows it is always issues. But we can done this windows servers also and tell you what i have verified this by myself.

Prerequisites:-

*Custom php,ini file only works with php handler as “cgi” and not with “fastcgi” nor with ISAPI extension. So you need to verify this before you proceed further.

Follow the below steps to set the correct php mode.

1. Log in to your Hosting Control Panel
2. Select your domain name
3. Under “Web Site” tab, click on “Web Hosting Settings”
4. Under “PHP Support”, select your desired “PHP Mode” settings(cgi mode)
5. Hit the “Ok” button to activate.

Assumptions:-

  • The default location of php.ini for PHP5 is the PleskPHP5 base directory %plesk_dir%AdditionalPleskPHP5 (Eg: c:Program FilesParallelsPleskAdditionalPleskPHP5). If you place an PHP info page, you can easily find out from where the current php settings is loaded.
  • The document root of the domain “maindomain.com” is “d:Inetpubvhostsmaindomain.comhttpdocs”. Please note that this may be different in your hosting environment.
  • The server I am working on is a x86 based server.
  • Plesk version is 10.3.1, but it should work with others also.

Turn off the register_globals

I will explain the procedures with an example to turn off the register globals . There are two ways to configure php values for a particular domain:-

1. By placing an customized php.ini page on the corresponding directory or in domain.
2. By creating a Windows registry value for the particular php settings.
Placing an customized php.ini page on the corresponding directory
You need to place the php.ini file in “maindomain.com/httpdocs” directory or if you want to apply the only to a addon domain or a directory, then use the directory “maindomain.com/httpdocs/addondomain.com”.

Follow the below steps:-

1. Copy the PHP version 5 (php.ini-recommended or php.ini) ini file from the PHP location %plesk_dir%\AdditionalPleskPHP5 to the location “maindomain.com/httpdocs”
2. Rename the copied file to the exact name as ‘php-cgi-fcgi.ini‘. This is the most important step and won’t work otherwise.
3. You can make the changes needed to the above ini file, say set the “register_globals = Off”.
3. Create a php info page the corresponding directory and verify it is loading the correct “php.ini” (check the loaded configuration file section). Also verify whether the value you have changed is now updated under the ‘PHP info’ page.

This should do the work. If this method doesn’t work for you, here is the second method.

Creating a Windows registry value

Even though this is a simple procedure, i do not recommend anyone to edit the Windows Registry because if you screw up anything with Registry, you will also screwed up 🙂

When running PHP on Windows, the configuration values can be modified on a per-directory basis using the Windows registry. The configuration values are stored in the registry key HKLMSOFTWAREPHP5Per Directory Values, in the sub-keys corresponding to the path names. For example, configuration values for the directory c:inetpubwwwroot would be stored in the key HKLMSOFTWAREPHP5Per Directory Valuescinetpubwwwroot. The settings for the directory would be active for any script running from this directory or any subdirectory of it. The values under the key should have the name of the PHP configuration directive and the string value.

Simply, you can only add individual php configuration value inside of php.ini through the registry, which means that you have to set up keys to the file path ( where the client’s hosting folder located ) and then add a string value, string name will be the php.ini configuration name and value will be how you want it to be. So for setting register_globals to off for the maindomain.com, you have to setup keys to the path “HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > PHP > Per Directory Values > C > Inetpub > vhosts > maindomain.com > httpdocs” and then add a string value, string name will be “register_globals” and value will be 0 to put register_globals= off.
Note:

For 32 bit Windows registry path is ,  HKLMSOFTWAREPHP5Per Directory Values
For x64 based Windows registry path is,  HKEY_LOCAL_MACHINESOFTWAREWow6432NodePHP5Per Directory Values

Reference:-

http://forum.parallels.com

http://www.php.net

IPTABLES complete cheatlist

Please note that the iptables rules are stored in the /etc/sysconfig/iptables file. If you view this file, you’ll see all the default rules.

1. Delete Existing Rules

Before you start building new set of rules, you might want to clean-up all the default rules, and existing rules. Use the iptables flush command as shown below to do this.

iptables -F
(or)
iptables –flush
service iptables save

2. Set Default Chain Policies

The default chain policy is ACCEPT. Change this to DROP for all INPUT, FORWARD, and OUTPUT chains as shown below.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

When you make both INPUT, and OUTPUT chain’s default policy as DROP, for every firewall rule requirement you have, you should define two rules. i.e one for incoming andone for outgoing.
Change default policy for INPUT/OUTPUT/FORWARD to ACCEPT. All inbound connections will be allowed

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

3.Block an IP for inbound connection

iptables -A INPUT -s 192.168.1.5 -j DROP
iptables -A INPUT -i eth0 -p tcp -s “$BLOCK_THIS_IP” -j DROP
4.Allow an IP for inbound connection

iptables -A INPUT -s 192.168.1.5 -j ACCEPT

5.Block outbound IP address

iptables -A OUTPUT -d <IP> -j DROP

6.Block outbound PORT

iptables -A OUTPUT -p tcp –dport <PORT> -j DROP

7.Block outbound IP:PORT

iptables -A OUTPUT -p tcp -d <IP> –dport <PORT> -j DROP

8.Allow port 2222 for inbound tcp connections

iptables -A INPUT -p tcp –dport 2222 -j ACCEPT

9.White list an IP

iptables -A INPUT -i eth0 -s <IP> -j ACCEPT

10.Open port 5666

iptables -I INPUT -p tcp -m tcp –dport 5666 -j ACCEPT
11.Allow ALL Incoming SSH

The following rules allow ALL incoming ssh connections on eth0 interface.

iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT

12.Allow Incoming SSH only from a Sepcific Network

The following rules allow incoming ssh connections only from 192.168.100.X network.

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT

In the above example, instead of /24, you can also use the full subnet mask. i.e “192.168.100.0/255.255.255.0″.

13. Allow Incoming HTTP and HTTPS

The following rules allow all incoming web traffic. i.e HTTP traffic to port 80.

iptables -A INPUT -i eth0 -p tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp –sport 80 -m state –state ESTABLISHED -j ACCEPT

The following rules allow all incoming secure web traffic. i.e HTTPS traffic to port 443.

iptables -A INPUT -i eth0 -p tcp –dport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp –sport 443 -m state –state ESTABLISHED -j ACCEPT

14.Combine Multiple Rules Together using MultiPorts

When you are allowing incoming connections from outside world to multiple ports, instead of writing individual rules for each and every port, you can combine them together using the multiport extension as shown below.

The following example allows all incoming SSH, HTTP and HTTPS traffic.

iptables -A INPUT -i eth0 -p tcp -m multiport –dports 22,80,443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport –sports 22,80,443 -m state –state ESTABLISHED -j ACCEPT

15.Allow Outgoing SSH

The following rules allow outgoing ssh connection. i.e When you ssh from inside to an outside server.

iptables -A OUTPUT -o eth0 -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT

Please note that this is slightly different than the incoming rule. i.e We allow both the NEW and ESTABLISHED state on the OUTPUT chain, and only ESTABLISHED state on  the INPUT chain. For the incoming rule, it is vice versa.

16.Allow Outgoing SSH only to a Specific Network

The following rules allow outgoing ssh connection only to a specific network. i.e You an ssh only to 192.168.100.0/24 network from the inside.

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT

17.Allow Ping from Outside to Inside

The following rules allow outside users to be able to ping your servers.
iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT
19.Allow Loopback Access

You should allow full loopback access on your servers. i.e access using 127.0.0.1

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

20. Allow MySQL connection only from a specific network

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 –dport 3306 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp –sport 3306 -m state –state ESTABLISHED -j ACCEPT

21.Prevent DoS Attack

The following iptables rule will help you prevent the Denial of Service (DoS) attack on your webserver.

iptables -A INPUT -p tcp –dport 80 -m limit –limit 25/minute –limit-burst 1000 -j ACCEPT
In the above example:
-m limit: This uses the limit iptables extension

–limit 25/minute: This limits only maximum of 25 connection per minute. Change this value based on your specific requirement
–limit-burst 1000: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.

22.Port forwarding using IPTables

Forward port 80 from IP address to another IP

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to <DESTIP>:80
iptables -t nat -A POSTROUTING -p tcp –dst <DESTIP> –dport 80 -j SNAT –to <SRCIP>
iptables -t nat -A OUTPUT –dst <SRC> -p tcp –dport 80 -j DNAT –to <DESTIP>:80

Removing the above rules
iptables -t nat -D PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to <DESTIP>:80
iptables -t nat -D POSTROUTING -p tcp –dst <DESTIP> –dport 80 -j SNAT –to <SRCIP>
iptables -t nat -d OUTPUT –dst <SRC> -p tcp –dport 80 -j DNAT –to <DESTIP>:80

23.List all the rules in the iptables

iptables  -L

24.Check an IP in the rule

iptables -nL | grep <IP>

25.Save the current iptables rules

iptables-save >  File_name

26.Restore iptable rules from the file

iptables-restore <  File_name

Page 2 of 3

Powered by WordPress & Theme by Anders Norén