Iptables firewall & Debian Aptitude on Memset miniserver

Posted by robbiebow on 3 November, 2009 under geek

By trial and error, I found that you need outgoing port 3128 open to make Debian’s aptitude happy on a Memset hosted “miniserver” virtual machine. You also need to accept passive FTP transfers for apt to work well (at least on the Memset machine this blog is hosted on). Here’s an example of the iptables settings I use; it is geared towards a typical web server setup.

To apply these settings, I follow this routine (as a superuser):

1. Upload this emergency get-out-of-jail iptables config to the server

2. Set up a cronjob to apply that config every 15 minutes

$ crontab -e
*/15 * * * * iptables-restore < /path/to/firewall.open.txt

3. Upload the example iptables settings to the server

4. Apply that config to iptables:

iptables-restore < /path/to/firewall.memset.txt

5. Test that one can reach the web site, connect via SSH and ping the server, but cannot FTP in or connect to mail ports

6. Once happy, disable the cronjob created in step 2 above, and check the firewall is up with

iptables -L

Et voilà! The server should now be pretty well locked down, whilst still allowing apt to connect to repositories, the web server to serve up web pages, users to connect via SSH, and the server to respond to ping requests.
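The two config files referred to in steps 1 to 4 are not reproduced in the post, so here is an added example (my own, not the author's files) of what a pair of iptables-restore rulesets implementing the routine above can look like: an "open" ruleset for the get-out-of-jail cron job, and a locked-down web server ruleset that accepts inbound HTTP, HTTPS, SSH and ping, and allows outbound DNS, HTTP/HTTPS, the port 3128 that apt needs on the Memset box, and FTP. The port numbers and the file names `firewall.open.txt` / `firewall.memset.txt` are assumptions; the SSH port defaults to 22 and can be overridden with the first argument.

```shell
#!/bin/sh
# Generates the two iptables-restore files used by the apply routine above.
# Added example: assumed layout, not the post's own config files.

# Emergency "open" ruleset: accept everything.  The cron job in step 2
# restores this every 15 minutes so a typo in the locked-down file cannot
# lock you out of the box for longer than that.
gen_open_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Locked-down web server ruleset.  Default policy is DROP in every chain;
# only the listed services are opened.  $1 optionally overrides the SSH port.
gen_locked_ruleset() {
ssh_port="${1:-22}"
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always fine
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we started, plus RELATED ones: with the
# nf_conntrack_ftp helper loaded this is what lets passive FTP data
# connections through without opening a range of high ports
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound services: web and SSH only (no inbound FTP or mail)
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# answer pings
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# outbound: DNS, HTTP/HTTPS for apt mirrors, port 3128 (needed on Memset),
# FTP control channel, and ICMP so traceroute/ping from the box still work
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Write both files into the directory given as $1 (assumed file names).
write_rulesets() {
gen_open_ruleset   > "$1/firewall.open.txt"
gen_locked_ruleset "${2:-22}" > "$1/firewall.memset.txt"
}

# Usage on the server, following the post's routine:
#   write_rulesets /path/to
#   crontab -e   ->  */15 * * * * iptables-restore < /path/to/firewall.open.txt
#   modprobe nf_conntrack_ftp        # so passive FTP data counts as RELATED
#   iptables-restore < /path/to/firewall.memset.txt
#   ... test web, SSH and ping, then remove the cron line and run iptables -L
```

Two things worth checking before step 6: `iptables-restore` replaces the whole filter table atomically, so the cron fail-safe really does undo a bad ruleset in one go, and `-L` on its own hides port numbers and interfaces, so `iptables -L -n -v` gives a clearer picture of what is actually loaded. On older kernels the FTP helper module is called `ip_conntrack_ftp` rather than `nf_conntrack_ftp`.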