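### Recommended iptables rule set for IceWarp(R) Server
#
# Format: iptables-restore (load with `iptables-restore < this-file`).
# Scope: IPv4 only (*filter table). If the host has an IPv6 address, an
# equivalent ip6tables rule set is required, otherwise every service below
# is reachable over IPv6 without any filtering.
# Policy: INPUT and FORWARD default to DROP, so anything not explicitly
# accepted below is dropped; OUTPUT is unrestricted.
#
*filter
#
### DEFAULT POLICY
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#
### BLOCK COMMON ATTACKS
### Reject packets claiming a loopback destination that did not arrive on lo
### (spoofed 127/8 traffic from the network)
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
#
### Drop packets connection tracking cannot classify (malformed headers,
### out-of-window segments, replies without a tracked connection). This also
### covers ICMP that is not a reply to our own traffic and is not a request.
-A INPUT -m state --state INVALID -j DROP
#
### Force SYN packets check: a NEW TCP connection must begin with SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
### Force Fragments packets check: drop non-first fragments outright
-A INPUT -f -j DROP
#
### Drop XMAS packets (all TCP flags set) and NULL packets (no flags set);
### neither occurs in legitimate traffic, both are classic scanner probes
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#
### ALLOW PORTS AND SERVICES
### Allow loopback interface
-A INPUT -i lo -j ACCEPT
#
### Allow replies to connections initiated from this host (and related
### traffic such as ICMP errors for them). Placed before the per-service
### rules so established flows are accepted on the second rule instead of
### walking the whole port list; the set of accepted packets is unchanged.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
### Allow ping and other ICMP requests:
### 8-Echo Request
### 0-Echo reply
### 3-Destination Unreachable
### 11-Time Exceeded
### Types 0, 3 and 11 for our own traffic are already accepted by the
### RELATED,ESTABLISHED rule above; these rules keep them reachable even
### when the originating connection is no longer tracked.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
#
### Allow TCP ports
### For SSH and MySQL it is strongly recommended to define the source IPs
### that may connect, e.g. (MySQL default port is 3306):
#-A INPUT -s 10.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#-A INPUT -s 10.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
#
### SSH Service
### NOTE: this rule exposes SSH to every source address. Prefer the
### source-restricted form shown above and remove this unrestricted rule
### once the management networks are known.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
#
### HTTP - IceWarp Control Service
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
#
### HTTPS - IceWarp Control Service
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
#
### SMTP - IceWarp SMTP Service
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
#
### IMAP SSL - IceWarp POP3 Service
-A INPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
#
### POP3 SSL - IceWarp POP3 Service
-A INPUT -p tcp -m tcp --dport 995 -m state --state NEW -j ACCEPT
#
### SMTP SSL - IceWarp SMTP Service
-A INPUT -p tcp -m tcp --dport 465 -m state --state NEW -j ACCEPT
#
### POP3 - IceWarp POP3 Service (cleartext; credentials are protected only
### if the server requires STARTTLS on this port)
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
#
### IMAP - IceWarp POP3 Service (cleartext; same STARTTLS caveat as POP3)
-A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
#
### SOCKS - IceWarp Control Service
### NOTE: a proxy port reachable from the Internet is a frequent abuse
### target. Keep this rule only if the SOCKS service is actually used, and
### restrict it with -s <client-network> where possible.
-A INPUT -p tcp -m tcp --dport 1080 -m state --state NEW -j ACCEPT
#
### XMPP client-to-server - IceWarp IM Service
-A INPUT -p tcp -m tcp --dport 5222 -m state --state NEW -j ACCEPT
#
### XMPP client-to-server SSL - IceWarp IM Service
-A INPUT -p tcp -m tcp --dport 5223 -m state --state NEW -j ACCEPT
#
### SIP - IceWarp IM Service
-A INPUT -p tcp -m tcp --dport 5060 -m state --state NEW -j ACCEPT
#
### SIP SSL (TLS) - IceWarp IM Service
-A INPUT -p tcp -m tcp --dport 5061 -m state --state NEW -j ACCEPT
#
### XMPP server-to-server (federation) - IceWarp IM Service
-A INPUT -p tcp -m tcp --dport 5269 -m state --state NEW -j ACCEPT
#
### OutlookSync Autoresponder - This port needs to be opened
### only if you are using OutlookSync Autoresponder
#-A INPUT -p tcp -m tcp --dport 5229 -m state --state NEW -j ACCEPT
#
### Allow UDP ports
#
### Minger - IceWarp Control Service
### NOTE: Minger answers address-verification queries; if only known peer
### servers query it, restrict this rule with -s to those peers.
-A INPUT -p udp -m udp --dport 4096 -m state --state NEW -j ACCEPT
#
### SIP - IceWarp IM Service
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -j ACCEPT
#
### SIP media (RTP) port range - IceWarp IM Service
-A INPUT -p udp -m udp --dport 10000:10255 -m state --state NEW -j ACCEPT
#
### OPTIONAL SERVICES
### These TCP ports are disabled by default. They can be opened if necessary.
#
### FTP Service
#-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
#
### FTPS Service
#-A INPUT -p tcp -m tcp --dport 990 -m state --state NEW -j ACCEPT
#
### FTP passive data port range - open only if port 21 is opened.
### (Alternatively load the nf_conntrack_ftp helper so passive data
### connections match RELATED and this static range is not needed.)
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 4048:5191 -j ACCEPT
#
### Razor2 - spam detection and filtering
#-A INPUT -p tcp -m tcp --dport 2703 -m state --state NEW -j ACCEPT
#
### SMTP e-mail message submission port, IceWarp SMTP service
#-A INPUT -p tcp -m tcp --dport 587 -m state --state NEW -j ACCEPT
#
### Minger SSL, IceWarp Control Service
#-A INPUT -p tcp -m tcp --dport 4070 -m state --state NEW -j ACCEPT
#
### Lightweight Directory Access Protocol (LDAP) - cleartext; prefer LDAPS
### or restrict with -s to the hosts that must bind to it
#-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW -j ACCEPT
#
### Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
#-A INPUT -p tcp -m tcp --dport 636 -m state --state NEW -j ACCEPT
#
### Alternate HTTP IceWarp Control Service
#-A INPUT -p tcp -m tcp --dport 32000 -m state --state NEW -j ACCEPT
#
### Alternate HTTPS IceWarp Control Service
#-A INPUT -p tcp -m tcp --dport 32001 -m state --state NEW -j ACCEPT
#
### LOGGING SERVICE
### Rate-limited log of everything that reaches the final reject below.
### Must stay immediately before the REJECT rules to see the right packets.
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#
### Reject all other inbound - default deny unless explicitly allowed policy.
### REJECT (rather than the DROP policy) gives clients an immediate error;
### it also tells a scanner the host is up. Use -j DROP here if that matters.
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT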