kb: 2011

Friday, November 11, 2011

Configuración sitio alta disponibilidad django

Instalación Java

sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner"

sudo apt-get update

sudo apt-get install sun-java6-jre

sudo update-alternatives --config java

Instalación Python, Git, y Librerías necesarias

sudo apt-get install python-dev python-setuptools libmysqlclient-dev git-core mercurial libxml2-dev libxslt1-dev libjpeg-dev libfreetype6-dev liblcms1-dev python-tk gettext

Crear copia del repositorio

su - web

cd /export/web/

mkdir domain.com

copiar archivos al directorio

Preparación ambiente virtual del sitio

su - web

cd /export/web/domain.com

virtualenv domain_env --no-site-packages

source domain_env/bin/activate

pip install -r /domain/requirements.txt

Archivo configuración django_wsgi.py

Creamos el siguiente archivo.

sudo vim /export/web/domain.com/django_wsgi.py

Y colocamos las siguientes lineas.

import os

os.environ['DJANGO_SETTINGS_MODULE'] = 'site.settings'

import django.core.handlers.wsgi

application = django.core.handlers.wsgi.WSGIHandler()

Ahora se crea el archivo django.wsgi

sudo vim /export/web/domain.com/domain/django.wsgi

Colocamos las siguientes lineas

# coding: utf-8

SITE_DIRS = ['/export/web/domain.com/domain_env/lib/python2.6/site-packages']

import sys

import site

import os

# Remember original sys.path.

prev_sys_path = list(sys.path)

# Add each new site-packages directory.

for directory in SITE_DIRS:

site.addsitedir(directory)

# Reorder sys.path so new directories at the front.

new_sys_path = []

for item in list(sys.path):

if item not in prev_sys_path:

new_sys_path.append(item)

sys.path.remove(item)

new_sys_path.append('/export/web/domain.com')

new_sys_path.append('/export/web/domain.com/domain')

sys.path[:0] = new_sys_path

import django.core.handlers.wsgi

os.environ['DJANGO_SETTINGS_MODULE'] = 'settings'

os.environ['PYTHON_EGG_CACHE'] = '/tmp'

application = django.core.handlers.wsgi.WSGIHandler()

Instalación y configuración uWSGI

Se instala los archivos necesarios para compilar el modulo uWSGI para apache, y se baja la ultima versión del codigo fuente del modulo.

sudo apt-get install apache2-dev

su - root

mkdir -p /export/src

cd /export/src

wget http://projects.unbit.it/uwsgi/browser/apache2/mod_uwsgi.c?format=txt -o mod_uwsgi.c

apxs2 -i -c mod_uwsgi.c

echo "LoadModule uwsgi_module /usr/lib/apache2/modules/mod_uwsgi.so" > \

/etc/apache2/mods-available/uwsgi.load

a2enmod uwsgi

/etc/init.d/apache2 restart

Instalando uWSGI con PIP

pip install uwsgi

Creamos el archivo configuración uwsgi.xml

sudo vim /export/web/domain.com/uwsgi.xml

y colocamos lo siguiente

<uwsgi>

<max-requests>100</max-requests>

<memory-report/>

<limit-as>1024</limit-as>

<buffer-size>64768</buffer-size>

<socket-timeout>10</socket-timeout>

<socket>/tmp/domain.sock</socket>

<home>/export/web/domain.com/domain_env</home>

<pythonpath>/export/web/domain.com</pythonpath>

<pythonpath>/export/web/domain.com/domain</pythonpath>

<touch-reload>/export/web/domain.com/domain/django.wsgi</touch-reload>

<module>django_wsgi</module>

</uwsgi>

Se crea el script que inicia el servicio

sudo vim /etc/init.d/uwsgi

Y se coloca lo siguiente:

#!/bin/bash

# uwsgi - Use uwsgi to run python and wsgi web apps.

# chkconfig: - 85 15

# description: Use uwsgi to run python and wsgi web apps.

# processname: uwsgi

PATH=/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/local/bin/uwsgi

OWNER=root

NAME=domain.com

DESC=domain.com

test -x $DAEMON || exit 0

set -e

get_pid() {

if [ -f /var/run/$NAME.pid ]; then

echo `cat /var/run/$NAME.pid`

}

DAEMON_OPTS=" --uid www-data --gid www-data -x /export/web/$NAME/uwsgi.xml -d /var/log/uwsgi/$NAME.log --pidfile /var/run/$NAME.pid"

case "$1" in

start)

echo -n "Starting $DESC: "

PID=$(get_pid)

if [ -z "$PID" ]; then

[ -f /var/run/$NAME.pid ] && rm -f /var/run/$NAME.pid

touch /var/run/$NAME.pid

chown $OWNER /var/run/$NAME.pid

su - $OWNER -pc "$DAEMON $DAEMON_OPTS"

echo "$NAME."

;;

stop)

echo -n "Stopping $DESC: "

PID=$(get_pid)

echo $PID

[ ! -z "$PID" ] && kill -s 3 $PID &> /dev/null

if [ $? -gt 0 ]; then

echo "was not running"

exit 1

else

echo "$NAME."

rm -f /var/run/$NAME.pid &> /dev/null

;;

reload)

echo "Reloading $NAME"

PID=$(get_pid)

[ ! -z "$PID" ] && kill -s 1 $PID &> /dev/null

if [ $? -gt 0 ]; then

echo "was not running"

exit 1

else

echo "$NAME."

rm -f /var/run/$NAME.pid &> /dev/null

;;

force-reload)

echo "Reloading $NAME"

PID=$(get_pid)

[ ! -z "$PID" ] && kill -s 15 $PID &> /dev/null

if [ $? -gt 0 ]; then

echo "was not running"

exit 1

else

echo "$NAME."

rm -f /var/run/$NAME.pid &> /dev/null

;;

restart)

$0 stop

sleep 2

$0 start

;;

status)

#killall -10 $DAEMON

;;

N=/etc/init.d/$NAME

echo "Usage: $N {start|stop|restart|reload|force-reload|status}" >&2

exit 1

;;

esac

exit 0

Se le asignan permisos de ejecución

sudo chmod +x /etc/init.d/uwsgi

Se inicia el servicio

sudo /etc/init.d/uwsgi start

Y se agrega en la lista de servicios que se ejecutan al iniciar el sistema

sudo apt-get install sysv-rc-conf
sudo sysv-rc-conf

Configuración Apache

Se crea el archivo de configuración del virtualhost

sudo vim /etc/apache2/site-available/domain.com

Con la siguiente información.

ServerName domain.com

ServerAlias domain.interalia.net

DocumentRoot "/export/web/domain.com/www"

SetHandler uwsgi-handler

uWSGISocket /tmp/domain.sock

</Location>

LogLevel warn

CustomLog /var/log/apache2/domain.com-access.log combined

ErrorLog /var/log/apache2/domain.com-error.log

</VirtualHost>

Activamos el sitio y recargamos la configuración.

sudo a2ensite domain.com

sudo /etc/init.d/apache2 reload

Instalación ultima version estable Nginx

sudo apt-get install python-software-properties

sudo -s

nginx=stable

add-apt-repository ppa:nginx/$nginx

apt-get update

apt-get install nginx

Se crean los siguientes archivos

vim /etc/nginx/conf.d/osam.conf

## General Options

ignore_invalid_headers off;

keepalive_requests 100;

#limit_conn_zone $binary_remote_addr 5m;

recursive_error_pages on;

#sendfile on;

server_name_in_redirect off;

server_tokens off;

## TCP options

#tcp_nopush on;

#tcp_nodelay on;

## Compression

#gzip on;

gzip_static on;

gzip_http_version 1.0;

#gzip_http_version 1.1;

gzip_comp_level 6;

gzip_min_length 100;

gzip_proxied any;

gzip_types text/plain text/css text/xml image/x-icon image/gif application/json application/x-javascript application/xml application/

xml+rss text/javascript;

gzip_vary on;

# make sure gzip does not lose large gzipped js or css files

# see http://blog.leetsoft.com/2007/7/25/nginx-gzip-ssl

gzip_buffers 16 8k;

# Disable gzip for certain browsers.

#gzip_disable “MSIE [1-6].(?!.*SV1)”;

## Global SSL options

ssl_ciphers HIGH:!ADH:!MD5;

ssl_prefer_server_ciphers on;

ssl_protocols TLSv1;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 5m;

## Proxy options

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 300;

proxy_send_timeout 90;

proxy_read_timeout 90;

proxy_buffer_size 16k;

proxy_buffers 32 16k;

proxy_busy_buffers_size 64k;

proxy_buffering on;

proxy_cache_min_uses 3;

proxy_cache_path /usr/local/nginx/proxy_temp/ levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000M;

proxy_cache_valid any 10m;

proxy_ignore_client_abort off;

proxy_intercept_errors on;

proxy_next_upstream error timeout invalid_header;

## uWSGI

#upstream uwsgi_main {

# server 127.0.0.1:5050;

# The country IP database

#geoip_country /usr/share/GeoIP/GeoIP.dat;

vim /etc/nginx/sites-available/domain.com

server {

add_header Cache-Control public;

server_name domain.interalia.net 206.80.40.111 10.164.90.16;

access_log /var/log/nginx/domain.com-access.log;

error_log /var/log/nginx/domain.com-error.log;

root /export/web/domain.com/www;

## Only allow GET and HEAD reques:qt methods

#if ($request_method !~ ^(GET|HEAD)$ ) {

# return 444;

## Deny illegal Host headers

#if ($host !~* ^domain.com$ ) {

# return 444;

## Deny certain User-Agents (case insensitive)

## The ~* makes it case insensitive as opposed to just a ~

#if ($http_user_agent ~* (Baiduspider|Jullo|httperf) ) {

# return 444;

## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico

location = /favicon.ico {

#empty_gif;

return 204;

}

location / {

proxy_pass http://127.0.0.1:8080;

}

location ~ ^/(media|static) {

expires 30d;

root /export/web/domain.com/domain;

if ($request_filename ~* ^.*?/([^/]*?)$)

{

set $filename $1;

}

if ($filename ~* ^.*?\.(eot)|(ttf)|(woff)$){

add_header Access-Control-Allow-Origin *;

}

location /gmedia {

expires 30d;

alias /export/web/domain.com/domain.com/_generated_media;

if ($request_filename ~* ^.*?/([^/]*?)$)

{

set $filename $1;

}

if ($filename ~* ^.*?\.(eot)|(ttf)|(woff)$){

add_header Access-Control-Allow-Origin *;

}

Se inicia el servicio

$ sudo /etc/init.d/nginx start

Para obtener los paquetes a instalar
pip freeze --local

Aparece una lista como la siguientes.
Django==1.3.1
Fabric==1.2.2
MySQL-python==1.2.3
PIL==1.1.7
South==0.7.3
Whoosh==2.1.0
argparse==1.2.1
distribute==0.6.21
django-admin-tools==0.4.0
django-appmedia==1.0.1
-e hg+https://bitbucket.org/wnielson/django-chronograph@f1b471b4ef84b4efea4c1d764968a833d8aaf794#egg=django_chronograph-dev
django-classy-tags==0.3.3.1
django-cms==2.1.3
django-debug-toolbar==0.8.5
-e git://github.com/wardi/django-filebrowser-no-grappelli.git@0be5a31a703c1bf656b0fe244343d6017e3e6419#egg=django_filebrowser-dev
django-haystack==1.2.4
django-mediagenerator==1.10.4
django-modeltranslation==0.3.2
django-pagination==1.0.7
django-rosetta==0.6.0
django-taggit==0.9.3
django-tinymce==1.5.1a2
django-uni-form==0.8.0
gdata==2.0.15
ipython==0.11
lxml==2.3.1
mutagen==1.20
paramiko==1.7.7.1
pycrypto==2.3
python-dateutil==1.5
python-memcached==1.47
simplejson==2.1.6
slimmer==0.1.30
sorl-thumbnail==11.05.2
suds==0.4

Parches
su - web
cd /export/web/dominio.com
source dominio_env/bin/activate
cd /export/web/domino.com/dominios_env/lib/python2.6/site-packages/cms

NGINX
/etc/nginx/nginx.conf
/etc/nginx/conf.d/osam.conf
/etc/nginx/sites-available/dominio.com
/etc/nginx/sties-available/s.dominio.com

MySQL

CREATE DATABASE `dominio` /*!40100 DEFAULT CHARACTER SET latin1 */
mysql -uroot -p dominio < dominio.sql
SET PASSWORD FOR 'usuario'@'localhost' = PASSWORD('123456');

GenerateMedia
cd /export/web/dominio.com
source dominio/bin/activate
python manage.py collectstatic --noinput && python manage.py generatemedia
python manage.py makemessages -a && python manage.py makemessages -d djangojs -a
python manage.py makemessages -a

Ajustes del sistema operatico http://www.cyberciti.biz/faq/linux-tcp-tuning/

Tuesday, October 18, 2011

Iptables en Ubuntu

Nos basamos de los scripts de iRedMail para esta configuración.

vim /etc/init.d/iptables

#!/usr/bin/env bash

#---------------------------------------------------------------------

# This file is part of iRedMail, which is an open source mail server

# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.

# iRedMail is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# iRedMail is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with iRedMail. If not, see <http://www.gnu.org/licenses/>.

#---------------------------------------------------------------------

### BEGIN INIT INFO

# Provides: iptables

# Required-Start: $network $syslog

# Required-Stop: $network $syslog

# Default-Start: 2 3 4 5

# Default-Stop: 0 1 6

# Short-Description: Control iptables firewall.

### END INIT INFO

# This init.d script is used to control iptables, based on

# /etc/init.d/iptables on Red Hat Enterprise Linux 5.3, modified

# by Zhang Huangbin (michaelbibby@gmail.com), iRedMail project

# (http://www.iredmail.org/).

# config: /etc/default/iptables

# config: /etc/default/iptables-config

# Source function library.

. /lib/lsb/init-functions

IPTABLES='iptables'

IPTABLES_DATA="/etc/default/$IPTABLES"

IPTABLES_CONFIG="/etc/default/${IPTABLES}-config"

IPV="${IPTABLES%tables}" # ip for ipv4 | ip6 for ipv6

PROC_IPTABLES_NAMES="/proc/net/${IPV}_tables_names"

VAR_SUBSYS_IPTABLES="/var/lock/subsys/$IPTABLES"

[ -d $(dirname ${VAR_SUBSYS_IPTABLES}) ] || mkdir -p $(dirname ${VAR_SUBSYS_IPTABLES})

if [ ! -x /sbin/$IPTABLES ]; then

log_daemon_msg "/sbin/$IPTABLES does not exist." "iptables"

exit 0

if lsmod 2>/dev/null | grep -q ipchains ; then

log_daemon_msg "ipchains and $IPTABLES can not be used together." "iptables"

exit 0

# Old or new modutils

/sbin/modprobe --version 2>&1 | grep -q module-init-tools \

&& NEW_MODUTILS=1 \

|| NEW_MODUTILS=0

# Default firewall configuration:

IPTABLES_MODULES=""

IPTABLES_MODULES_UNLOAD="yes"

IPTABLES_SAVE_ON_STOP="no"

IPTABLES_SAVE_ON_RESTART="no"

IPTABLES_SAVE_COUNTER="no"

IPTABLES_STATUS_NUMERIC="yes"

# Load firewall configuration.

[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

rmmod_r() {

# Unload module with all referring modules.

# At first all referring modules will be unloaded, then the module itself.

local mod=$1

local ret=0

local ref=

# Get referring modules.

# New modutils have another output format.

[ $NEW_MODUTILS = 1 ] \

&& ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \

|| ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`

# recursive call for all referring modules

for i in $ref; do

rmmod_r $i

let ret+=$?;

done

# Unload module.

# The extra test is for 2.6: The module might have autocleaned,

# after all referring modules are unloaded.

if grep -q "^${mod}" /proc/modules ; then

modprobe -r $mod > /dev/null 2>&1

let ret+=$?;

return $ret

}

flush_n_delete() {

# Flush firewall rules and delete chains.

[ -e "$PROC_IPTABLES_NAMES" ] || return 1

# Check if firewall is configured (has tables)

tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`

[ -z "$tables" ] && return 1

log_daemon_msg "Flushing firewall rules" "iptables"

ret=0

# For all tables

for i in $tables; do

# Flush firewall rules.

$IPTABLES -t $i -F;

let ret+=$?;

# Delete firewall chains.

$IPTABLES -t $i -X;

let ret+=$?;

# Set counter to zero.

$IPTABLES -t $i -Z;

let ret+=$?;

done

[ $ret -eq 0 ] && log_end_msg 0 || log_end_msg 1

return $ret

}

set_policy() {

# Set policy for configured tables.

policy=$1

# Check if iptable module is loaded

[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

# Check if firewall is configured (has tables)

tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`

[ -z "$tables" ] && return 1

log_daemon_msg "Setting chains to policy $policy"

ret=0

for i in $tables; do

echo -n " $i"

case "$i" in

raw)

$IPTABLES -t raw -P PREROUTING $policy \

&& $IPTABLES -t raw -P OUTPUT $policy \

|| let ret+=1

;;

filter)

$IPTABLES -t filter -P INPUT $policy \

&& $IPTABLES -t filter -P OUTPUT $policy \

&& $IPTABLES -t filter -P FORWARD $policy \

|| let ret+=1

;;

nat)

$IPTABLES -t nat -P PREROUTING $policy \

&& $IPTABLES -t nat -P POSTROUTING $policy \

&& $IPTABLES -t nat -P OUTPUT $policy \

|| let ret+=1

;;

mangle)

$IPTABLES -t mangle -P PREROUTING $policy \

&& $IPTABLES -t mangle -P POSTROUTING $policy \

&& $IPTABLES -t mangle -P INPUT $policy \

&& $IPTABLES -t mangle -P OUTPUT $policy \

&& $IPTABLES -t mangle -P FORWARD $policy \

|| let ret+=1

;;

let ret+=1

;;

esac

done

[ $ret -eq 0 ] && log_end_msg 0 || log_end_msg 1

return $ret

}

start() {

# Do not start if there is no config file.

[ -f "$IPTABLES_DATA" ] || return 1

log_daemon_msg "Applying $IPTABLES firewall rules"

OPT=

[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

$IPTABLES-restore $OPT $IPTABLES_DATA

if [ $? -eq 0 ]; then

log_end_msg 0

else

log_end_msg 1; return 1

# Load additional modules (helpers)

if [ -n "$IPTABLES_MODULES" ]; then

echo -n "Loading additional $IPTABLES modules"

ret=0

for mod in $IPTABLES_MODULES; do

echo -n "$mod "

modprobe $mod > /dev/null 2>&1

let ret+=$?;

done

[ $ret -eq 0 ] && log_end_msg 0 || log_end_msg 1

touch $VAR_SUBSYS_IPTABLES

return $ret

}

stop() {

# Do not stop if iptables module is not loaded.

[ -e "$PROC_IPTABLES_NAMES" ] || return 1

flush_n_delete

set_policy ACCEPT

if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then

echo -n "Unloading $IPTABLES modules"

ret=0

rmmod_r ${IPV}_tables

let ret+=$?;

rmmod_r ${IPV}_conntrack

let ret+=$?;

[ $ret -eq 0 ] && log_end_msg 0 || log_end_msg 1

rm -f $VAR_SUBSYS_IPTABLES

return $ret

}

save() {

# Check if iptable module is loaded

[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

# Check if firewall is configured (has tables)

tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`

[ -z "$tables" ] && return 1

echo -n "Saving firewall rules to $IPTABLES_DATA"

OPT=

[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

ret=0

TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \

&& chmod 600 "$TMP_FILE" \

&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \

&& size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \

|| ret=1

if [ $ret -eq 0 ]; then

if [ -e $IPTABLES_DATA ]; then

cp -f $IPTABLES_DATA $IPTABLES_DATA.save \

&& chmod 600 $IPTABLES_DATA.save \

|| ret=1

if [ $ret -eq 0 ]; then

cp -f $TMP_FILE $IPTABLES_DATA \

&& chmod 600 $IPTABLES_DATA \

|| ret=1

[ $ret -eq 0 ] && log_end_msg 0 || log_end_msg 1

echo

rm -f $TMP_FILE

return $ret

}

status() {

tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`

# Do not print status if lockfile is missing and iptables modules are not

# loaded.

# Check if iptable module is loaded

if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then

echo "Firewall is stopped."

return 1

# Check if firewall is configured (has tables)

if [ ! -e "$PROC_IPTABLES_NAMES" ]; then

echo "Firewall is not configured. "

return 1

if [ -z "$tables" ]; then

echo "Firewall is not configured. "

return 1

NUM=

[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"

VERBOSE=

[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"

COUNT=

[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"

for table in $tables; do

echo "Table: $table"

$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo

done

return 0

}

restart() {

[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save

stop

start

}

case "$1" in

start)

stop

start

RETVAL=$?

;;

stop)

[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save

stop

RETVAL=$?

;;

restart)

restart

RETVAL=$?

;;

condrestart)

[ -e "$VAR_SUBSYS_IPTABLES" ] && restart

;;

status)

status

RETVAL=$?

;;

panic)

flush_n_delete

set_policy DROP

RETVAL=$?

;;

save)

save

RETVAL=$?

;;

echo "Usage: $0 {start|stop|restart|condrestart|status|panic|save}"

exit 1

;;

esac

exit $RETVAL

Se le asignan permisos de ejecución.

chmod +x /etc/init.d/iptables

Agregamos las reglas en el archivo de configuración

vim /etc/default/iptables

#---------------------------------------------------------------------

# This file is part of iRedMail, which is an open source mail server

# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.

# iRedMail is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# iRedMail is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with iRedMail. If not, see <http://www.gnu.org/licenses/>.

#---------------------------------------------------------------------

# Sample iptables rules. It should be localted at:

# /etc/sysconfig/iptables

# Shipped within iRedMail project:

# * http://iRedMail.googlecode.com/

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [0:0]

# Keep state.

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# http/https, smtp/smtps, pop3/pop3s, imap/imaps, ssh

#-A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,465,2222 -j ACCEPT

# Loop device.

-A INPUT -i lo -j ACCEPT

######## Cacti/Nagios

-A INPUT -s [IP address] -p udp -m udp --dport 161 -j ACCEPT

-A INPUT -s [IP address] -p udp -m udp --sport 161 -j ACCEPT

-A INPUT -s [IP address] -p tcp -m tcp --dport 199 -j ACCEPT

-A INPUT -s [IP address] -p tcp -m tcp --dport 3306 -j ACCEPT

-A INPUT -s [IP address] -p tcp -m tcp --dport 11211 -j ACCEPT

-A INPUT -s [IP address] -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Allow PING from remote hosts.

#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ejabberd

#-A INPUT -p tcp -m multiport --dport 5222,5223,5280 -j ACCEPT

# http

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# https

#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Apache

#-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT

# smtp/smtps/smtp(submission)

#-A INPUT -p tcp -m multiport --dport 25,465,587 -j ACCEPT

# pop3/pop3s

#-A INPUT -p tcp -m multiport --dport 110,995 -j ACCEPT

# imap/imaps

#-A INPUT -p tcp -m multiport --dport 143,993 -j ACCEPT

# ldap/ldaps

#-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT

# ftp.

#-A INPUT -p tcp -m multiport --dport 21,20 -j ACCEPT

# ssh

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

# Limit the number of incoming tcp connections

# # Interface 0 incoming syn-flood protection
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN

-A syn_flood -j DRO

COMMIT

Por ultimo reiniciamos iptables

/etc/init.d/iptables restart