I have a dedicated LINUX server at GoDaddy. It will be used to host web services implementing our product.
I need the software firewall (iptables) set up. This must be done as a script, which will be checked into our archive and reused for various testing and staging servers as well as for the production server. The script will be run using ssh (PuTTY) under the root user id.
The script will have a customization region at the top, where several variables and lists will be modified prior to being run.
-- the port numbers associated with various services, e.g. MySQL, ping, "Simple Control Panel (9999)" etc.
-- WS-client services list: what ports/services (see variables above) need to be available to a web services client. (These clients are our customers.)
-- MySQL client services list: what ports/services need to be available to a system that is accessing a MySQL database on the server.
-- Developer services list: what ports/services need to be available to a system developer (e.g. ssh, ftp, http, MySQL...). For our internal developers, perhaps ALL access is OK from the specified IP addresses, assuming that can't be spoofed. Please advise.
-- Tester services list: what ports/services need to be available to a system tester (e.g. ssh, ftp, http, MySQL...)
-- WS-client list: the domain names / IP addresses of client web servers that should be allowed WS-client services access.
-- MySQL client list: The IP addresses / domain names of other systems allowed to connect to the MySQL database to issue queries.
-- Developer list: the IP addresses of developer workstations which should be allowed developer services access, per developer access service list above.
-- Tester list: the IP addresses of workstations which should be allowed tester access, per tester services list above.
I know that the server will need to be able to do the following things. So, the script should be set up to enable them to work through the firewall:
-- Java software on the system will send out mail to individuals registered on the site.
-- A MySQL database will be running on the site, used programmatically by the server program (written in Java), by .NET code running on machines in the "MySQL client list", and interactively by MySQL browser. MySQL browser access should be limited to developers, testers, and systems in the "MySQL client list".
-- ftp will be used to automatically move incremental backups to remote systems.
-- developers will use ssh to access the system through PuTTY, and also to initiate scripts that are to run on the system. (An example of the latter will be a script, initiated from a developer's workstation, to deploy a new version of the web services code.)
-- I need "Simple Control Panel" access to the system through GoDaddy, which is port 9999, from anywhere.
Other than explicitly allowed access, the system should be cut off from the world.
The script should be "idempotent", i.e. I should be able to run it again and end up with the same valid software firewall on the same system. So, things like creation of needed directories etc. should be done carefully, so they work even if the directory already exists.
I should be able to modify the variables/lists at the top of the script, and rerun the script at will. So, for example, if access is currently allowed for a developer's IP address, and I remove that IP address from the ALLOWED_DEVELOPERS list and re-run the script, that IP address should no longer be allowed.
There should be as little manual effort as possible to run/rerun the script. Instructions for running the script must be documented as a comment at the top of the script.
Please make the script correct, readable, and maintainable!
Operating System: Red Hat Fedora Core 7
Control Panel Type: Simple Control Panel
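As an added illustration of the structure requested above (a customization region of service ports and per-role host lists, a default-deny policy, and a rebuild-from-scratch approach so that rerunning the script after editing a list is idempotent), here is a skeleton that is not the poster's script. The port numbers and all host addresses in the customization region are constructed placeholders, and a DRY_RUN switch prints the iptables commands for review instead of executing them.

```bash
#!/bin/bash
# Added example, not the poster's script: skeleton of an idempotent iptables
# policy built from the customization region the posting describes.
# DRY_RUN=1 (default) prints the iptables commands for review instead of
# running them; run as root with DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"

# ---- customization region (service ports and host lists; the addresses
# ---- below are constructed placeholders, not real client systems) ----
SSH_PORT=22; HTTP_PORT=80; MYSQL_PORT=3306; PANEL_PORT=9999
DEVELOPER_SERVICES="$SSH_PORT $HTTP_PORT $MYSQL_PORT"
MYSQL_CLIENT_SERVICES="$MYSQL_PORT"
WS_CLIENT_SERVICES="$HTTP_PORT"
ALLOWED_DEVELOPERS="203.0.113.10 203.0.113.11"
ALLOWED_MYSQL_CLIENTS="198.51.100.20"
ALLOWED_WS_CLIENTS="192.0.2.0/24"
# ---- end customization region ----

IPT=iptables
ipt() {  # print (dry run) or execute one iptables command
  if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# allow_role "<hosts>" "<ports>": one ACCEPT rule per (host, port) pair,
# so each role's access is exactly the cross product of its two lists.
allow_role() {
  local host port
  for host in $1; do
    for port in $2; do
      ipt -A INPUT -p tcp -s "$host" --dport "$port" -m state --state NEW -j ACCEPT
    done
  done
}

build_policy() {
  # Flush first: every run rebuilds the ruleset from the lists above, so a
  # host removed from a list loses access on the next run (idempotent).
  ipt -F INPUT; ipt -F FORWARD; ipt -F OUTPUT
  ipt -P INPUT DROP; ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT            # outbound mail (SMTP) and backup ftp work
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  ipt -A INPUT -p tcp --dport "$PANEL_PORT" -m state --state NEW -j ACCEPT  # panel, any source
  allow_role "$ALLOWED_DEVELOPERS"    "$DEVELOPER_SERVICES"
  allow_role "$ALLOWED_MYSQL_CLIENTS" "$MYSQL_CLIENT_SERVICES"
  allow_role "$ALLOWED_WS_CLIENTS"    "$WS_CLIENT_SERVICES"
}                                 # anything else hits the INPUT DROP policy
build_policy
```

Whether the ftp data connection from developer workstations passes depends on the transfer mode (passive ftp needs either the ip_conntrack_ftp helper or an opened passive port range), so that part of the policy needs checking on the actual server.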