Dear Members
I hope you are all doing well.
I am busy teaching myself iptables and was wondering if I may get some
advise. The scenario is the following:
1. Default policy is to block all traffic
2. Allow web traffic and SSH
3. Allow other applications
I have come up with the following:
#!/bin/bash
# RESET CURRENT RULE BASE
iptables -F
service iptables save
# DEFAULT FIREWALL POLICY
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# ------------------------------------------------------
# INPUT CHAIN RULES
# ------------------------------------------------------
# MOST COMMON ATTACKS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# WEB SERVICES
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# EMAIL
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# OTHER APPLICATIONS
iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
# ------------------------------------------------------
# OUTPUT CHAIN RULES
# ------------------------------------------------------
# UDP
iptables -A OUTPUT -p udp -j DROP
# LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
iptables -A OUTPUT -i lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# WEB SERVICES
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# EMAIL
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# OTHER APPLICATIONS
iptables -A INPUT -p tcp -m tcp --dport 11009 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 12009 -j ACCEPT
# ------------------------------------------------------
# SAVE & APPLY
# ------------------------------------------------------
service iptables save
service iptables restart
To note:
1. The drop commands at the beginning of each chain is for increase
performance. It is my understanding that file gets read from top to bottom
and applied accordingly. Therefore, applying them in the beginning will
increase the performance by not reading through all the rules only to apply
the default policy.
2. I know the above point will not really affect the performance, so it
is more of getting into a habit of structuring the rules according to best
practice, or at least establishing a pattern for myself.
How secure is this setup? Is there any mistakes or things that I need to
look out for?
Thank you in advance for your feedback.
Kind Regards
Leon
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
