On 06/29/2016 03:00 AM, Leon Vergottini wrote:
#!/bin/bash
# RESET CURRENT RULE BASE
iptables -F
service iptables save
Why would you save the existing rule set? This script throws it away later, when it runs save again.
# MOST COMMON ATTACKS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're applying additional processing (CPU time) to the vast majority of your packets for no reason. The "E,R" rule should be first. It won't match the invalid packets you're trying to drop.
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
You're not specifying the "new" state in any of your input ACCEPT rules, which means that you're also ACCEPTing invalid packets that don't match the handful of invalid states you DROPped earlier.
iptables -A OUTPUT -p udp -j DROP
What? Why? Do you like really slow DNS? (If you don't care about your own lookups, turn the question around. Do you like putting extra load on your DNS server, impacting service for all of its other users?)
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
These are the same INPUT rules you specified earlier. You probably meant the OUTPUT chain, but you didn't allow DNS anywhere, so you've broken the most important service imaginable.
1. The drop commands at the beginning of each chain are for increasing performance.
I understand what you're trying to do, but in the real world, this will decrease performance.
How secure is this setup? Are there any mistakes or things that I need to look out for?
It's not great. Use firewalld. Your rules fail to do some things both correctly and quickly that firewalld gets right. You also don't improve on firewalld's rule sets in any way.
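Added example, not part of the thread or of Leon's script: the rule ordering the reply argues for, with the ESTABLISHED,RELATED accept first, the TCP-flag drops after it, service ACCEPTs restricted to NEW, and outbound DNS permitted instead of a blanket UDP drop. The loopback rules and the final INPUT DROP are assumptions not present in the original post; set IPT to "echo iptables" to print the rules instead of applying them.

```bash
#!/bin/bash
# IPT defaults to the real binary; IPT="echo iptables" prints the rules as a dry run.
IPT="${IPT:-iptables}"

install_rules() {
    $IPT -F INPUT
    $IPT -F OUTPUT

    # 1. State match first: most packets belong to existing flows and leave the
    #    chain here, so the flag tests below only see new or untracked traffic.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT          # assumption: local services need loopback

    # 2. Malformed TCP: the same three drops as the original script, now placed
    #    after the E,R rule so they cost CPU only on the remaining packets.
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # 3. Service ACCEPTs limited to NEW, so an INVALID packet cannot match them.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j DROP                  # assumption: default-deny tail

    # 4. OUTPUT: established flows plus new DNS queries (UDP and TCP) rather than
    #    "-p udp -j DROP", which would break name resolution.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# Order check on a printed rule list: the INPUT ESTABLISHED,RELATED accept must
# precede the first --tcp-flags DROP. Returns 0 when the order is right.
check_order() {
    local first_er first_flags
    first_er=$(printf '%s\n' "$1" | grep -n 'INPUT.*ESTABLISHED,RELATED' | head -n1 | cut -d: -f1)
    first_flags=$(printf '%s\n' "$1" | grep -n 'INPUT.*--tcp-flags' | head -n1 | cut -d: -f1)
    [ -n "$first_er" ] && [ -n "$first_flags" ] && [ "$first_er" -lt "$first_flags" ]
}

case "${1:-}" in
    apply) install_rules ;;
    check) check_order "$(IPT="echo iptables" install_rules)" && echo "rule order OK" ;;
esac
```

Run with `check` to print and verify the ordering without root; `apply` installs the rules and is what the dry-run output corresponds to.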