On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save

Why would you save the existing rule set? This script throws it away later, when it runs save again.

> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're applying additional processing (CPU time) to the vast majority of your packets for no reason. The "E,R" rule should be first. It won't match the invalid packets you're trying to drop.

> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

You're not specifying the "new" state in any of your input ACCEPT rules, which means that you're also ACCEPTing invalid packets that don't match the handful of invalid states you DROPped earlier.

> iptables -A OUTPUT -p udp -j DROP

What? Why? Do you like really slow DNS? (If you don't care about your own lookups, turn the question around. Do you like putting extra load on your DNS server, impacting service for all of its other users?)

> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

These are the same INPUT rules you specified earlier. You probably meant the OUTPUT chain, but you didn't allow DNS anywhere, so you've broken the most important service imaginable.

> 1. The drop commands at the beginning of each chain are for increased
> performance.

I understand what you're trying to do, but in the real world, this will decrease performance.

> How secure is this setup? Are there any mistakes or things that I need to
> look out for?

It's not great. Use firewalld. Your rules fail to do some things both correctly and quickly that firewalld gets right. You also don't improve on firewalld's rule sets in any way.
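For reference, here is the quoted rule set reordered and completed along the lines of the reply above, as an added example that is neither Leon's script nor anything posted to the list: the ESTABLISHED,RELATED rule leads each chain, the service ACCEPT matches only NEW, and OUTPUT explicitly allows DNS instead of dropping all UDP. The DROP default policies on INPUT/OUTPUT, the loopback rules and the TCP-53 allow are assumptions of the example, not something the thread states.

```shell
#!/bin/sh
# Added example, not the quoted script: the same rule set reordered and
# completed per the reply. build_rules prints the iptables commands so they
# can be reviewed (or piped to "sudo sh") without running on this host.
RULES=""

rule() {
    # Queue one iptables command; "$*" keeps tokens such as "!" intact.
    RULES="${RULES}iptables $*
"
}

build_rules() {
    RULES=""
    rule -F
    # Assumed default policies: drop inbound, and drop outbound so that
    # every allowed outbound service has to be listed explicitly.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP
    # 1. Conntrack shortcut first: almost every packet belongs to a known
    #    connection and matches here, skipping all the rules below.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    # 2. The malformed-TCP drops now only see packets that got this far.
    rule -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    rule -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    rule -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # 3. Services ACCEPT only NEW connections, so INVALID packets that the
    #    three drops above miss fall through to the DROP policy instead.
    rule -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    # 4. OUTPUT: allow replies, loopback and DNS instead of "-p udp -j DROP".
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # Persist exactly once, after the new rules are in place.
    RULES="${RULES}service iptables save
"
    printf '%s' "$RULES"
}

build_rules
```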