[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Wed Jun 29 17:49:35 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> #!/bin/bash
> iptables -F
> service iptables save

Why would you save the existing rule set?  This script throws it away 
later, when it runs save again.

> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

By putting these rules first, before the "ESTABLISHED,RELATED" rule, 
you're applying additional processing (CPU time) to the vast majority of 
your packets for no reason.  The "E,R" rule should be first.  It won't 
match the invalid packets you're trying to drop.

> #  SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

You're not specifying the "new" state in any of your input ACCEPT rules, 
which means that you're also ACCEPTing invalid packets that don't match 
the handful of invalid states you DROPped earlier.

> iptables -A OUTPUT -p udp -j DROP

What?  Why?  Do you like really slow DNS?  (If you don't care about your 
own lookups, turn the question around.  Do you like putting extra load 
on your DNS server, impacting service for all of its other users?)

> #  SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

These are the same INPUT rules you specified earlier.  You probably 
meant the OUTPUT chain, but you didn't allow DNS anywhere, so you've 
broken the most important service imaginable.

>     1. The drop commands at the beginning of each chain is for increase
>     performance.

I understand what you're trying to do, but in the real world, this will 
decrease performance.

> How secure is this setup?  Is there any mistakes or things that I need to
> look out for?

It's not great.  Use firewalld.  Your rules fail to do some things both 
correctly and quickly that firewalld gets right.  You also don't improve 
on firewalld's rule sets in any way.