[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Wed Jun 29 19:51:37 UTC 2016
Dennis Jacobfeuerborn <dennisml at conversis.de>

On 29.06.2016 12:00, Leon Vergottini wrote:
> Dear Members
> 
> I hope you are all doing well.
> 
> I am busy teaching myself iptables and was wondering if I may get some
> advice.  The scenario is the following:
> 
> 
>    1. Default policy is to block all traffic
>    2. Allow web traffic and SSH
>    3. Allow other applications
> 
> I have come up with the following:
> 
> #!/bin/bash
> 
> #  RESET CURRENT RULE BASE
> iptables -F
> service iptables save
> 
> #  DEFAULT FIREWALL POLICY
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> 
> #  ------------------------------------------------------
> #  INPUT CHAIN RULES
> #  ------------------------------------------------------
> 
> #  MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
> 
> #  LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> #  SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> 
> #  WEB SERVICES
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> 
> #  EMAIL
> iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
> 
> #  OTHER APPLICATIONS
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
> 
> 
> #  ------------------------------------------------------
> #  OUTPUT CHAIN RULES
> #  ------------------------------------------------------
> #  UDP
> iptables -A OUTPUT -p udp -j DROP
> 
> #  LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> #  SSH
> iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
> 
> #  WEB SERVICES
> iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> 
> #  EMAIL
> iptables -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
> 
> #  OTHER APPLICATIONS
> iptables -A OUTPUT -p tcp -m tcp --dport 11009 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 12009 -j ACCEPT
> 
> 
> 
> #  ------------------------------------------------------
> #  SAVE & APPLY
> #  ------------------------------------------------------
> 
> 
> service iptables save
> service iptables restart
> 
> To note:
> 
> 
>    1. The drop commands at the beginning of each chain are for increased
>    performance.  It is my understanding that the file gets read from top to bottom
>    and applied accordingly.  Therefore, applying them at the beginning will
>    increase the performance by not reading through all the rules only to apply
>    the default policy.
>    2. I know the above point will not really affect the performance, so it
>    is more of getting into a habit of structuring the rules according to best
>    practice, or at least establishing a pattern for myself.
> 
> 
> How secure is this setup?  Are there any mistakes or things that I need to
> look out for?

You shouldn't script iptables like this and instead use iptables-save
and iptables-restore to activate the rules atomically and with some
error checking.

Regards,
  Dennis
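The atomic apply that Dennis recommends, as an added example that is not part of the original thread: the ruleset is generated in iptables-save format, sanity-checked offline (every rule must target a declared chain, OUTPUT rules must not use the ingress `-i` match, and the table must open with `*filter` and close with `COMMIT`), parse-checked with `iptables-restore --test`, and only then committed in one step. The port list is taken from the original post; `/etc/sysconfig/iptables` as the persistence path is an assumption based on the CentOS iptables-services layout, and `lint_ruleset`, `build_ruleset` and `apply_ruleset` are names invented for this example.

```shell
#!/bin/sh
# Added example, not from the thread: build the ruleset in iptables-save
# format, sanity-check it offline, parse-check it with iptables-restore --test,
# and only then commit it atomically.

# TCP services listed in the original post (22, 80/443/8080, 143/993, 11009/12009).
TCP_IN_PORTS="22 80 443 8080 143 993 11009 12009"

# Emit the full filter table in iptables-save format. Order follows the
# original script: bogus-flag drops, loopback and conntrack, then services.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in $TCP_IN_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # OUTPUT kept as restrictive as the original: loopback and replies only.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Offline check that needs neither root nor the iptables binary. Reads the
# ruleset on stdin, prints each problem found, and exits non-zero if any.
lint_ruleset() {
    awk '
        /^\*/        { table = $1; next }
        /^:/         { chains[substr($1, 2)] = 1; next }
        /^COMMIT$/   { committed = 1; next }
        /^-A /       {
            if (!($2 in chains))              { print "undeclared chain: " $2; bad = 1 }
            if ($2 == "OUTPUT" && $0 ~ / -i /) { print "-i in OUTPUT: " $0; bad = 1 }
            if ($2 == "INPUT"  && $0 ~ / -o /) { print "-o in INPUT: " $0; bad = 1 }
            next
        }
        END {
            if (table != "*filter") { print "missing *filter"; bad = 1 }
            if (!committed)         { print "missing COMMIT"; bad = 1 }
            exit bad
        }
    '
}

# Parse-check with the real binary, then commit. A bad ruleset fails at --test
# and the running firewall is never touched; on success the result is persisted
# where `service iptables save` would write it (assumed CentOS path).
apply_ruleset() {
    rules=$(mktemp) || return 1
    build_ruleset > "$rules"
    if ! lint_ruleset < "$rules"; then
        echo "offline lint failed; firewall unchanged" >&2; rm -f "$rules"; return 1
    fi
    if ! iptables-restore --test "$rules"; then
        echo "iptables-restore rejected the ruleset; firewall unchanged" >&2; rm -f "$rules"; return 1
    fi
    iptables-restore "$rules" && iptables-save > /etc/sysconfig/iptables
    status=$?
    rm -f "$rules"
    return $status
}

# Run as root with "apply" to activate; with no argument just print the ruleset.
case "${1:-}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```

Because `iptables-restore` loads the whole table in a single commit, there is never a window in which the chain policies are DROP but the ACCEPT rules are not yet loaded, which is exactly the gap a sequence of separate `iptables` calls opens (the original script sets `-P OUTPUT DROP` before any OUTPUT rule exists, and a typo halfway through leaves a half-built ruleset live). The offline lint also catches the copy-paste class of mistake from the post, where OUTPUT rules used `-i` and the wrong chain.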