On 29.06.2016 12:00, Leon Vergottini wrote:
> Dear Members
>
> I hope you are all doing well.
>
> I am busy teaching myself iptables and was wondering if I may get some
> advice. The scenario is the following:
>
> 1. Default policy is to block all traffic
> 2. Allow web traffic and SSH
> 3. Allow other applications
>
> I have come up with the following:
>
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save
>
> # DEFAULT FIREWALL POLICY
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # ------------------------------------------------------
> # INPUT CHAIN RULES
> # ------------------------------------------------------
>
> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>
> # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> # WEB SERVICES
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
> # EMAIL
> iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
> # OTHER APPLICATIONS
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
>
>
> # ------------------------------------------------------
> # OUTPUT CHAIN RULES
> # ------------------------------------------------------
> # UDP
> iptables -A OUTPUT -p udp -j DROP
>
> # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A OUTPUT -i lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> # WEB SERVICES
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
> # EMAIL
> iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
> # OTHER APPLICATIONS
> iptables -A INPUT -p tcp -m tcp --dport 11009 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 12009 -j ACCEPT
>
>
> # ------------------------------------------------------
> # SAVE & APPLY
> # ------------------------------------------------------
>
> service iptables save
> service iptables restart
>
> To note:
>
> 1. The drop commands at the beginning of each chain are for increased
> performance. It is my understanding that the file gets read from top to bottom
> and applied accordingly. Therefore, applying them at the beginning will
> increase the performance by not reading through all the rules only to apply
> the default policy.
> 2. I know the above point will not really affect the performance, so it
> is more of getting into a habit of structuring the rules according to best
> practice, or at least establishing a pattern for myself.
>
> How secure is this setup? Are there any mistakes or things that I need to
> look out for?

You shouldn't script iptables like this; instead, use iptables-save and iptables-restore to activate the rules atomically and with some error checking.

Regards,
Dennis
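As an added example (not code from either poster), here is the same policy written in iptables-save format and loaded atomically with iptables-restore, which is what the reply recommends. The whole table is committed in one step, so there is no window in which the DROP policy is active but the ACCEPT rules are not yet loaded, and a syntax error rejects the entire ruleset instead of leaving a half-applied one. It assumes an iptables new enough for `iptables-restore --test` (present in current iptables) and root privileges for the apply step; the `check_rules` helper is a hypothetical offline sanity check that needs neither. Two deviations from the posted script are deliberate: the OUTPUT chain matches loopback with `-o lo` (the posted `-i lo` is an input-interface match and is not valid on OUTPUT), and outbound DNS is allowed explicitly, since dropping all outbound UDP also blocks name resolution.

```shell
#!/bin/sh
# Added example, not from the thread: declarative ruleset plus atomic load.
# Assumptions: iptables-restore supports --test; apply_rules runs as root.

# Emit the ruleset in iptables-save format. Policies are set on the ':'
# lines; all rules land in one COMMIT.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# malformed TCP first, then loopback and already-tracked connections
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH, web, IMAP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
# outbound: loopback is matched with -o on OUTPUT, and DNS must be allowed
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Hypothetical offline check (no root needed): exactly one table header and
# one COMMIT, and every -A rule names a chain declared with a ':' line.
check_rules() {
    rules=$(gen_rules)
    [ "$(printf '%s\n' "$rules" | grep -c '^\*filter$')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 1 ] || return 1
    chains=$(printf '%s\n' "$rules" | sed -n 's/^:\([A-Za-z0-9_-]*\) .*/\1/p')
    for c in $(printf '%s\n' "$rules" | sed -n 's/^-A \([A-Za-z0-9_-]*\) .*/\1/p' | sort -u); do
        printf '%s\n' "$chains" | grep -qx "$c" || return 1
    done
    return 0
}

# Parse and build the ruleset without committing it; only if that succeeds
# is it loaded for real. A failure here leaves the live firewall untouched.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    if ! iptables-restore --test "$tmp"; then
        echo "ruleset rejected by iptables-restore --test; nothing changed" >&2
        rm -f "$tmp"
        return 1
    fi
    iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-check}" in
    check) check_rules && echo "ruleset passes structural check" ;;
    apply) apply_rules ;;
esac
```

Run it with no argument to check the generated ruleset, or with `apply` as root to load it. Before the first remote apply, keep a copy of the live rules with `iptables-save > /root/rules.bak` so a lockout can be undone from the console with `iptables-restore /root/rules.bak`.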