[CentOS] [CENTOS] IPTABLES - How Secure & Best Practice

Leon Vergottini leonv at cornerstone.ac.za
Wed Jun 29 10:00:16 UTC 2016


Dear Members

I hope you are all doing well.

I am busy teaching myself iptables and was wondering if I may get some
advice.  The scenario is the following:


   1. Default policy is to block all traffic
   2. Allow web traffic and SSH
   3. Allow other applications

I have come up with the following:

#!/bin/bash

#  RESET CURRENT RULE BASE
iptables -F
service iptables save

#  DEFAULT FIREWALL POLICY
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#  ------------------------------------------------------
#  INPUT CHAIN RULES
#  ------------------------------------------------------

#  MOST COMMON ATTACKS
#  (no flags set, a NEW connection that does not start with SYN, all flags set)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#  LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

#  WEB SERVICES
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

#  EMAIL
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

#  OTHER APPLICATIONS
iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT


#  ------------------------------------------------------
#  OUTPUT CHAIN RULES
#  ------------------------------------------------------
#  UDP
iptables -A OUTPUT -p udp -j DROP

#  LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
#  (the OUTPUT chain matches on the outgoing interface, so -o rather than -i)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  SSH (outbound connections to remote port 22)
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

#  WEB SERVICES (outbound)
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT

#  EMAIL (outbound)
iptables -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT

#  OTHER APPLICATIONS (outbound)
iptables -A OUTPUT -p tcp -m tcp --dport 11009 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 12009 -j ACCEPT



#  ------------------------------------------------------
#  SAVE & APPLY
#  ------------------------------------------------------


service iptables save
service iptables restart

To note:


   1. The drop commands at the beginning of each chain are for increased
   performance.  It is my understanding that the file gets read from top to
   bottom and applied accordingly.  Therefore, applying them at the beginning
   will increase the performance by not reading through all the rules only to
   apply the default policy.
   2. I know the above point will not really affect the performance, so it
   is more of getting into a habit of structuring the rules according to best
   practice, or at least establishing a pattern for myself.


How secure is this setup?  Are there any mistakes or things that I need to
look out for?

Thank you in advance for your feedback.

Kind Regards
Leon
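The same policy as in the post (default DROP on every chain, loopback and connection tracking decided first, then the listed TCP ports), written as an added example rather than as the poster's own script. It emits the rules in iptables-restore format so the whole table is loaded in one atomic step instead of flushing the live ruleset and re-adding rules one by one, and it carries a small lint pass that catches the slips a default-DROP OUTPUT policy turns into a lockout: `-i` on an OUTPUT rule or `-o` on an INPUT rule. Assumptions not in the post: the two "OTHER APPLICATIONS" ports are taken to be 11009 and 12009, and outbound DNS on UDP/53 is allowed because an OUTPUT policy of DROP otherwise leaves the host unable to resolve names.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds a default-DROP filter table in
# iptables-restore format (applied atomically) and lints it before loading.
# Assumptions: application ports 11009/12009 (from the post's OUTPUT section);
# outbound DNS over UDP/53 is required for name resolution.

TCP_IN="22 80 443 8080 143 993 11009 12009"
TCP_OUT="22 80 443 8080 143 993 11009 12009"

emit() { printf '%s\n' "$1"; }

# Print the complete filter table. Order matters: the conntrack rule sits near
# the top so an established flow is accepted immediately and only NEW packets
# walk the per-port rules below it.
build_ruleset() {
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT DROP [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Malformed flag combinations (no flags / all flags) and NEW without SYN
    emit '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    emit '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    emit '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
    for p in $TCP_IN; do
        emit "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # OUTPUT matches on the outgoing interface, hence -o, never -i
    emit '-A OUTPUT -o lo -j ACCEPT'
    emit '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    for p in $TCP_OUT; do
        emit "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    emit 'COMMIT'
}

# Read a ruleset on stdin and report: -i on an OUTPUT rule, -o on an INPUT
# rule, or any line that is not a table header, chain policy, rule or COMMIT.
# Returns the number of findings, so 0 means the ruleset passed.
lint_ruleset() {
    errors=0
    while IFS= read -r line; do
        case "$line" in
            '-A OUTPUT '*'-i '*) echo "lint: -i is not valid in OUTPUT: $line"; errors=$((errors + 1)) ;;
            '-A INPUT '*'-o '*)  echo "lint: -o is not valid in INPUT: $line";  errors=$((errors + 1)) ;;
            '-A INPUT '*|'-A OUTPUT '*|'-A FORWARD '*|'*filter'|':'*|COMMIT) ;;
            *) echo "lint: unrecognised line: $line"; errors=$((errors + 1)) ;;
        esac
    done
    return "$errors"
}

# Usage as root, after reviewing the generated rules:
#   build_ruleset | lint_ruleset && build_ruleset | iptables-restore
build_ruleset | lint_ruleset
```

Because iptables-restore replaces the table in one step, there is no window in which the host runs with a flushed ruleset or with only the first few rules loaded; once the rules are in, `service iptables save` persists them the same way the post does.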


