[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
Leon Vergottini
leonv at cornerstone.ac.zaWed Jun 29 10:00:16 UTC 2016
- Previous message: [CentOS] .NET on Centos.
- Next message: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Dear Members I hope you are all doing well. I am busy teaching myself iptables and was wondering if I may get some advise. The scenario is the following: 1. Default policy is to block all traffic 2. Allow web traffic and SSH 3. Allow other applications I have come up with the following: #!/bin/bash # RESET CURRENT RULE BASE iptables -F service iptables save # DEFAULT FIREWALL POLICY iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # ------------------------------------------------------ # INPUT CHAIN RULES # ------------------------------------------------------ # MOST COMMON ATTACKS iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # SSH iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # WEB SERVICES iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT # EMAIL iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT # OTHER APPLICATIONS iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT # ------------------------------------------------------ # OUTPUT CHAIN RULES # ------------------------------------------------------ # UDP iptables -A OUTPUT -p udp -j DROP # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS iptables -A OUTPUT -i lo -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # SSH iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # WEB SERVICES iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT # EMAIL iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT # OTHER APPLICATIONS iptables -A INPUT -p tcp -m tcp --dport 11009 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 12009 -j ACCEPT # ------------------------------------------------------ # SAVE & APPLY # ------------------------------------------------------ service iptables save service iptables restart To note: 1. The drop commands at the beginning of each chain is for increase performance. It is my understanding that file gets read from top to bottom and applied accordingly. Therefore, applying them in the beginning will increase the performance by not reading through all the rules only to apply the default policy. 2. I know the above point will not really affect the performance, so it is more of getting into a habit of structuring the rules according to best practice, or at least establishing a pattern for myself. How secure is this setup? Is there any mistakes or things that I need to look out for? Thank you in advance for your feedback. Kind Regards Leon
- Previous message: [CentOS] .NET on Centos.
- Next message: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list