[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
Gordon Messmer
gordon.messmer at gmail.com
Wed Jun 29 17:49:35 UTC 2016
On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save
Why would you save the existing rule set? This script throws it away
later, when it runs save again.
> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
By putting these rules first, before the "ESTABLISHED,RELATED" rule,
you're applying additional processing (CPU time) to the vast majority of
your packets for no reason. The "E,R" rule should be first. It won't
match the invalid packets you're trying to drop.
> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
You're not specifying the "new" state in any of your input ACCEPT rules,
which means that you're also ACCEPTing invalid packets that don't match
the handful of invalid states you DROPped earlier.
> iptables -A OUTPUT -p udp -j DROP
What? Why? Do you like really slow DNS? (If you don't care about your
own lookups, turn the question around. Do you like putting extra load
on your DNS server, impacting service for all of its other users?)
> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
These are the same INPUT rules you specified earlier. You probably
meant the OUTPUT chain, but you didn't allow DNS anywhere, so you've
broken the most important service imaginable.
> 1. The drop commands at the beginning of each chain are for increased
> performance.
I understand what you're trying to do, but in the real world, this will
decrease performance.
> How secure is this setup? Are there any mistakes or things that I need to
> look out for?
It's not great. Use firewalld. Your rules fail to do some things both
correctly and quickly that firewalld gets right. You also don't improve
on firewalld's rule sets in any way.
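The rule set below is an added example, not Leon's script or anything from Gordon's reply or from the CentOS project; it shows the ordering and state-matching points raised above applied to the same rules, written in iptables-restore format so the whole set is loaded atomically instead of one `iptables -A` at a time. It assumes SSH on tcp/22, that the host's own DNS lookups must keep working (so OUTPUT stays at ACCEPT rather than dropping UDP), and uses `-m conntrack --ctstate`, the current spelling of `-m state --state`; `rule_index` is a helper added here so the ordering can be checked without loading anything into the kernel.

```shell
#!/bin/bash
# gen_rules prints an iptables-restore file. iptables-restore ignores lines
# that start with '#', so the comments can stay in the file.
gen_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services, including the stub resolver, depend on it.
-A INPUT -i lo -j ACCEPT
# The ESTABLISHED,RELATED rule comes before everything else: almost every
# packet belongs to an existing flow, matches here and is done.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are dropped before any service rule.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The original flag checks, now placed after the conntrack rule so only
# packets that are not part of a known flow pay for them.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Service rules accept NEW connections only, so a packet that was not caught
# by the checks above still cannot be accepted by accident.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# OUTPUT is left at ACCEPT: dropping outbound UDP breaks DNS resolution.
COMMIT
EOF
}

# rule_index PATTERN: line number of the first rule line containing PATTERN
# (helper added for this example), used to verify ordering offline.
rule_index() {
  gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage, as root, after reviewing the generated file:
#   gen_rules > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
```

Loading the file with `iptables-restore` replaces the table in one step, so there is no window where the chain is half-built, and the same file can be reviewed with `diff` against the running rules (`iptables-save`) before it is applied.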