[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
Dennis Jacobfeuerborn
dennisml at conversis.de
Wed Jun 29 19:51:37 UTC 2016
On 29.06.2016 12:00, Leon Vergottini wrote:
> Dear Members
>
> I hope you are all doing well.
>
> I am busy teaching myself iptables and was wondering if I may get some
> advice. The scenario is the following:
>
>
> 1. Default policy is to block all traffic
> 2. Allow web traffic and SSH
> 3. Allow other applications
>
> I have come up with the following:
>
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save
>
> # DEFAULT FIREWALL POLICY
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # ------------------------------------------------------
> # INPUT CHAIN RULES
> # ------------------------------------------------------
>
> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>
> # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> # WEB SERVICES
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
> # EMAIL
> iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
> # OTHER APPLICATIONS
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
>
>
> # ------------------------------------------------------
> # OUTPUT CHAIN RULES
> # ------------------------------------------------------
> # UDP
> iptables -A OUTPUT -p udp -j DROP
>
> # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SSH
> iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> # WEB SERVICES
> iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
> # EMAIL
> iptables -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
> # OTHER APPLICATIONS
> iptables -A OUTPUT -p tcp -m tcp --dport 11009 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 12009 -j ACCEPT
>
>
>
> # ------------------------------------------------------
> # SAVE & APPLY
> # ------------------------------------------------------
>
>
> service iptables save
> service iptables restart
>
> To note:
>
>
> 1. The drop commands at the beginning of each chain are for increased
> performance. It is my understanding that the file gets read from top to bottom
> and applied accordingly. Therefore, applying them in the beginning will
> increase the performance by not reading through all the rules only to apply
> the default policy.
> 2. I know the above point will not really affect the performance, so it
> is more of getting into a habit of structuring the rules according to best
> practice, or at least establishing a pattern for myself.
>
>
> How secure is this setup? Are there any mistakes or things that I need to
> look out for?
You shouldn't script iptables like this and instead use iptables-save
and iptables-restore to activate the rules atomically and with some
error checking.
Regards,
Dennis
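The approach Dennis recommends, written out as an added example that is not part of the thread: the quoted rule set expressed as an iptables-save style file, checked with `iptables-restore --test` and then loaded in one atomic step. It assumes a CentOS host running the iptables service, whose init script reads /etc/sysconfig/iptables at boot; the port list is taken from the quoted script, the `validate_ruleset` preflight is my own helper, and `conntrack --ctstate INVALID` is used in place of the hand-written TCP flag rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes CentOS with the iptables
# service (rules persisted in /etc/sysconfig/iptables) and the ports from the
# quoted script. Run as:  sh fw.sh write /tmp/fw.rules ; sh fw.sh apply /tmp/fw.rules
set -u

write_ruleset() {
    # One file for the whole filter table. iptables-restore parses the entire
    # file before committing, so a typo leaves the running rules untouched
    # instead of half-applied (unlike a script that runs iptables line by line).
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to connections this host already tracks
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (covers the bogus TCP flag combinations)
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# web services
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# email
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# outbound: the OUTPUT chain matches on -o (output interface), never -i
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
# with policy DROP nothing else leaves; name resolution (yum, mail) needs this
#-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF
}

validate_ruleset() {
    # Pure-shell preflight that needs no root: every table block must open with
    # "*table" and close with "COMMIT", and the three filter chains must carry an
    # explicit DROP policy. The real syntax check is iptables-restore --test.
    awk '
        BEGIN { bad = 0; open = 0 }
        /^\*/      { if (open) { print "unterminated table " tbl; bad = 1 } open = 1; tbl = $1 }
        /^COMMIT$/ { if (!open) { print "COMMIT without a table"; bad = 1 } open = 0 }
        /^:(INPUT|FORWARD|OUTPUT) / && $2 != "DROP" {
            print "chain " $1 " policy is " $2 ", expected DROP"; bad = 1 }
        END { if (open) { print "missing COMMIT for " tbl; bad = 1 } exit bad }
    ' "$1"
}

apply_ruleset() {
    # --test parses and builds the rule set without committing it; only a clean
    # parse proceeds to the real load, which replaces the table in one step.
    iptables-restore --test < "$1" || {
        echo "ruleset rejected by iptables-restore, running rules unchanged" >&2
        return 1
    }
    iptables-restore < "$1"
    # persist where the CentOS iptables init script loads rules from at boot
    cp "$1" /etc/sysconfig/iptables
}

case "${1:-}" in
    write) f="${2:-/tmp/firewall.rules}"; write_ruleset "$f" && validate_ruleset "$f" ;;
    apply) f="${2:?ruleset file}"; validate_ruleset "$f" && apply_ruleset "$f" ;;
esac
```

Because both policies are DROP, load the file from the console or with a scheduled rollback (for example an `at` job that restores the previous `iptables-save` output) so that a mistake in the port 22 rule cannot lock you out of a remote host.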