iptables - is this a good ruleset?

Is this a good ruleset for a server that has to block anything but http, https, smtp, imap, ssl, openvpn? (I xxx'ed ssl and openvpn as I put them on non-standard ports, which helped a lot against some idiots' attacks.) The two subnets I blocked additionally were bugging me with continuous relay attempts. I am asking because I am not sure about the forwarding rules and the lines I posted at the end. Thanks!

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  123-204-0-0.dynamic.seed.net.tw/16  anywhere
DROP       all  --  118-167-0-0.dynamic.hinet.net/16  anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xxxx
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xxxxxx
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

-> Don't know why webmin is adding this, I never use webmin to configure iptables...
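The ruleset above, read mechanically. The Python below is an added example (not code from the thread) that parses plain `iptables -L` output and asks the two questions a reviewer would ask of it: where does traffic that matches no specific rule end up in each built-in chain, and which ACCEPT rules show no match at all? The two leading `ACCEPT all anywhere anywhere` entries in RH-Firewall-1-INPUT are most likely interface-scoped (the stock Red Hat chain opens with `-i lo -j ACCEPT`), but plain `-L` drops the in/out columns, so as printed they read as accept-everything and the final REJECT is never reached; `iptables -L -n -v` settles it. The sample text is the question's own tables, abridged, and the `is_unconditional` heuristic is this example's own, not an iptables concept.

```python
"""Added audit helper, not part of the thread: parse plain `iptables -L` output
and report where unmatched traffic ends up and which ACCEPT rules show no match.
SAMPLE is constructed from the question's own tables (masked port lines omitted)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    target: str
    proto: str
    src: str
    dst: str
    extra: str = ""          # everything printed after the destination column

@dataclass
class Chain:
    name: str
    policy: Optional[str]    # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

def parse_iptables_list(text: str) -> Dict[str, Chain]:
    """Parse the table printed by `iptables -L` (with or without -n)."""
    chains: Dict[str, Chain] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("target"):   # blank line or column header
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        parts = line.split(None, 5)   # target prot opt source destination [rest]
        if current is not None and len(parts) >= 5:
            current.rules.append(Rule(parts[0], parts[1], parts[3], parts[4],
                                      parts[5] if len(parts) > 5 else ""))
    return chains

def is_unconditional(rule: Rule) -> bool:
    """Heuristic (this example's own): no visible match at all. Plain -L hides the
    in/out interface columns, so an `-i lo` rule looks identical to "accept all"."""
    return (rule.proto == "all" and rule.src == "anywhere" and rule.dst == "anywhere"
            and (not rule.extra or rule.extra.startswith("reject-with")))

def catch_all_fate(chains: Dict[str, Chain], name: str, depth: int = 0):
    """Where does a packet matching none of the specific rules end up?
    Returns (target, location); target is None when a user chain falls through."""
    if depth > 16:
        raise RecursionError(f"chain loop while walking {name}")
    chain = chains[name]
    for i, r in enumerate(chain.rules, 1):
        if not is_unconditional(r):
            continue
        if r.target in TERMINAL:
            return r.target, f"{name} rule {i}"
        if r.target in chains:                       # unconditional jump
            fate, where = catch_all_fate(chains, r.target, depth + 1)
            if fate is not None:
                return fate, where
        # RETURN, or a user chain that fell through: keep walking this chain
    return chain.policy, f"{name} policy"

def audit(text: str) -> List[str]:
    chains = parse_iptables_list(text)
    findings = []
    for chain in chains.values():
        for i, r in enumerate(chain.rules, 1):
            if r.target == "ACCEPT" and is_unconditional(r):
                findings.append(f"{chain.name} rule {i}: ACCEPT with no visible match; "
                                "run `iptables -L -n -v` and check its `in` column")
    for name in ("INPUT", "FORWARD", "OUTPUT"):
        if name in chains:
            fate, where = catch_all_fate(chains, name)
            if fate == "ACCEPT":
                findings.append(f"{name}: unmatched traffic is accepted ({where})")
    return findings

SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  123-204-0-0.dynamic.seed.net.tw/16  anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, it reports the two bare ACCEPT rules and that INPUT, as displayed, accepts everything at RH-Firewall-1-INPUT rule 1; FORWARD is not reported because its REJECT is a genuine catch-all, and OUTPUT is reported only because its policy is ACCEPT with no rules. Always audit from `iptables -L -n -v` (or `iptables-save`) rather than plain `-L`, which also stalls on reverse DNS for the blocked subnets.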

2 Replies

I will preface this by saying that I don't bother with iptables; I just don't have services listening on ports I don't want open. However, after a quick glance at the ports you have open, I'd suggest two things completely unrelated to iptables:

1) Configure your SMTP server with TLS and AUTH and have it listen on the submission port (587). There are a lot of ISPs in the world that block outbound connections on port 25. I have yet to encounter one that blocks submission, but just as a safeguard I also have Postfix listen on port 2525 in case I find one someday. This will allow users to send email from anywhere without issues.

2) I noticed you have a service listening on the imap port. I would strongly recommend enabling TLS for imap as well since, without it, everything goes across the wire in the open. This may not seem like a problem, but if your users are like mine they sometimes do email from Internet cafes and places like that. TLS will ensure that a malicious user can't intercept that data.

TLS, obviously, requires a certificate. If you have a small enough number of users you can use a self-signed certificate and distribute it to them. If you have more than a handful of users, there are several places that will supply you a certificate for very little money. I use namecheap.com for my domains and I have heard good things about their certificates.

Anyway, I don't really have anything to add to your iptables rules, but securing services is a pretty good idea.

--James

Mine is a bit restrictive, but I only have 2 services that need external access. The code below is just the rules for dropping bad packets to protect the server:

Chain bad_tcp_packets (1 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `fp=bad_tcp_packets:1 a=DROP '
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `fp=bad_tcp_packets:2 a=DROP '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:3 a=DROP '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `fp=bad_tcp_packets:4 a=DROP '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:5 a=DROP '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST LOG level warning prefix `fp=bad_tcp_packets:6 a=DROP '
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `fp=bad_tcp_packets:7 a=DROP '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
RETURN     tcp  --  anywhere             anywhere

Chain fail2ban-ssh (2 references)
target     prot opt source               destination
RETURN     0    --  anywhere             anywhere

Chain icmp_packets (1 references)
target     prot opt source               destination
LOG        icmp -f  anywhere             anywhere            LOG level warning prefix `fp=icmp_packets:1 a=DROP '
DROP       icmp -f  anywhere             anywhere
DROP       icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
RETURN     icmp --  anywhere             anywhere

Chain tcp_inbound (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable

the fail2ban-ssh chain was setup by fail2ban, which I highly recommend installing.
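What the bad_tcp_packets chain above actually decides. The Python below is an added example (not code from the thread or from iptables) that evaluates `--tcp-flags MASK COMP` matches the way netfilter does, (flags & MASK) == COMP, optionally inverted by `!`, and walks the seven LOG/DROP pairs in chain order over constructed packets to show which `fp=bad_tcp_packets:N` prefix each would log. The conntrack state is taken as an input here rather than computed; that is an assumption of the model, not how a kernel works. One thing the walk makes visible: for a packet in state NEW, pair 1 (new connection not opened by a bare SYN) fires before the null-scan pair 2, so a NULL probe against this box logs as prefix 1, not 2.

```python
"""Added example, not from the thread: model iptables tcp-flags matching,
(flags & MASK) == COMP, and replay the bad_tcp_packets chain over sample
packets. Conntrack state is supplied by the caller; nothing here tracks flows."""
import re
from typing import FrozenSet, Optional

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
SPEC_RE = re.compile(r"^(?:tcp )?(?:flags:)?(!?)([A-Z,]+)/([A-Z,]+)$")

def parse_flag_list(s: str) -> FrozenSet[str]:
    """Comma list as iptables prints it; ALL and NONE as it accepts them."""
    if s == "NONE":
        return frozenset()
    if s == "ALL":
        return frozenset(TCP_FLAGS)
    flags = s.split(",")
    unknown = [f for f in flags if f not in TCP_FLAGS]
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {unknown}")
    return frozenset(flags)

def parse_tcp_flags_match(spec: str):
    """Parse '[tcp ][flags:][!]MASK/COMP' -> (negated, mask, comp)."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not a tcp-flags match: {spec!r}")
    negated = bool(m.group(1))
    mask, comp = parse_flag_list(m.group(2)), parse_flag_list(m.group(3))
    if not comp <= mask:   # a compared bit that is not examined can never match
        raise ValueError(f"comp {sorted(comp)} not within mask {sorted(mask)}")
    return negated, mask, comp

def tcp_flags_match(pkt_flags, mask, comp, negated: bool = False) -> bool:
    """xt_tcp semantics: look only at MASK bits and require exactly COMP set."""
    hit = (frozenset(pkt_flags) & mask) == comp
    return hit != negated

# The seven LOG+DROP pairs from the bad_tcp_packets listing, in chain order,
# as (log prefix number, flags spec as printed by -L, requires `state NEW`).
BAD_TCP_RULES = [
    (1, "!FIN,SYN,RST,ACK/SYN", True),                        # NEW but not a bare SYN
    (2, "FIN,SYN,RST,PSH,ACK,URG/NONE", False),               # NULL scan
    (3, "FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG", False),  # all six set
    (4, "FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG", False),        # nmap -sX shape
    (5, "FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG", False),
    (6, "SYN,RST/SYN,RST", False),                            # SYN and RST together
    (7, "FIN,SYN/FIN,SYN", False),                            # FIN and SYN together
]

def bad_tcp_verdict(pkt_flags, ctstate: str = "NEW") -> Optional[int]:
    """Walk the chain top to bottom. Returns the number of the first LOG/DROP
    pair that fires (its `fp=bad_tcp_packets:N` prefix), or None when the
    packet reaches the final RETURN and continues to the caller's next rule."""
    for num, spec, needs_new in BAD_TCP_RULES:
        if needs_new and ctstate != "NEW":
            continue
        negated, mask, comp = parse_tcp_flags_match(spec)
        if tcp_flags_match(pkt_flags, mask, comp, negated):
            return num
    return None

if __name__ == "__main__":
    # Constructed probes: a normal handshake opener plus classic scan shapes.
    probes = [
        ({"SYN"}, "NEW"), ({"ACK"}, "NEW"), ({"SYN", "ACK"}, "NEW"),
        (set(), "NEW"), (set(), "ESTABLISHED"), (set(TCP_FLAGS), "ESTABLISHED"),
        ({"FIN", "PSH", "URG"}, "ESTABLISHED"), ({"SYN", "RST"}, "ESTABLISHED"),
        ({"FIN", "SYN"}, "ESTABLISHED"), ({"ACK"}, "ESTABLISHED"),
    ]
    for flags, state in probes:
        shown = ",".join(sorted(flags)) or "none"
        print(f"{shown:<24} {state:<12} -> {bad_tcp_verdict(flags, state)}")
```

Note that pair 1's mask leaves PSH and URG out, so a SYN with PSH set still opens a connection; and an ACK arriving in state NEW (an ACK scan, or a mid-stream pickup when conntrack runs in loose mode) is dropped by pair 1, which is the rule doing most of the work in this chain.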
