Simple iptables setup question
I'm inexperienced with network security and iptables, but I'm wondering if this setup would be a secure firewall.
Use iptables to allow ports 80 and whatever port I use ssh on, and block all others.
My email goes through Google Apps, so I shouldn't need to leave that port open.
Does this sound right? Are there any ports I'm forgetting?
Thanks!
2 Replies
@Julian:
I'm inexperienced with network security and iptables
I recommend that you use ufw or Shorewall or something, then. Those will let you exclude SSH on 22 and HTTP on 80, and set up iptables for you so you don't have to learn it all. There are a lot of caveats to getting iptables right – like not forgetting localhost, making sure RELATED/ESTABLISHED comes first for performance, and so forth.
Overall, security-wise, you need to allow ICMP through as well. I've never been a fan of selectively filtering ICMP, so I allow it all. Blocking selective ICMP traffic leads to weird behavior, like path MTU discovery failing (if you're interested in Googling). Otherwise, yes, your description sounds reasonably secure.
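The setup from the question with the caveats from the reply above (loopback allowed, ESTABLISHED/RELATED first, all ICMP allowed, everything else dropped), written out as an iptables-restore ruleset. This is an added example, not code posted in the thread; it assumes a Linux host with iptables and the conntrack match, and the SSH port (default 22) is the only input.

```sh
#!/bin/sh
# Added example firewall generator, not from the thread.
# Assumes a Linux host with iptables and the conntrack match; the SSH port
# (default 22) is the only assumption about the host.

# gen_rules [SSH_PORT]: print an iptables-restore ruleset for the setup in
# the question (SSH and HTTP in, everything else dropped) plus the caveats
# from the reply: loopback allowed, ESTABLISHED/RELATED matched first, and
# all ICMP allowed so path MTU discovery keeps working.
gen_rules() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened; placed first so the bulk of
# traffic matches here and never walks the rest of the chain
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# all ICMP, so PMTUD, unreachables and ping behave normally
-A INPUT -p icmp -j ACCEPT
# the two services being exposed
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of whatever is about to hit the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# rule_line PATTERN [SSH_PORT]: 1-based line number of the first rule
# matching PATTERN, so rule ordering can be checked without loading anything.
rule_line() {
    gen_rules "${2:-22}" | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# apply_rules [SSH_PORT]: load the whole ruleset atomically (needs root).
apply_rules() {
    gen_rules "${1:-22}" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules "${2:-22}"
else
    gen_rules "${1:-22}"
fi
```

Run it with no arguments (or with a port number) to print the ruleset; `gen_rules 2222 | iptables-restore --test` parses it without loading it, which is worth doing before `--apply 2222` over a remote SSH session, since loading with iptables-restore replaces the table in one step instead of leaving a window with a DROP policy and no ACCEPT rules.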
# iptables
# start from an empty INPUT chain
iptables -F
# loopback and replies to existing connections first, so they match before anything else
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH and web
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# UDP ports for the VoIP services this host runs
iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
# set the default policy last, so a remote SSH session is not cut off while the rules are loading;
# without this the chain's default is ACCEPT and nothing above actually blocks anything
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -n -v
# prints the live ruleset; redirect it to a file (and reload it at boot with iptables-restore) to persist it
iptables-save
I also change some kernel settings for the better:
# kernel settings
nano /etc/sysctl.conf
# Disable ICMP redirect acceptance (0 = ignore redirects; 1 would accept them)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Ignore ICMP echo requests (the host will not answer ping; other ICMP types are unaffected)
net.ipv4.icmp_echo_ignore_all = 1
# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed packets, source-routed packets and redirect packets (martians)
net.ipv4.conf.all.log_martians = 1
# apply the edited file without rebooting
sysctl -p
The thing I find with iptables is that there are either really extensive scripts out there or just these simple things. I've read 3 books on the topic - none tell me which is better.