Iptables whitelist
There is a lot of documentation available for iptables on the internet, but much less on how to build a secure set of rules. This guide is intended to provide the most secure firewall setup possible: one that drops all traffic except traffic that has been explicitly added to a whitelist. If you rely on blacklisting attackers, they can always come back from another IP address, and your rule set only grows larger and more expensive to traverse. Whitelisting gives you a small set of rules that provides exactly the functionality you need and nothing more.
iptables -F
- Set the default policies on all of the filter table chains to DROP. This means that
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Local services talk to each other over loopback; allow it in both directions.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DNS: the host may open UDP queries to port 53 and accepts only the matching replies.
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# HTTP/HTTPS: outbound connections may be opened; inbound is limited to replies on established connections.
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Log new connection attempts to SSH and MySQL in a dedicated chain, rate-limited so a flood cannot fill the log.
# RETURN hands the packet back to INPUT, where the default policy drops it unless a later rule accepts it.
iptables -N LOGSERVER
iptables -A INPUT -p tcp -m multiport --dports 22,3306 -m conntrack --ctstate NEW -j LOGSERVER
iptables -A LOGSERVER -m limit --limit 5/min -j LOG --log-prefix "SYN to server: " --log-level warning
iptables -A LOGSERVER -j RETURN
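An audit script to verify that a live ruleset actually has the whitelist posture described above (added example, not part of the original guide). It reads `iptables-save` output and fails if any filter chain does not default to DROP or if INPUT accepts anything that is not loopback or conntrack-bound; the sample dumps are constructed.

```shell
#!/bin/sh
# Audit an iptables-save dump for whitelist posture:
#   1. INPUT, FORWARD and OUTPUT in the filter table must default to DROP
#   2. every ACCEPT rule in INPUT must be bound to loopback or to a conntrack
#      state match, so nothing is open unconditionally
# Usage: iptables-save | audit_whitelist        (or: audit_whitelist < dump.txt)
audit_whitelist() {
    awk '
        /^\*/             { table = substr($0, 2); next }   # "*filter", "*nat", ...
        table != "filter" { next }
        /^:INPUT /   { pol["INPUT"]   = $2 }               # ":INPUT DROP [0:0]"
        /^:FORWARD / { pol["FORWARD"] = $2 }
        /^:OUTPUT /  { pol["OUTPUT"]  = $2 }
        /^-A INPUT / && / -j ACCEPT/ {
            if ($0 !~ /-i lo( |$)/ && $0 !~ /--ctstate /) {
                printf "open INPUT accept: %s\n", $0; bad++
            }
        }
        END {
            split("INPUT FORWARD OUTPUT", chains, " ")
            for (i = 1; i <= 3; i++) {
                c = chains[i]
                if (!(c in pol) || pol[c] != "DROP") {
                    printf "chain %s policy is %s, want DROP\n", c, ((c in pol) ? pol[c] : "missing"); bad++
                }
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed dump mirroring the rules in this guide: passes the audit.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGSERVER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,3306 -m conntrack --ctstate NEW -j LOGSERVER
-A OUTPUT -o lo -j ACCEPT
-A LOGSERVER -j RETURN
COMMIT'

# Constructed dump with an ACCEPT policy and an unconditional SSH rule: fails.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
```

Run it against the real host with `iptables-save | audit_whitelist`; a non-zero exit status lists each policy or rule that breaks the whitelist.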