IPTables - Do I really need it? [duplicate]

Solution 1:

If I understand your question, you don't have any iptables rules and are asking whether you really need them if the only open ports you have are the ones from actively running services. Is that correct?

Short answer: yes, you should have a working iptables ruleset on your server, even if the only open ports are the services you want to run there. Also remember to maintain the rules and add/remove services as they are added to or removed from the server.

Long, exemplified answer: Theoretically you would not need it, but security is about making the attacker's life harder. Suppose that your webserver has a script with a bug in it, and someone exploits that bug and injects a remote shell server (even a simple netcat will do). If the server doesn't have a firewall in front of it, or a local one blocking connections, the attacker will be able to connect to that exploited shell. If you add correct and working iptables rules, the attacker will not be able to connect (because iptables blocked any traffic not on the ports you allowed).

Even if you have a firewall in front of your servers, a basic iptables script is good practice. As I said, your job is to add layers of security (defense in depth), so if one layer fails, others will still be up to delay the attack.

Solution 2:

No, you don't need to have iptables rules.

However, you will want to have them for several reasons:

  • Make it harder for people to do port scanning
  • Detect brute-forcing attempts
  • Filter against attacks

See my Community Wiki, "IPTables Tips & Tricks". You might find some inspiration there.
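As an added example (not from this answer or the linked wiki), shell functions that emit iptables rules for the three points above, and a small detection step over the resulting log entries: dropping TCP flag combinations that only stealth scans send plus rate-limited logging of SYNs to closed ports; an SSH chain using the `recent` match to log and drop a source that opens too many new connections in a window; and a parser that turns the `ssh-bruteforce:` kernel log prefix into a per-source count. The chain name, log prefixes, the threshold (4 connections in 60 s) and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the answer or its linked wiki. Emits iptables
# rules (printed for review; pipe to `sh` as root to apply) and parses the
# kernel log lines they produce. Chain name, log prefixes, thresholds and the
# sample log lines below are assumptions made for this example.

# Make port scans less informative: drop flag combinations no real client
# sends (NULL, Xmas, SYN+FIN, SYN+RST) and log remaining SYNs at a bounded
# rate. Append these AFTER the rules that accept your real services, so only
# SYNs to closed ports reach the LOG rule.
portscan_rules() {
    echo "iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
    echo "iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
    echo "iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"
    echo "iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
    echo "iptables -A INPUT -p tcp --syn -m limit --limit 10/min -j LOG --log-prefix \"portscan: \""
}

# SSH brute-force detection with the `recent` match: each new connection to
# port 22 records the source; a source seen $hits or more times within $secs
# seconds is logged (rate-limited) and dropped, others are accepted. The chain
# is inserted at the top of INPUT so it sees the packets before a generic
# port-22 ACCEPT rule would.
ssh_bruteforce_rules() {
    hits="${1:-4}"
    secs="${2:-60}"
    echo "iptables -N SSH_BRUTE 2>/dev/null || iptables -F SSH_BRUTE"
    echo "iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_BRUTE"
    echo "iptables -A SSH_BRUTE -m recent --name sshbrute --set"
    echo "iptables -A SSH_BRUTE -m recent --name sshbrute --update --seconds $secs --hitcount $hits -m limit --limit 3/min -j LOG --log-prefix \"ssh-bruteforce: \""
    echo "iptables -A SSH_BRUTE -m recent --name sshbrute --update --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A SSH_BRUTE -j ACCEPT"
}

# Detection side: read kernel log lines on stdin and print "count source"
# for every address that tripped the ssh-bruteforce rule, busiest first.
bruteforce_sources() {
    grep 'ssh-bruteforce:' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Constructed sample log lines (TEST-NET addresses), not real captures.
SAMPLE_LOG='Mar  3 10:01:12 web1 kernel: ssh-bruteforce: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:01:13 web1 kernel: ssh-bruteforce: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 10:01:14 web1 kernel: iptables-drop: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=4444 SYN
Mar  3 10:01:15 web1 kernel: ssh-bruteforce: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:16 web1 kernel: ssh-bruteforce: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22 SYN'

portscan_rules
ssh_bruteforce_rules 4 60
echo "# brute-force sources in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | bruteforce_sources
```

The `recent` list lives in `/proc/net/xt_recent/sshbrute`, so you can inspect who is currently throttled without reading logs; clearing it with `echo / > /proc/net/xt_recent/sshbrute` releases a legitimate user who locked themselves out. Run `bruteforce_sources < /var/log/kern.log` (path varies by distribution) to see which addresses are hitting the rule; the same prefix can feed a log watcher such as fail2ban if you prefer longer bans than the 60 s window.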

Solution 3:

Yes. At the very least, it will open port 20 appropriately so that active FTP will work. Aside from that, it will prevent connections to hostile programs that start a server on your machine.