Techniques to implement iptables rules

There are many schools of thought when it comes to system-level firewalling.

One conservative approach that is often seen is to use connection tracking to match and explicitly accept incoming RELATED or ESTABLISHED traffic. All other incoming traffic is dropped by default. Explicit rules are added as necessary for various services to accept unmatched incoming traffic.

Outgoing traffic is not filtered in most scenarios.

Example (a complete filter table, loadable with iptables-restore):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT

The above iptables-save snippet shows a setup that drops inbound and forwarded packets by default and accepts outgoing packets by default. Traffic arriving on the loopback interface is explicitly accepted, as are RELATED and ESTABLISHED packets (e.g. the replies to an HTTP request the host itself made), and TCP traffic to port 22 (SSH). Note that the conntrack and SSH rules are bound to eth1: a packet arriving on any other interface matches none of the rules and falls through to the INPUT DROP policy, so either add rules per interface or omit the -i match. Dropping INVALID explicitly is redundant while the chain policy is DROP, but it stops malformed or out-of-state packets from being accepted by the per-port rules that follow it.
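The ruleset above is easy to mistype, and a wrong rule on a remote host means losing the SSH session. The script below is an added example (not from the original page) that generates the same stateful ruleset for a given interface and list of TCP ports in iptables-save format, validates it with iptables-restore --test, applies it atomically, and rolls back to the previous ruleset unless the change is confirmed. The function names, the 60-second rollback window and the /run/fw-rollback marker path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: generate and safely apply the stateful default-DROP INPUT ruleset.
# Assumed/hypothetical: function names, the 60 s rollback window, /run/fw-rollback.

# gen_rules IFACE PORT [PORT...]
# Emit a complete *filter table in iptables-save format: default DROP for INPUT
# and FORWARD, ACCEPT for OUTPUT, loopback accepted, RELATED/ESTABLISHED accepted,
# INVALID dropped, then one ACCEPT per TCP port on IFACE.
gen_rules() {
    iface=$1
    shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-A INPUT -i $iface -m conntrack --ctstate INVALID -j DROP"
    for port in "$@"; do
        # Replies to our own connections were already accepted above, so these
        # rules only ever see the first packet of a new inbound connection.
        printf '%s\n' "-A INPUT -i $iface -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_count FILE: number of -A rule lines in an iptables-save file, a cheap
# sanity check that the generated table is not empty before applying it.
rule_count() {
    grep -c '^-A ' "$1"
}

# apply_rules FILE: save the live ruleset, load FILE atomically, and schedule a
# rollback to the saved ruleset unless confirm_rules is run within 60 seconds.
apply_rules() {
    new=$1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # --test parses and builds the ruleset without committing it to the kernel.
    iptables-restore --test "$new" || { echo "invalid ruleset: $new" >&2; return 1; }
    iptables-restore "$new" || return 1
    echo "$backup" > /run/fw-rollback
    # Background watchdog: if the backup still exists after 60 s, nobody
    # confirmed the change (the SSH session is presumably gone), so restore it.
    ( sleep 60; [ -e "$backup" ] && iptables-restore "$backup" && rm -f "$backup" ) &
    echo "rules applied; run '$0 confirm' within 60s to keep them"
}

# confirm_rules: cancel the pending rollback by removing the saved ruleset.
confirm_rules() {
    [ -e /run/fw-rollback ] || return 0
    rm -f "$(cat /run/fw-rollback)" /run/fw-rollback
}

# Usage: fw.sh gen eth1 22 443 > rules.v4
#        fw.sh apply rules.v4     (then, from a fresh SSH login:)  fw.sh confirm
case "${1:-}" in
    gen)     shift; gen_rules "$@" ;;
    apply)   apply_rules "$2" ;;
    confirm) confirm_rules ;;
esac
```

The watchdog pattern is the same idea as iptables-apply: the new rules are only kept if you can still reach the host afterwards. Generate the file first and inspect it, since the whole table is replaced in one iptables-restore call.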