IPtables locking down website allowing only SSH
I have written my first IPtables rule file to try and protect my server on all ports apart from SSH and the ports needed for the web.
This is what I have come up with:
i=/sbin/iptables
# Flush all rules
$i -F
$i -X
# Setup default filter policy
$i -P INPUT DROP
$i -P OUTPUT DROP
$i -P FORWARD DROP
# Allow unlimited traffic on loopback
$i -A INPUT -i lo -j ACCEPT
$i -A OUTPUT -o lo -j ACCEPT
# Open up ports for nginx
$i -A INPUT -p tcp --dport 443 -j ACCEPT
$i -A INPUT -p tcp --dport 80 -j ACCEPT
$i -A INPUT -p tcp --dport 22 -j ACCEPT
# Make sure nothing comes or goes out of this box
$i -A INPUT -j DROP
$i -A OUTPUT -j DROP
I know there is somewhat of a black art when it comes to iptables, so I was wondering if anyone could pitch in and see if this is the right approach to securing a web server.
Solution 1:
You probably don't want to drop all outgoing connections.
You might want to add a rule early on to allow ESTABLISHED connections, and if using protocols like FTP you might add RELATED to the rule too, e.g.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Remember rule order matters: first match wins.
You should probably take a look at this Q&A that we have on securing a web server, Tips for Securing a LAMP Server; it has lots of great information.
Solution 2:
You are missing -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT somewhere. Additionally, I would not drop all outgoing packets.
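A rewrite of the asker's script that applies both answers (the state rule placed before the port rules, and OUTPUT no longer dropped wholesale), added here as an example rather than code from either answer. It goes slightly beyond them by allowing the outbound DNS, NTP and HTTP(S) the server itself needs; the IPT variable and the echo dry-run are assumptions so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Hardened rewrite of the asker's script applying both answers:
#  - the state rule is placed early, so replies on established flows are accepted
#  - OUTPUT is no longer dropped wholesale; replies and a few outbound services pass
# IPT defaults to 'echo' (dry run) so the rule set can be reviewed without root;
# run with IPT=/sbin/iptables to apply it for real.
IPT="${IPT:-echo}"
apply_rules() {
    i="$IPT"
    # Flush all rules and user-defined chains
    $i -F
    $i -X
    # Default policy: drop everything not explicitly allowed
    $i -P INPUT DROP
    $i -P OUTPUT DROP
    $i -P FORWARD DROP
    # Loopback is always allowed
    $i -A INPUT -i lo -j ACCEPT
    $i -A OUTPUT -o lo -j ACCEPT
    # Stateful rules first: first match wins, so replies to existing flows
    # are accepted before any port-specific rule is consulted
    $i -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $i -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Drop TCP packets that claim to be new but do not start with SYN
    $i -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # New inbound connections: SSH and the nginx ports
    $i -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $i -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $i -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # Outbound connections the server itself needs: DNS, NTP, package updates
    $i -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $i -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $i -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
    $i -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Explicit final drops; redundant with the policy but make the intent visible
    $i -A INPUT -j DROP
    $i -A OUTPUT -j DROP
}
# Ordering check on the generated rule set: the INPUT state rule must appear
# before the first --dport rule, or replies would never reach it (exit 0 = ok).
state_rule_precedes_ports() {
    apply_rules | awk '
        /-A INPUT -m state --state ESTABLISHED,RELATED/ && !s { s = NR }
        /-A INPUT -p tcp --dport/ && !p { p = NR }
        END { exit !(s && p && s < p) }'
}
apply_rules
```

Run it once without IPT set to print and review the planned rule set; `state_rule_precedes_ports` returns 0 only when the ordering both answers insist on is in place.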