IPtables locking down website allowing only SSH

I have written my first IPtables rule file to try and protect my server on all ports apart from SSH and the ports needed for the web.

This is what I have come up with:

i=/sbin/iptables

# Flush all rules
$i -F
$i -X

# Setup default filter policy
$i -P INPUT DROP
$i -P OUTPUT DROP
$i -P FORWARD DROP

# Allow unlimited traffic on loopback
$i -A INPUT -i lo -j ACCEPT
$i -A OUTPUT -o lo -j ACCEPT

# Open up ports for nginx
$i -A INPUT -p tcp --dport 443 -j ACCEPT
$i -A INPUT -p tcp --dport 80 -j ACCEPT
$i -A INPUT -p tcp --dport 22 -j ACCEPT

# Make sure nothing comes or goes out of this box
$i -A INPUT -j DROP
$i -A OUTPUT -j DROP

I know there is somewhat of a black art when it comes to iptables, so I was wondering if anyone could pitch in and see if this is the right approach to securing a web server.

Solution 1:

You probably don't want to drop all outgoing connections.

You might want to add a rule early on to allow ESTABLISHED connections and if using protocols like ftp you might add RELATED to the rule too e.g.

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Remember rule order matters: first match wins.

You should probably take a look at this Q&A that we have on securing a web server, Tips for Securing a LAMP Server; it has lots of great information.

Solution 2:

You are missing -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT somewhere. Additionally, I would not drop all outgoing packets.
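The ruleset with the fix both answers describe (a stateful ESTABLISHED,RELATED ACCEPT placed before the catch-all DROP, and an OUTPUT chain that no longer swallows the server's own replies), as an added example rather than the asker's script or either answerer's code. It goes slightly beyond the answers by keeping OUTPUT at default DROP and allowing only specific outbound traffic; which outbound services the box needs (DNS, NTP, HTTP/S for updates) is an assumption, as is the path in IPT. emit_rules prints the commands so they can be reviewed before apply_rules runs them.

```shell
#!/bin/sh
# Added example (not from the original post). IPT is an assumed path.
IPT=${IPT:-/sbin/iptables}

# Print the ruleset; nothing is applied until apply_rules pipes it to sh.
emit_rules() {
cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Stateful rules first: first match wins, so replies to accepted connections
# must be let through before the catch-all DROP at the bottom.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
# Services this host offers: ssh and nginx. Only NEW needs accepting now.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Outbound the box itself needs (assumed set: DNS, NTP, package updates).
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 123 -j ACCEPT
$IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
$IPT -A INPUT -j DROP
$IPT -A OUTPUT -j DROP
EOF
}

# Line number of the first emitted rule containing a pattern (empty if none).
rule_line() {
    emit_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# The check the answers insist on: in the given chain the stateful ACCEPT
# must appear before the catch-all DROP, because iptables stops at first match.
check_order() {
    st=$(rule_line "-A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT")
    drop=$(rule_line "-A $1 -j DROP")
    [ -n "$st" ] && [ -n "$drop" ] && [ "$st" -lt "$drop" ]
}

# Apply for real; requires root and a working iptables binary.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    emit_rules | sh -e
}
```

Run `emit_rules` first to eyeball the order, and `apply_rules` only from a console session you will not lose if ssh is cut off.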