Is there a recommended default iptables setup?
It is fantastic that you are interested in iptables.
As you can see, however, there is a bit of a learning curve.
The basics are
All services listen on ports. One analogy would be an apartment complex: your ports are analogous to apartment numbers.
Common ports are
FTP - 21
SSH - 22
Apache - HTTP 80 ; HTTPS 443
You can get a complete list of ports from a Google search or /etc/services.
This might help as well
https://help.ubuntu.com/10.04/serverguide/C/index.html
From there, enter iptables. As a firewall, iptables is one way of limiting access.
Basically you have 3 broad options.
Public servers, i.e. Apache. Here you will allow all traffic and blacklist bad-acting IPs (spammers).
Private servers, i.e. SSH. Here you will deny all traffic and whitelist authorized connections.
Limit. You may allow ping, but only at a certain rate.
If you are new to iptables, you may wish to start with ufw. ufw is a command line front end to iptables and is easier to learn. The syntax is very similar to iptables so it is easy to transition from ufw to iptables.
See:
https://help.ubuntu.com/community/UFW
https://help.ubuntu.com/community/IptablesHowTo
That information should get you started. If you have a problem, feel free to ask a more specific question.
I also have an introductory page to iptables if you like. I have maintained it over the years with feedback from people new to iptables, hope it helps.
http://bodhizazen.com/Tutorials/iptables
The recommended way (for beginners) is to enable ufw, which in turn automatically sets up basic iptables rules for you:
sudo ufw enable
Basically this will block all unsolicited packets (for the full list of rules that are set up this way see sudo iptables -L).
To be able to connect to the server, you will have to allow a few ports, for instance
sudo ufw allow 22/tcp
to allow ssh
etc.
I recommend that you also add protection against some scan types and unusual (possibly malicious) TCP settings:
# no flags set at all (NULL scan)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# every flag set at once
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# FIN+PSH+URG only (XMAS scan)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
# everything except PSH: not a combination a real stack sends
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
# SYN and RST together are contradictory
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and SYN together are contradictory
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
# packets conntrack cannot associate with any known connection
-A INPUT -m state --state INVALID -j DROP
(Via hideandhack.com.)
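The two answers describe the pieces separately: the first gives three policy patterns (public service with a blacklist, private service with a whitelist, rate-limited ping) and the second gives the ufw baseline plus the bogus-TCP-flag drops. The following shell script, added here as an example and not code from either answer, puts those pieces into one ruleset in iptables-restore format. It prints the ruleset so it can be reviewed before anything is applied; `--apply` pipes it to iptables-restore (requires root). The chain name BAD_TCP, the address ranges (RFC 5737 documentation prefixes), the port lists and the ping rate are all constructed placeholders, and it uses the `conntrack` match where the answer used the older `state` match; both exist in current iptables.

```shell
#!/bin/sh
# Added example (not from either answer): emit an iptables ruleset that combines
# the first answer's three patterns with the second answer's TCP-flag drops.
# Everything below is a constructed placeholder; adjust before applying.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"                  # assumed admin source network
BLACKLIST="${BLACKLIST:-198.51.100.7 203.0.113.0/24}"   # assumed known-bad sources
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"                      # open to everyone
PRIVATE_TCP="${PRIVATE_TCP:-22}"                        # open to ADMIN_NET only

# The six illegal flag combinations from the second answer, as "mask setbits" pairs.
BAD_FLAGS='FIN,SYN,RST,PSH,ACK,URG NONE
FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG
FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG
SYN,RST SYN,RST
FIN,SYN FIN,SYN'

gen_ruleset() {
  printf '%s\n' '*filter'
  # Default deny inbound and forwarded traffic; outbound stays open.
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' ':BAD_TCP - [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # Flag sanity checks and the INVALID drop run before any ACCEPT rule.
  printf '%s\n' '-A INPUT -p tcp -j BAD_TCP'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  echo "$BAD_FLAGS" | while read -r mask setbits; do
    printf '%s\n' "-A BAD_TCP -p tcp --tcp-flags $mask $setbits -j DROP"
  done
  # Blacklist before ACCEPT rules so listed sources never reach a service.
  for src in $BLACKLIST; do
    printf '%s\n' "-A INPUT -s $src -j DROP"
  done
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Public pattern: anyone may open a new connection to these ports.
  for port in $PUBLIC_TCP; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Private pattern: new connections only from the whitelisted network.
  for port in $PRIVATE_TCP; do
    printf '%s\n' "-A INPUT -p tcp -s $ADMIN_NET --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Limit pattern: answer pings, but only up to 5 per second with a burst of 10.
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j DROP'
  printf '%s\n' 'COMMIT'
}

# Line number (1-based) of the first generated rule matching an ERE, 0 if none.
rule_pos() {
  gen_ruleset | awk -v pat="$1" 'BEGIN { n = 0 } $0 ~ pat && !n { n = NR } END { print n }'
}

# Returns 0 when the ruleset has the ordering the comments above promise.
check_ruleset() {
  [ "$(rule_pos '^:INPUT DROP')" -gt 0 ] || return 1
  bad=$(rule_pos '^-A INPUT -p tcp -j BAD_TCP')
  black=$(rule_pos '^-A INPUT -s ')
  pub=$(rule_pos '^-A INPUT -p tcp --dport')
  [ "$bad" -gt 0 ] && [ "$black" -gt "$bad" ] && [ "$pub" -gt "$black" ] || return 1
  [ "$(gen_ruleset | grep -c '^-A BAD_TCP')" -eq 6 ] || return 1
  return 0
}

case "${1:-}" in
  --apply) check_ruleset && gen_ruleset | iptables-restore ;;
  --check) check_ruleset && echo "ruleset ordering is sane" ;;
  *) gen_ruleset ;;
esac
```

Run it with no arguments to read the generated rules, `--check` to confirm that the flag checks and blacklist sit ahead of every ACCEPT, and only then `--apply` as root. On a host where ufw is managing the firewall, ufw's own chains are loaded from /etc/ufw/before.rules and will sit alongside these, so review `sudo iptables -L` afterwards rather than assuming one ruleset replaced the other.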