Simple IPTables rule set

    I've been having good success with the below rule set loaded via iptables-restore. So far (knock on wood) I've had no intrusions. I also run fail2ban on my sites along with using keys and Google Authenticator for SSH. No FTP is enabled, strictly SFTP.

    The YYY.YYY.YYY.YYY is the IP of a remote server that I allowed to connect since I was running memcached on the server this is from.

    The XXX.XXX.XXX.XXX is the IP of the actual server.

    Source Code

    # Generated by iptables-save v1.4.14 on Fri Jun 14 01:38:26 2013
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [125:23416]
    # munin-node (4949), reachable from any source
    -A INPUT -p tcp -m tcp --dport 4949 -m state --state NEW,ESTABLISHED -j ACCEPT
    # memcached (11281): only the remote server may connect, everything else is rejected
    -A INPUT -p tcp -s YYY.YYY.YYY.YYY --dport 11281 -j ACCEPT
    # The next rule in the original post reads "-s --dport 11281" with no address after -s.
    # iptables-restore refuses the whole file on such a line, so it is kept as a comment
    # with a placeholder until the intended source address is filled in.
    # -A INPUT -p tcp -s <SOURCE-ADDRESS-MISSING-IN-POST> --dport 11281 -j ACCEPT
    -A INPUT -p tcp --dport 11281 -j REJECT
    # No -j target: this rule only accumulates packet/byte counters for the server address
    -A INPUT -d XXX.XXX.XXX.XXX/32
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # FTP is not offered; SFTP goes over port 22
    -A INPUT -p tcp -m tcp --dport 21 -j DROP
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # Never reached: the ACCEPT on port 80 directly above already matches every such packet
    -A INPUT -p tcp -m tcp --dport 80 -j DROP
    # Duplicate of the earlier "-i lo" rule (harmless, never reached)
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # ident (113): answer with a TCP reset so mail servers do not wait for a timeout
    -A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
    -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 443 -j ACCEPT
    # RIP (520) explicitly rejected
    -A INPUT -i eth0 -p udp -m udp --dport 520 -j REJECT --reject-with icmp-port-unreachable
    # Third copy of the "-i lo" rule (never reached)
    -A INPUT -i lo -j ACCEPT
    -A FORWARD -o lo -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 4949 -m state --state ESTABLISHED -j ACCEPT
    # Counting-only rule for traffic sourced from the server address
    -A OUTPUT -s XXX.XXX.XXX.XXX/32
    -A OUTPUT -o lo -j ACCEPT
    COMMIT
    # Completed on Fri Jun 14 01:38:26 2013
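Rule sets like the one above are usually checked by loading them and hoping nothing breaks. As an added example (not part of the original post, and not a tool the poster uses), the script below lints an iptables-save dump before it is loaded: it flags an option with no value (the `-s --dport 11281` line, which iptables-restore would refuse outright), rules without a `-j` target (which only count packets), and rules that can never fire because an earlier rule in the same chain with a terminating target matches a superset of their packets (the second port-80 rule and the repeated `-i lo` rules). The sample dump embedded in it is a constructed, trimmed version of the post's INPUT chain using the post's placeholder addresses; the set of options that take an argument is an assumption that covers filter-table dumps of this kind, not the full iptables grammar.

```python
"""Lint an iptables-save dump for rules that are broken, count-only, or unreachable."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Options that take exactly one argument (assumed subset; enough for filter-table dumps)
OPTIONS_WITH_VALUE = {
    "-A", "-p", "-s", "-d", "-i", "-o", "-m", "-j",
    "--dport", "--sport", "--state", "--icmp-type", "--reject-with",
}
# Targets after which no later rule in the chain sees the packet
TERMINATING_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample (not the post's full dump): a trimmed INPUT chain that keeps
# the same kinds of defects, with the post's placeholder addresses.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [125:23416]
-A INPUT -p tcp -s YYY.YYY.YYY.YYY --dport 11281 -j ACCEPT
-A INPUT -p tcp -s --dport 11281 -j ACCEPT
-A INPUT -p tcp --dport 11281 -j REJECT
-A INPUT -d XXX.XXX.XXX.XXX/32
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    line_no: int
    chain: Optional[str]
    matches: frozenset          # (option, value) pairs that must all match
    target: Optional[str]       # None when the rule has no -j
    problems: List[str]


def parse_rule(line_no: int, line: str) -> Rule:
    """Parse one '-A CHAIN ...' line into its chain, match set and target."""
    tokens = shlex.split(line)
    chain, target, pairs, problems = None, None, [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPTIONS_WITH_VALUE:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is None or nxt.startswith("-"):
                # e.g. "-s --dport 11281": the address that should follow -s is missing
                problems.append(f"option {tok} has no value")
                i += 1
                continue
            if tok == "-A":
                chain = nxt
            elif tok == "-j":
                target = nxt
            else:
                pairs.append((tok, nxt))
            i += 2
        else:
            pairs.append((tok, ""))  # bare flag such as "!"
            i += 1
    # "-p tcp" already loads the tcp match module, so "-m tcp" adds nothing; dropping it
    # lets "-p tcp --dport 80" and "-p tcp -m tcp --dport 80" compare as equal matches.
    proto = dict(pairs).get("-p")
    pairs = [pv for pv in pairs if not (pv[0] == "-m" and pv[1] == proto)]
    if target is None:
        problems.append("no -j target: rule only counts packets")
    return Rule(line_no, chain, frozenset(pairs), target, problems)


def lint_ruleset(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, message) findings for an iptables-save dump.

    A rule is unreachable when an earlier rule in the same chain has a terminating
    target and a match set that is a subset of this rule's: every packet this rule
    could match was already decided by the earlier one.
    """
    findings: List[Tuple[int, str]] = []
    seen = {}  # chain name -> rules already processed, in file order
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("-A "):
            continue  # comments, *table, :CHAIN policy lines, COMMIT
        rule = parse_rule(line_no, line)
        findings.extend((line_no, p) for p in rule.problems)
        for earlier in seen.get(rule.chain, []):
            if earlier.target in TERMINATING_TARGETS and earlier.matches <= rule.matches:
                same = earlier.matches == rule.matches and earlier.target == rule.target
                kind = "duplicate of" if same else "shadowed by"
                findings.append((line_no, f"unreachable: {kind} rule on line "
                                          f"{earlier.line_no} ({earlier.target})"))
                break
        seen.setdefault(rule.chain, []).append(rule)
    return findings


if __name__ == "__main__":
    for n, message in lint_ruleset(SAMPLE_RULESET):
        print(f"line {n}: {message}")
```

Run it on a real dump with `python3 lint.py < /etc/iptables/rules.v4` after swapping `SAMPLE_RULESET` for `sys.stdin.read()`. Note what the sample shows about the broken `-s` line: parsed as written, it accepts port 11281 from every source, which in turn makes the REJECT right after it unreachable, so the restriction the poster intended would silently vanish even if the loader accepted the file.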