I'm new to iptables, and I've been trying to put together a firewall whose purpose is to protect a web server. The rules below are the ones I've put together so far, and I would like to hear whether the rules make sense, and whether I've left out anything essential.
In addition to port 80, I also need to have port 3306 (MySQL) and 22 (SSH) open for external connections.
Any feedback is highly appreciated!
#!/bin/sh
# Clear all existing rules.
iptables -F
# ACCEPT connections for loopback network connection, 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT
# ALLOW established traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DROP packets that are NEW but do not have the SYN bit set.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# DROP fragmented packets, as there is no way to tell the source and destination ports of such a packet.
iptables -A INPUT -f -j DROP
# DROP packets with all tcp flags set (XMAS packets).
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# DROP packets with no tcp flags set (NULL packets).
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# ALLOW ssh traffic (and prevent against DoS attacks)
iptables -A INPUT -p tcp --dport ssh -m limit --limit 1/s -j ACCEPT
# ALLOW http traffic (and prevent against DoS attacks)
iptables -A INPUT -p tcp --dport http -m limit --limit 5/s -j ACCEPT
# ALLOW mysql traffic (and prevent against DoS attacks)
iptables -A INPUT -p tcp --dport mysql -m limit --limit 25/s -j ACCEPT
# DROP any other traffic.
iptables -A INPUT -j DROP
Try shorewall which provides a reasonable firewall out of the box. Enable access from net for the services you want. There are example rule sets for one, two, and three interfaces. The documentation is good and it is actively maintained.
I expect you will want to limit which addresses can access MySQL, which is easily done. You can also secure SSH with port knocking, where the port is closed unless you have probed another port recently.
ETA: 5. Having this kind of rate limit makes DoS attacks really simple. I just need to send 1 SYN packet per second to your server to deny YOU ssh access.
I would think about using something like NARC to do your iptables rules configuration:
http://www.knowplace.org/pages/howtos/firewalling_with_netfilter_iptables/netfilter_automatic_rule_configurator.php
There are some sensible defaults already in place with this package which you should be able to trust.
I use Webmin, it has a good starting ruleset.
http://www.webmin.com/
Filtering outgoing communication from the server to the internet is also important. For SMTP especially, it is recommended to allow it only to one server.
I manage Mikrotik firewalls, and I'm used to doing, for example:
And a few more. I would recommend reading this: http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling The Mikrotik syntax is straightforward and it contains good pointers for beginners.
With respect to the XMAS packet.
Different scanners send different flavors of XMAS. Your ALL ALL rule, while it SHOULD match the canonical definition of the phrase XMAS packet, doesn't actually catch them as NMAP sends them.
http://techhelplist.com/index.php/tech-tutorials/43-linux-adventures/120-nmap-linux-iptables-xmas-packets
nmap -sX, which is supposed to be the XMAS scan, won't be caught by ALL ALL.
ALL ALL equates to: mask FIN,SYN,RST,PSH,ACK,URG, compare FIN,SYN,RST,PSH,ACK,URG
What NMAP sends equates to: mask FIN,SYN,RST,PSH,ACK,URG, compare FIN,PSH,URG
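A hardened rewrite of the question's script, as an added example (not code from the question or from any answer), combining the per-source rate-limit point from the shorewall answer's edit with the nmap XMAS flag point above. Assumptions: the MySQL client range 192.0.2.0/24 is a constructed placeholder, the conntrack and hashlimit matches are the standard iptables modules of those names, and DRY_RUN=1 (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Hardened INPUT chain for the web server in the question (added example).
# DRY_RUN=1 prints each iptables command; DRY_RUN=0 as root applies it.
DRY_RUN=${DRY_RUN:-1}
MYSQL_CLIENTS=${MYSQL_CLIENTS:-192.0.2.0/24}   # constructed placeholder range

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -F INPUT
    # Default policy DROP: a later flush no longer leaves the host wide open.
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # XMAS as nmap -sX really sends it (FIN,PSH,URG), then the canonical
    # all-flags and no-flags probes. ALL ALL alone misses the nmap variant.
    ipt -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # SSH: limit NEW connections per source address (hashlimit srcip), not
    # globally, so one host sending SYNs cannot lock every other client out.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-above 4/min --hashlimit-burst 4 -j DROP
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # MySQL: only from the known client range, never from the whole internet.
    ipt -A INPUT -p tcp --dport 3306 -s "$MYSQL_CLIENTS" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_rules
```

In dry-run mode the script just lists the rules, so the chain can be reviewed before `DRY_RUN=0` applies it.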