On 06/29/2016 03:00 AM, Leon Vergottini wrote:
#!/bin/bash
# RESET CURRENT RULE BASE
iptables -F
service iptables save
Why would you save the existing rule set? This script throws it away
later, when it runs save again.
# MOST COMMON ATTACKS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
By putting these rules first, before the "ESTABLISHED,RELATED" rule,
you're applying additional processing (CPU time) to the vast majority of
your packets for no reason. The "E,R" rule should be first. It won't
match the invalid packets you're trying to drop.
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
You're not specifying the "new" state in any of your input ACCEPT rules,
which means that you're also ACCEPTing invalid packets that don't match
the handful of invalid states you DROPped earlier.
iptables -A OUTPUT -p udp -j DROP
What? Why? Do you like really slow DNS? (If you don't care about your
own lookups, turn the question around. Do you like putting extra load
on your DNS server, impacting service for all of its other users?)
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
These are the same INPUT rules you specified earlier. You probably
meant the OUTPUT chain, but you didn't allow DNS anywhere, so you've
broken the most important service imaginable.
1. The drop commands at the beginning of each chain is for increase
performance.
I understand what you're trying to do, but in the real world, this will
decrease performance.
How secure is this setup? Is there any mistakes or things that I need to
look out for?
It's not great. Use firewalld. Your rules fail to do some things both
correctly and quickly that firewalld gets right. You also don't improve
on firewalld's rule sets in any way.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
