I have the following set of iptables rules on a system that only has the following few requirements. Meeting those requirements, I'd like to make the iptables setup as restrictive as possible:
- Accept any traffic from $MY_IP_ADDRESS, which is my workstation's IP address
- Ability for this system to use NTP
- Anyone, not just me, should be able to log into SSH
I'm new to iptables but I read and fiddled around until I came up with the following rules. I'm pretty sure it's not the best setup, and I'm wondering if you can help me improve it. As an example, the last line in the following rules makes the 2nd and 3rd lines redundant. But if I remove it, then other stuff breaks...
iptables -A INPUT -p udp --dport 123 -j ACCEPT # ntp
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $MY_IP_ADDRESS -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # ssh
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT # ntp
iptables -A OUTPUT -j ACCEPT # too open...
How can I get away with removing the last line? And how can I improve on this setup?