LinuxQuestions.org
Old 02-13-2007, 02:33 PM   #1
neocontrol
Do I need a firewall?


I think I need a firewall for my one server. But thinking about it, I'd like to ask a few questions first.

I only have 3 services out there that people can see running with nmap and nessus. Those being port 22, 80, 443.

All of these ports I want open and out there. Is there any real reason why I would want to put up a firewall anymore?

The only reason I can think of would be to just drop the other packets that will get eventually sent toward my server. Better safe than sorry I guess.

Any other reasons? Is it possible for attackers to launch attacks / exploits when there isn't any other listening ports and services?

May as well ask the final question. How do I write the file to use iptables to drop all but these 3 ports?

Many thanks to any insight you guys can give.
 
Old 02-13-2007, 02:41 PM   #2
billymayday
Yes, and have a look at http://iptables-tutorial.frozentux.net/
 
Old 02-13-2007, 02:52 PM   #3
MS3FGX
Quote:
Any other reasons? Is it possible for attackers to launch attacks / exploits when there isn't any other listening ports and services?
The short answer is no: if there is no listening service, there is no possibility for exploitation (beyond some sort of exploit in the actual TCP/IP stack).

So if you are running a machine that is only running one service, technically a firewall will not be blocking anything. But there is more to a firewall than simply blocking incoming traffic.

The firewall can also block outgoing traffic, to prevent any sort of trojan from being able to call out from your server. It can also be used to blacklist IPs that have been running port scans against your system, so that you can preemptively block out any possible attacks.

You can even set up your firewall to accept and slow down packets on all ports, so that if a person attempts a port scan, it will take an extremely long time and only return them garbage data saying that all ports are open.

Beyond that, you can also create separate security zones with different rules and policies. That is a bit out of the scope of what you are asking about here though.

So there is a lot you can do with an IPTables firewall beyond just closing off some ports. While they might not be high on your list of priorities, a truly secure system will combine all of these small features into a formidable barrier.

As for writing the firewall rules, you basically have two options. You can research online and write your own IPTables rules and create your own firewall script, or you can use software to create it for you. Software like Firewall Builder, Firestarter, Guarddog, etc.
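The "drop all but these 3 ports" script neocontrol asked for in #1, as an added example (not code from the thread or from any of the tools MS3FGX names): it prints a default-deny ruleset in iptables-restore format so it can be reviewed before loading. The file name fw.sh and the path /etc/iptables.rules are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: print a default-deny iptables
# ruleset that exposes only the listed TCP ports, in iptables-restore
# format, so it can be reviewed before it is loaded.
# Usage (file name and path are assumptions):
#   sh fw.sh 22 80 443 > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules      # as root
# OUTPUT stays open here; restricting it (MS3FGX's point about trojans
# calling out) is a later tightening of the OUTPUT chain.

# gen_rules PORT... -> ruleset on stdout; fails on a non-numeric port
gen_rules() {
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'     # policy: drop what no rule accepts
    printf '%s\n' ':FORWARD DROP [0:0]'   # this box is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback stays open, or local services talking to themselves break
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # packets of connections already accepted (or opened by the server
    # itself) pass; what the connection tracker calls INVALID does not
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # one ACCEPT per published service, new connections only
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # rate-limited log of what the policy drops, so scans show up in syslog
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# accepted_ports (ruleset on stdin) -> the ports with an ACCEPT rule, one per line
accepted_ports() {
    awk '/--dport/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Load it from a console or with a fallback timer the first time: a typo in the port list locks you out of ssh along with everything else.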
 
Old 02-13-2007, 03:01 PM   #4
neocontrol
I've used firewall builder before with pretty good results. But then, I had a lot more services, and more reasons to keep people out.

I just wanted to learn how to do it myself, instead of depending on the software to do it.
 
Old 02-13-2007, 03:16 PM   #5
anomie
This is something of a philosophical question, IMO. Do you need a firewall in this situation? Perhaps not. I don't think running iptables/netfilter would hurt anything, though.

Also...

I have to question the wisdom of having sshd listening to the world on a web server. Even if you're not going to run a firewall, at least restrict access using pubkey authentication (and shut off other authentication forms) and tcp_wrappers.
 
Old 02-13-2007, 03:24 PM   #6
neocontrol
I agree about the ssh listening to the world. I don't like it myself. If I COULD, I'd like to set firewall rules to accept ssh connections from only certain IPs. But for now, until we get some static IPs for the few users who log in, we have to have it wide open.

I do have a very strict password policy: you have to change passwords every 30 days or you're locked out, and they have to be a minimum of 10 characters long, with a combination of numbers, special characters, and upper/lower case. I only allow specified users to log in through ssh as well. Am I missing anything else on this one?
 
Old 02-13-2007, 03:30 PM   #7
anomie
The problem with any password authentication (even strong passwords that get changed at regular intervals) is that it's single-factor and can be attacked by brute force a lot more easily.

I really recommend going with pubkey authentication -- even if it means your users will need to carry around their private keys on a USB jump drive because they work from different machines.

A physical key + passphrase makes it a hell of a lot harder to get in. Script kiddies will pass you by and even a determined attacker will have a challenge.

There are lots of tutorials on the web for setting up pubkey authentication. If you're interested, search the forum for tips or (if you'd like) start a thread on that.
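An added example (not from the thread) that checks whether an sshd_config actually enforces what anomie recommends in #5 and #7 and what neocontrol describes in #6 (key-only logins, a restricted user list); the two sample configs are constructed, the set of checks is my own choice, and tcp_wrappers is not covered.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings anomie recommends (key-only logins, an explicit user list) plus
# no root logins. sshd takes the FIRST value it meets for a keyword, so a
# hardened line appended below an earlier permissive one is silently
# ignored; the parser below mimics that rule and stops at any Match block.

# sshd_effective KEYWORD FILE -> first active value, lowercased ("" if unset)
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # only the global section counts here
        tolower($1) == key     { print tolower($2); exit }
    ' "$2"
}

# sshd_findings FILE -> one line per weak setting (nothing when hardened)
sshd_findings() {
    [ "$(sshd_effective PasswordAuthentication "$1")" = no ] ||
        echo "PasswordAuthentication is not 'no': single-factor, brute-forceable"
    [ "$(sshd_effective ChallengeResponseAuthentication "$1")" = no ] ||
        echo "ChallengeResponseAuthentication is not 'no': a second password path"
    [ "$(sshd_effective PubkeyAuthentication "$1")" != no ] ||
        echo "PubkeyAuthentication is disabled"
    [ "$(sshd_effective PermitRootLogin "$1")" = no ] ||
        echo "PermitRootLogin is not 'no'"
    [ -n "$(sshd_effective AllowUsers "$1")" ] ||
        echo "AllowUsers is unset: every local account may attempt an ssh login"
}

# sshd_weak_count FILE -> number of findings
sshd_weak_count() { sshd_findings "$1" | awk 'END { print NR }'; }

# constructed sample configs, not copied from any real server
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# stock settings: password logins open to the world
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication yes
EOF
echo "weak config:"; sshd_findings "$WEAK"
echo "hardened config: $(sshd_weak_count "$HARD") finding(s)"
```

The last line of the hardened sample is the trap the top comment describes: sshd ignores it because the earlier PasswordAuthentication line wins.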
 
Old 02-13-2007, 03:35 PM   #8
neocontrol
Yea, that makes a lot of sense too. I'll look into that next.
 
  

