So I have a set of firewall rules ready for a plesk instance on a CentOS6 box.

Can someone explain to me where the various syntax should be placed within a IPtables config. for example like Cisco are Rules read top to bottom with a deny all usually at the end?

Here is my current list -

Is there a better way to order such rules? I'm more concerned about the first part before the specific ports really.

Thanks.

If you can please avoid using web-based management panels. If you do use one then please realize being able to click yes/no buttons does not an admin make. Know the weaknesses of your system, its software and how to avoid or mitigate those.


It may require a bit of reading but there is no iptables tutorial more comprehensive than https://www.frozentux.net/documents/iptables-tutorial/, period. Indeed iptables rules when loaded are parsed first-to-last. (For example 'iptables -t filter -nL --line-numbers' will show the order.)


Couple of things in random order:
- If this is a regular web server then you should not forward traffic so a "-P FORWARD DROP" policy should be enough.
- You already use "--state ESTABLISHED" so also use "-m state --state NEW" to denote new connections.
- Avoid exposing certain ports like MySQL until you need to. When you do, try to limit them to IP addresses or subnets.
- Don't expose Plesk to world and limit it to your management IP (range), period. (Even better would be to use SSH with pubkey auth and tunnel for access.)
- Avoid exposing non-SSL ports like FTP, POP3, IMAP, etc, etc.
- I usually have loopback as the first device (and its allowed always) to get it out of the way. That way you know all other rules apply to all other Ethernet devices unless specified different.
- While having "--state INVALID" in the OUTPUT chain is laudable I'd rather you filter out bogon networks and ports you don't want to see traffic to like IRC, Bittorrent, etc, etc.
- Setting "-m connlimit" on TCP/80 is nice but you forgot TCP/443 and any other services users can access. Note the lower in the stack you can limit potential abuse the less chance it has of "hurting" application layer services.
- Note you can specify multiple ports in one line using "-m multiport --dports 20,21,22" etc, etc. (Yes, you also can combine multiple modules like "-m connlimit something -m multiport something".)

If you've read the frozentux tutorial and dig what I've said re-post your modified rule set.

Thankyou for the comprehensive reply.

I appreciate the control panel advise, however it's handy to have everything under one (web accessible) roof especially as this is only running about 5 personal domains. I definitely need to read up on IPtables without question so will read through the link you supplied when I can.

Can you please elaborate on the first point you mentioned? I understand and have amended my rules to the rest of your advise but am having problems getting the following -

"- If this is a regular web server then you should not forward traffic so a "-P FORWARD DROP" policy should be enough."

Should I remove the following completely -
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT

Can you give me an example with my config what you mean?

Thanks again!

Yes.


I could but that wouldn't allow you to learn anything. So let's do this the other way around: you post your revised rule set based on what I suggested and then I'll correct it. Deal?

Edit the /etc/sysconfig/iptables and put your rules there according "man iptables", then restart the service iptables with "service iptables restart" or install a wizard with "yum install system-config-firewall-tui" then execute "system-config-firewall-tui" and put your rules.

NOTE:

If you use the "system-config-firewall-tui" the rules in "/etc/sysconfig/iptables" will be rewrite so make a backup first.