So more and more at work I'm working with iptables. I'm having to modify existing rules along with implementing brand new rules for new servers.

I'm wondering what are best practices for setting up new iptables firewall rules, other then say allow ssh and icmp traffic.

thanks

You're welcome to read my blog post on my take of using iptables. In general, your question is too vague to get an effective answer. "Best practices" for iptables are best practices on security and networking. Limit the scope as to who can talk to the system. The rules will vary depending on the type of system it is. Requirements for a system change based on what it does (e.g. PCI compliance). Perhaps, asking a more pointed question will get you a more useful answer.

There is no such thing as best practices for creating iptables rules. A best practice is what the above post states, principle of least privilege.

However, I recommend you two things to bear in mind. First, always follow the same structure on your rules, and second, make use of the states. For example, you may not want new incoming connections to be accepted, only those established and related.

In addition to what sag47 wrote in his web log post about using 'iptables-restore' note you can also easily test a temporary rule set and revert back to a state after a period of time.

First make a backup before making changes to the current rule set:
Now modify your rule set and before you reload it execute this:
which will restore your previously saved rule set in 5 minutes.

*On the subject of testing: the easiest way to test a rule set is to watch counters and intersperse your rule set with "-j LOG" rules before any jumps. That way you can see what hits the filter (or not).


As for the "best practices" I agree: apart from iptables-sepcific best practices (see frozentux) a firewall comprises of more than "plain" blocking ports (source and state filters, rate limiting, ipset buckets to name a few) and therefore should be based on not only what services a machine provides but more than that on what your hardening regime dictates in terms of network policies, access restrictions, auditing rules, etc, etc.


**More detailed questions are welcome, but note that would start with you posting more detailed information.