our production systems reside on a pretty secure network architecture, therefore there are no filters defined in iptables.

So does iptables even need to be running or is it just taking up resource for nothing?

iptables use very low resource but if you start it without any configuration is useless because for default everything is open.
For me i think is always preferable use a customize iptables.

May be this approach is good i mean drop all INPUT and FORWARD traffic and accept whatever the port that you need.

I don't know what "pretty secure network" means. Do you "guess" it's "pretty secure"? Is it located behind a router with good ACLs? Or three subnets deep behind two firewalls?


Single point of failure mean a thing? Ask yourself what could help you determine the security posture of your servers when the routers ACLs get (inadvertently) dropped (you know, "maintenance")? What could help you limit traffic to a certain port?

1 members found this post helpful.

good security comes in layers

so that makes me doubt statement one.

No, it doesn't need to be running, in the same way that you don't need security, you don't need to keep your data safe and you don't need to have access to the outside world. Might still be useful, though.

You can usually define simple, low impact, rulesets that give a measure of protection, that while they might not be what you would want in a server facing the big bad internet, offer an additional level of protection and logging that should be seen as desirable.

BTW, even logging spurious traffic can give early warning of things going awry; which would you rather do, know early or wait until the problem is a crisis?

1 members found this post helpful.