LinuxQuestions.org


linuxcbon 08-15-2008 07:31 AM

iptable rules, your opinions
 
Hi,

I have these rules for iptables, anything missing or could be improved ?

iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Cheers

jomen 08-15-2008 07:54 AM

First you flush, then you delete, then you "zero" all the chains - why?
Flushing should be enough IMO.

You are restricting yourself a lot by only allowing ports 53, 80 and 443 outgoing. You can only surf that way. No mail. No ftp. Nothing else.

OUTPUT can be fully open IMO.

iptables -A OUTPUT -j ACCEPT

I'd put the INPUT -i lo -j ACCEPT first instead of last (I have...).

linuxcbon 08-15-2008 08:20 AM

Flushing is not enough, it doesn't empty the statistics.
I don't do mail or ftp, that's why I restrict (I use webmail).
Not sure if order of INPUT -i lo is important.
Should I restrict more, like to only eth0 and udp and tcp etc ?

jomen 08-15-2008 08:30 AM

Is more than this even possible?
Out goes only what you allow - In goes only what you initiated.

linuxcbon 08-15-2008 08:43 AM

Yes, more is possible.

win32sux 08-16-2008 04:35 PM

You could improve the three web surfing rules by adding matches for packets in state NEW to them. That way, packets in state INVALID don't get sent to ACCEPT (as they do with your current rules). Also, you might wanna think about whether or not you really need that RELATED match in your INPUT chain. If you don't care about the ICMP error codes which need it then you wouldn't miss it at all. I'd also suggest adding IP matches to the DNS rule, to make sure only your preferred DNS servers are used. Just my :twocents:, can't think of anything else right now.
Code:

iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p UDP --dport 53 -d 208.67.222.222 \
-m state --state NEW -j ACCEPT
iptables -A OUTPUT -p UDP --dport 53 -d 208.67.220.220 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT


jomen 08-16-2008 05:04 PM

Actually, it was more of a rhetorical question, as the setup was already pretty tight.
The state INVALID thing came to my mind but...

linuxcbon 08-16-2008 05:54 PM

This one works ok, with eth0 specified
Code:

iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED  -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p udp --dport 53 -d FAVORITE-DNS -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT


