LinuxQuestions.org - Linux - Security
iptables for dedicated www server (one nic) (https://www.linuxquestions.org/questions/linux-security-4/iptables-for-dedicated-www-server-one-nic-130672/)

ridertech 01-01-2004 06:44 PM

iptables for dedicated www server (one nic)
 
I'm building up from a clean install and was wondering if the rules listed below are secure for a dedicated web server (only one nic). First time and just wanted to confirm...

# DROP everything by policy
iptables -p INPUT DROP
iptables -p OUTPUT DROP
iptables -p FORWARD DROP

# ACCEPT all internal traffic on loopback
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -i lo

# ACCEPT HTTP
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -dport 80 -j ACCEPT

# ACCEPT HTTPS
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -dport 443 -j ACCEPT

# ACCEPT SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --sport 22 -j ACCEPT

I also see a future need for FTP, but I've read that it is not a good idea. Any input on that subject as well would be appreciated.

Technoslave 01-02-2004 03:50 AM

Personally:

iptables -P INPUT DROP

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT

But if you like your way better...

Also, just a note: on the drops you have up front, those need to be a capital P, not lower case.

apeekaboo 01-02-2004 04:45 AM

ridertech:
Do you need outbound ssh/http/https?
Otherwise you could skip that as well.

As a replacement for ftp I suggest you use sftp which is included in the ssh suite.
Although this will not work if you're planning on setting up an anonymous ftp server (which is usually a bad idea on any server running anything but just the ftp daemon).

I've seen a php script called Jabba's PHP Traverser, which gives read access via a web interface, to directories of your choice.
I have no idea if this is a secure solution, but it might be a good idea to check it out if only read access is required...

stickman 01-02-2004 07:21 AM

In addition, you may want to filter your incoming SSH connections to just the sites that you will be connecting from. Right now anyone with a client can make an attempt to login.

ridertech 01-02-2004 10:27 PM

Thanks, I started over with a completely open firewall, then added the following...

iptables -P INPUT DROP

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 888.888.888.888 -j ACCEPT

iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

What do I need to add to be able to use apt-get? It currently just hangs when trying to connect.

ridertech 01-02-2004 10:45 PM

Also, I've been seeing examples of scripts that setup the firewall upon boot, rather than entering these rules in line by line. Assuming that the syntax is the same, where do I put the file and how does the script get run? What happens if the script is not found for some reason, will the firewall be completely open?

Technoslave 01-03-2004 12:46 AM

Here's a link to an old iptables setup I had.

I never liked the initial config file for iptables; it was always hard to read, so I created this. I have it residing in /etc/init.d and it's called iptables, so that way I didn't have to create any link to actually start it up. Otherwise you'll have to make a link as per a normal startup script.

Anyway, if you have any questions about it, let me know.

jerky 01-03-2004 02:12 AM

You can just make a script with all your iptables lines in it, and then add a reference to your script in your rc.local. Personally I like doing it this way, because it gets run last, and you know exactly what's been loaded and when.
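The thread leaves two of ridertech's questions open: why apt-get hangs behind `-P INPUT DROP` (no rule lets the reply packets back in), and what to put in the boot-time script. The following is an added example, not code posted by anyone in the thread. It builds the ruleset for a single-NIC web server in iptables-restore format and loads it in one atomic step, so there is no window during boot where only some rules are present. It uses the `conntrack` match, which on current kernels replaces the older `-m state` module that 2004-era systems would have used; the admin network 203.0.113.0/24 (an RFC 5737 documentation range) and the `--apply` flag are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: stateful iptables ruleset for a dedicated, single-NIC
# web server, loaded atomically with iptables-restore.
# Assumptions (not from the thread): the admin CIDR 203.0.113.0/24 is a
# documentation-range placeholder; replace it with the network you
# actually administer from before using --apply.

set -eu

# Emit the whole ruleset in iptables-restore format.
# $1: CIDR allowed to open SSH sessions. Policies are DROP, so anything
# not listed here is silently discarded.
build_rules() {
    admin_net=${1:?usage: build_rules ADMIN_CIDR}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback in both directions (-i is for INPUT, -o for OUTPUT)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections we already track: this is what lets
# apt-get's downloads, DNS answers and our own HTTP replies get through
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services this host offers to the world
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the admin network (stickman's suggestion)
-A INPUT -p tcp --dport 22 -s ${admin_net} -m conntrack --ctstate NEW -j ACCEPT
# outbound connections the host itself needs: DNS and HTTP(S) for updates
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Replace the filter table in one step (requires root).
apply_rules() {
    build_rules "$1" | iptables-restore
}

# Number of rules that accept NEW connections: a quick sanity check that
# only the intended ports are exposed.
count_new_accepts() {
    build_rules "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

case ${1:-} in
    --apply) apply_rules "${2:?admin CIDR required}" ;;
    *)       build_rules "${1:-203.0.113.0/24}" ;;
esac
```

Run it with no arguments to review the generated ruleset, and with `--apply 203.0.113.0/24` (as root) to load it; from an init.d script or rc.local, call it the same way. On the "what if the script is not found" question: the kernel's built-in policy for every chain is ACCEPT until something changes it, so a host whose firewall script never runs is wide open. That is why the policies are set inside the same atomic restore rather than left to a separate command that might not run. Test the SSH restriction from a second session or console before logging out, since a typo in the admin CIDR locks you out.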
