I believe the --state NEW in the corresponding entry is superfluous.
Your rules may be more or less secure but there are some things missing that would allow you internet access from the machine at all. Let me show you what I consider a standard setup (not that this could not be found on a thousand sites):
root@gw:~# cat /etc/iptables.up.rules
# Generated by iptables-save v1.4.14 on Sun Nov 2 15:08:43 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:2778]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTFW "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Nov 2 15:08:43 2014
For SSH access add a rule just like for port 80 right after the port 80 rule.
For FTP access you obviously need the respective ports open, and don't forget to load the necessary kernel modules for FTP connection tracking (on Debian nf_nat_ftp or nf_conntrack_ftp depending on your requirements).
What exactly I am doing here:
- Allow ping requests (ICMP type 8), won't hurt, maybe remove on hosts that should not be visible at first glance
- Then accept traffic on the loopback interface, otherwise some stuff local to the server may stop working.
- Allow the ports that you'd like people to access, optionally add an incoming interface using the -i parameter in case you have multiple interfaces.
- Allow all replies to connections requested by the machine itself, otherwise you can never generate any outgoing connection, not even DNS or anything from the machine, very probably getting into trouble with some services.
- Finally, before rejecting, you should log what will be rejected. I prefer to reject instead of dropping since that is a clear message. Again (like the reasoning with the ping above), if you'd like to be more "stealth" then just drop, but that's of no real use.
- Don't forget to also set the policy of the INPUT chain to DROP (and make sure you don't lock yourself out while doing that.)
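As an added example (not part of the answer above, and not an iptables tool), the following Python script parses iptables-save text and checks the filter/INPUT chain for the points the answer lists: INPUT policy DROP, a loopback ACCEPT and a RELATED,ESTABLISHED ACCEPT ahead of the catch-all rule, a LOG rule before the final REJECT/DROP, and a `--state NEW` that the answer calls superfluous. Running it on a saved ruleset before `iptables-restore` is a cheap way to catch the omissions that cut off outgoing connections or local services. Both rulesets embedded below are constructed: the first is the answer's own ruleset, the second a deliberately incomplete one.

```python
import shlex
from typing import Dict, List

# Constructed sample 1: the ruleset shown in the answer above.
GOOD_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:2778]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTFW "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed sample 2: an incomplete ruleset with the omissions the answer warns about.
BAD_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


def parse_iptables_save(text: str) -> Dict[str, dict]:
    """Parse iptables-save output into {table: {"policy": {chain: policy}, "rules": [...]}}.
    Each rule is {"chain": str, "args": [tokens]} with the leading '-A CHAIN' removed."""
    tables: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A "):
            tokens = shlex.split(line)  # keeps the quoted --log-prefix as one token
            tables[current]["rules"].append({"chain": tokens[1], "args": tokens[2:]})
    return tables


def _target(args: List[str]) -> str:
    return args[args.index("-j") + 1] if "-j" in args else ""


def _has(args: List[str], *needle: str) -> bool:
    """True if the tokens in `needle` appear consecutively in args."""
    n = len(needle)
    return any(tuple(args[i:i + n]) == needle for i in range(len(args) - n + 1))


def _accepts_established(args: List[str]) -> bool:
    """Matches both '-m state --state ...' and '-m conntrack --ctstate ...' forms."""
    for i, tok in enumerate(args[:-1]):
        if tok in ("--state", "--ctstate"):
            if {"RELATED", "ESTABLISHED"} <= set(args[i + 1].split(",")):
                return True
    return False


def _is_catch_all(args: List[str]) -> bool:
    """An unconditional REJECT/DROP: no match options before -j."""
    return len(args) >= 2 and args[0] == "-j" and args[1] in ("REJECT", "DROP")


def audit_input_chain(text: str) -> List[str]:
    """Return findings for filter/INPUT; an empty list means all checks pass."""
    findings: List[str] = []
    filt = parse_iptables_save(text).get("filter")
    if filt is None:
        return ["no *filter table found"]
    policy = filt["policy"].get("INPUT")
    if policy != "DROP":
        findings.append("INPUT policy is %s, expected DROP" % policy)
    rules = [r["args"] for r in filt["rules"] if r["chain"] == "INPUT"]
    catch_all = next((i for i, a in enumerate(rules) if _is_catch_all(a)), len(rules))
    before = rules[:catch_all]  # only rules ahead of the catch-all can ever match
    if not any(_has(a, "-i", "lo") and _target(a) == "ACCEPT" for a in before):
        findings.append("no ACCEPT for loopback (-i lo) before the catch-all rule")
    if not any(_accepts_established(a) and _target(a) == "ACCEPT" for a in before):
        findings.append("no ACCEPT for RELATED,ESTABLISHED before the catch-all rule")
    if catch_all == len(rules):
        findings.append("no catch-all REJECT/DROP at the end of INPUT, so nothing is logged")
    elif not any(_target(a) == "LOG" for a in before):
        findings.append("nothing is logged before the catch-all rule")
    for a in rules:
        if _has(a, "--state", "NEW") and _target(a) == "ACCEPT":
            findings.append("--state NEW is superfluous in: %s" % " ".join(a))
    return findings


if __name__ == "__main__":
    for name, ruleset in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_input_chain(ruleset) or ["OK"])
```

To check a live box, feed it `iptables-save` output (e.g. `audit_input_chain(open("/etc/iptables.up.rules").read())`) before loading the rules, especially over SSH where a missing RELATED,ESTABLISHED rule means locking yourself out.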