How to improve IP tables for web server

Question

this is my curreny /etc/sysconfig/iptables file for a webserver that must allow http, ftp and ssh access.

*filter
:INPUT ACCEPT [31395:4050333]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [30540:7083959]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I'm just starting to learn on how to configure a linux firewall. From what I've read that setup pretty much covers my server's needs. Still, a few questions remain:

1. Can the security be tighten a little more?

2. Are the :INPUT ACCEPT and :OUTPUT ACCEPT value ranges ok?

Answer 1

To answer the question "Can the security be tighten a little more", let me refer you to the following community wiki:

iptables Tips & Tricks

Answer 2

I believe the --state NEW in the corresponding entry is superfluous.

Your rules may be more or less secure but there are some things missing that would allow you internet access from the machine at all. Let me show you what I consider a standard setup (not that this could not be found on a thousand sites):

root@gw:~# cat /etc/iptables.up.rules
# Generated by iptables-save v1.4.14 on Sun Nov  2 15:08:43 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:2778]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTFW "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Nov  2 15:08:43 2014

For SSH access add a rule just like for port 80 right after the port 80 rule.

For FTP access you obviously need the respective ports open, and don't forget to load the necessary kernel modules for FTP connection tracking (on Debian nf_nat_ftp or nf_conntrack_ftp depending on your requirements).

What exactly I am doing here:

• Allow ping request (ICMP type 8), won't hurt, maybe remove on hosts that should not be visible at first glance
• Then accept traffic on the loopback interface otherwise some stuff local to the server may stop working.
• Allow the ports that you'd like people to access, optionally add an incoming interface using the -i parameter in case you have multiple interfaces.
• Allow all replies to connections requested by the machine itself, otherwise you can never generate any outgoing connection, not even DNS or anything from the machine, very probably getting into trouble with some services.
• Finally, before rejecting, you should log what will be rejected. I prefer to reject instead of dropping since that is a clear message. Again (like the reasoning with the ping above), if you'd like to be more "stealth" then just drop, but that's of no real use.
• Don't forget to also set the policy of the INPUT chain to DROP (and make sure you don't lock yourself out while doing that.)