I’m not 100% sure if this is correct in a security sense, but thought I’d post this. For my web/database servers, it’s a pretty basic setup really. Drop all inbound packets not specifically allowed, and allow all outbound unless specifically denied.
Open for comment / feedback. It’s, for all intents and purposes, pretty secure in my opinion. The only thing making it more secure would be dropping all outbound packets and specifically allowing traffic outbound, which might be the next thing I will work on.
[root@web ~]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source           destination
BLACKLIST  all  --  anywhere         anywhere         state INVALID,NEW,UNTRACKED
ACCEPT     all  --  anywhere         anywhere         state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere
ACCEPT     tcp  --  anywhere                          tcp multiport dports squid,webcache
ACCEPT     tcp  --  anywhere         anywhere         tcp multiport dports http,https
ACCEPT     tcp  --  anywhere         anywhere         tcp dpt:ssh
ACCEPT     tcp  --  anywhere         anywhere         tcp dpt:domain
ACCEPT     udp  --  anywhere         anywhere         udp dpt:domain
ACCEPT     tcp  --  anywhere         anywhere         tcp dpt:ndmp
ACCEPT     icmp --  anywhere         anywhere         icmp echo-request
ACCEPT     tcp  --  anywhere                          tcp dpt:nrpe

Chain FORWARD (policy ACCEPT)
target     prot opt source           destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source           destination

Chain BLACKLIST (1 references)
target     prot opt source           destination
LOG        all  --  anywhere         anywhere         LOG level warning
DROP       all  --  124.115.4.0/24   anywhere
DROP       all  --  91.201.66.0/24   anywhere
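Added example, not the poster's own ruleset: the same default-DROP INPUT policy written out as an iptables-restore file, plus the "drop all outbound, allow-list what the box needs" step the post mentions as the next piece of work. Assumptions and changes made here: the service names in the listing are resolved to their /etc/services ports (squid 3128, webcache 8080, ndmp 10000, nrpe 5666); `-m conntrack --ctstate` is used in place of the older `-m state --state`; INVALID packets are dropped outright instead of being sent to the log chain; the LOG rule is rate-limited with `-m limit`, which the original listing does not do; FORWARD is set to DROP since a web/database host is not a router; and `RESOLVER` is a placeholder that should be set to the server's real DNS resolvers rather than left at 0.0.0.0/0.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables-restore ruleset
# with default-deny INPUT and OUTPUT.  RESOLVER is a placeholder; set it to the
# real resolver address(es), e.g. RESOLVER=192.0.2.53/32, to avoid open port 53 out.
RESOLVER="${RESOLVER:-0.0.0.0/0}"

gen_ruleset() {
    cat <<EOF
*filter
# Default-deny in and out; this host does not route, so FORWARD is DROP as well.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BLACKLIST - [0:0]
:OUT_LOG - [0:0]

# --- INPUT ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only genuinely new connections reach the block/log chain.
-A INPUT -m conntrack --ctstate NEW -j BLACKLIST
# Services from the post's listing: squid/webcache, http/https, ssh, dns, ndmp, nrpe.
-A INPUT -p tcp -m multiport --dports 3128,8080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 10000 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 5666 -j ACCEPT

# --- BLACKLIST: drop the listed networks first, then log new connections (rate-limited) ---
-A BLACKLIST -s 124.115.4.0/24 -j DROP
-A BLACKLIST -s 91.201.66.0/24 -j DROP
-A BLACKLIST -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-IN-NEW: " --log-level warning

# --- OUTPUT: allow-list, then log what gets dropped so missing rules show up in syslog ---
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p udp -d ${RESOLVER} --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${RESOLVER} --dport 53 -j ACCEPT
# Package updates / web fetches, time sync, outbound ping.
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -j OUT_LOG
-A OUT_LOG -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-OUT-DROP: " --log-level warning
-A OUT_LOG -j DROP
COMMIT
EOF
}

# Syntax-check the generated ruleset without loading it (needs iptables installed,
# and typically root).  Load for real with: gen_ruleset | iptables-restore
check_ruleset() {
    gen_ruleset | iptables-restore --test
}

case "${1:-}" in
    print) gen_ruleset ;;
    check) check_ruleset ;;
esac
```

Usage: `sh fw.sh print` shows the ruleset, `sh fw.sh check` runs it through `iptables-restore --test`. When moving OUTPUT to a DROP policy on a live box, load the ruleset with the OUT_LOG chain in place first and watch syslog for `FW-OUT-DROP:` lines for a day or so; anything the server legitimately needs (mail relay, monitoring pushes, the database replication peer) will show up there as a missing allow rule rather than as a silent outage.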