CentOS iptables config
#DigitalOcean VPSs usually come with an empty configuration: all traffic is allowed. To make sure of this, we can flush the firewall rules, that is, erase them all:
iptables -F
#We can then add a few simple firewall rules to block the most common attacks and protect our VPS from script-kiddies. We can't really count on iptables alone to protect us from a full-scale DDoS or similar, but we can at least deter the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we start with blocking null packets.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#We told the firewall to take all incoming TCP packets with no flags set (NONE) and just DROP them. Null packets are, simply said, recon packets: attackers use them to try and see how we configured the VPS and find weaknesses. The next pattern to reject is a SYN-flood attack.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#A SYN-flood attack means that the attackers open a new connection but do not state what they want (i.e. SYN, ACK, whatever). They just want to take up our server's resources. We won't accept such packets: this rule drops any packet that starts a NEW connection without being a SYN. Now we move on to one more common pattern: XMAS packets (all flags set), another kind of recon packet.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#Allow PING (ICMP echo request, type 8) from one IP address:
iptables -I INPUT -p icmp --icmp-type 8 -s [ipaddress] -j ACCEPT
#Now we can start adding selected services to our firewall filter. The first is the loopback interface, so local services can talk to each other:
iptables -A INPUT -i lo -j ACCEPT
#Now we can allow web server traffic:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#We added two ACCEPT rules for the web ports (HTTP port 80 and HTTPS port 443), allowing traffic in on those ports. Now, let's allow users to use our SMTP servers:
#iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
#As stated before, if we can influence our users, we should rather use the secure version, but often we can't dictate the terms and the clients will connect using port 25, from which passwords are much easier to sniff. We now proceed to allow the users to read email on their server:
#iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
#Those two rules will allow POP3 traffic. Again, we could increase the security of our email server by using only the secure version of the service. Now we also need to allow the IMAP mail protocol:
#iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
#We should also allow SSH traffic, so we can connect to the VPS remotely. The simple way to do it would be with this command (open to any source):
# ALL traffic
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# single ip
iptables -A INPUT -p tcp -s [ipaddress] -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s [another (local network) ipaddress] -m tcp --dport 22 -j ACCEPT
#We could open more ports on our firewall as needed by changing the port numbers. That way our firewall will allow access only to services we want. Right now, we need to add one more rule that will allow us to use outgoing connections (e.g. ping from the VPS or run software updates):
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#It is inserted at the top of the chain (-I) and lets replies to connections the VPS itself established come back in from the other side of that connection. When we have it all set up, we block everything else on INPUT and allow all outgoing connections.
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables-save | sudo tee /etc/sysconfig/iptables
service iptables restart
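An added example, not part of the gist, that audits the saved /etc/sysconfig/iptables for the properties the rule set above is meant to give: INPUT policy DROP, loopback and ESTABLISHED,RELATED accepts present, SSH accepted only with a -s source restriction, and none of the cleartext mail ports (25, 110, 143) open. The dump is constructed to match what iptables-save writes after the commands above; 203.0.113.10 is a documentation address standing in for [ipaddress].

```python
import re

# Constructed sample of /etc/sysconfig/iptables after the commands above, as
# iptables-save writes it (--tcp-flags ALL NONE is expanded, -I rules sit on top).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Ports the gist leaves commented out because they carry credentials in cleartext.
CLEARTEXT_PORTS = {"25": "SMTP", "110": "POP3", "143": "IMAP"}


def parse_filter(dump):
    """Return (chain policies, INPUT rules) from the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(line)
    return policies, rules


def audit(dump):
    """Return a list of findings; an empty list means the dump matches the intended posture."""
    policies, rules = parse_filter(dump)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP: unlisted ports stay reachable")
    if not any("-i lo " in r and r.endswith("-j ACCEPT") for r in rules):
        findings.append("no loopback ACCEPT rule: local services will break")
    if not any("ESTABLISHED" in r and r.endswith("-j ACCEPT") for r in rules):
        findings.append("no ESTABLISHED,RELATED ACCEPT: replies to outgoing connections are dropped")
    for r in (r for r in rules if r.endswith("-j ACCEPT")):
        port = re.search(r"--dport (\d+)", r)
        if port and port.group(1) == "22" and " -s " not in r:
            findings.append("SSH (22) accepted from any source; restrict it with -s")
        if port and port.group(1) in CLEARTEXT_PORTS:
            findings.append(f"{CLEARTEXT_PORTS[port.group(1)]} on {port.group(1)} is cleartext; prefer the TLS port")
    return findings
```

Run `audit(open("/etc/sysconfig/iptables").read())` on the VPS after `iptables-save`; an empty list means the ruleset still has the shape the commands above intend.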