@tuklusan
Created October 27, 2016 12:03
Simple Starter Iptables with Security: Centos 7 Network Hardening: How to Protect Your Server from Basic Network Attacks using IPTABLES Firewall | http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# ----------------------------
# /etc/sysconfig/iptables
# Basic iptables initial rules for servers
# Protects from common attacks and opens up service ports to incoming connections
#
# See http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
#
# Supratim Sanyal <supratim at riseup dot net>
# ----------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
# ---
# Basic network security - resist IP fragmentation, NULL scan, Christmas Tree and TCP SYN flood attacks - Supratim Sanyal
# See http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# Each "-I INPUT 1" inserts at the top of the chain, so after loading these four rules sit in reverse
# order (the "! --syn" rule first, the fragment rule fourth), all ahead of every "-A INPUT" rule below.
# "-p tcp" loads the tcp match implicitly, which is why --tcp-flags works here without "-m tcp".
# ---
-I INPUT 1 -f -j DROP
-I INPUT 1 -p tcp --tcp-flags ALL NONE -j DROP
-I INPUT 1 -p tcp --tcp-flags ALL ALL -j DROP
# Drops NEW connections that do not begin with a bare SYN; it does not rate-limit SYN packets themselves.
-I INPUT 1 -p tcp ! --syn -m state --state NEW -j DROP
#
# ---
# Accept packets belonging to established connections (i.e. allow return traffic for connections this host initiated, and related traffic such as ICMP errors)
# ---
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# ---
# Allow ICMP (this accepts all ICMP types, not only echo request/reply for ping)
# ---
-A INPUT -p icmp -j ACCEPT
#
# ---
# Allow all traffic on localhost
# ---
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# ---
# Open up incoming connections to servers on this box
# ---
#
# HECNET
-A INPUT -p udp -m udp --dport 4711 -j ACCEPT
#
# SSH
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#
# Proxy Server
-A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT
#
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#
# ---
# Reject all other incoming and forwarding requests
# ---
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
# ---
# The End
# ---
#
COMMIT
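As an added example (not part of the gist), a small Python simulator that replays the INPUT lines above the way iptables-restore places them and then evaluates constructed packets against the resulting chain. It makes the ordering visible (the four "-I INPUT 1" rules end up reversed and ahead of every "-A" rule) and covers only the match options this file uses; the packet fields (proto, dport, state, flags, frag, iface) are simplified assumptions.

```python
import shlex

RULES = """\
-I INPUT 1 -f -j DROP
-I INPUT 1 -p tcp --tcp-flags ALL NONE -j DROP
-I INPUT 1 -p tcp --tcp-flags ALL ALL -j DROP
-I INPUT 1 -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 4711 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"""  # constructed copy of the gist's INPUT lines
ALL = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}
KEYED = {"-p": "proto", "-i": "iface", "--dport": "dport"}  # option -> packet field it tests

def build_chain(text):  # replay -I/-A lines in file order, exactly as iptables-restore does
    chain = []
    for argv in map(shlex.split, text.splitlines()):
        if argv[0] == "-A":
            chain.append(argv[2:])
        elif argv[0] == "-I":  # -I CHAIN [position] rule...; no position means 1
            pos = int(argv[2]) - 1 if argv[2].isdigit() else 0
            chain.insert(pos, argv[3 if argv[2].isdigit() else 2:])
    return chain
def flagset(spec):  # ALL / NONE / comma-separated list, as accepted by --tcp-flags
    return set() if spec == "NONE" else ALL if spec == "ALL" else set(spec.split(","))

def match(rule, pkt):  # target if pkt matches the rule, else None (only the matches this file uses)
    i, neg = 0, False
    while i < len(rule):
        t, ok, step = rule[i], True, 1
        if t == "!": neg, i = True, i + 1; continue
        if t == "-j": return rule[i + 1]  # every earlier condition held
        if t == "-m": step = 2  # module load, no condition of its own
        elif t == "-f": ok = pkt["frag"]
        elif t in KEYED: ok, step = str(pkt[KEYED[t]]) == rule[i + 1], 2
        elif t == "--state": ok, step = pkt["state"] in rule[i + 1].split(","), 2
        elif t == "--syn": ok = pkt["flags"] & {"SYN", "RST", "ACK", "FIN"} == {"SYN"}
        elif t == "--tcp-flags":
            ok, step = pkt["flags"] & flagset(rule[i + 1]) == flagset(rule[i + 2]), 3
        if ok == neg: return None  # condition failed (or a negated one held)
        neg, i = False, i + step
def packet(proto, dport=0, state="NEW", flags=("SYN",), frag=False, iface="eth0"):
    return dict(proto=proto, dport=dport, state=state, flags=set(flags), frag=frag, iface=iface)

def verdict(pkt):  # first matching target wins; unmatched packets get the INPUT policy (ACCEPT)
    return next(filter(None, (match(r, pkt) for r in build_chain(RULES))), "ACCEPT")
```

Passing a packet that matches no rule (for example, with the final REJECT line removed from RULES) shows why the ACCEPT policy on INPUT only holds because of that catch-all rule.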