iptables rules for a stand-alone web server
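# Generated by iptables-save v1.4.21 on Fri Jan 22 16:03:24 2016
#
# Packet filter for a stand-alone web server. Load with:
#   iptables-restore < <this-file>
#
# Policy in one sentence: NEW inbound connections are accepted only on
# 22/tcp, 80/tcp and 443/tcp; replies to traffic this host initiated are
# accepted via conntrack (RELATED,ESTABLISHED); everything else reaching
# INPUT or FORWARD is dropped by the trailing rule of each chain. OUTPUT is
# unrestricted.
#
# "-m state" is the legacy spelling of "-m conntrack --ctstate"; it is kept
# here because that is what the generating iptables 1.4.21 emitted.
*filter
# Chain policies stay ACCEPT and the deny is an explicit trailing -j DROP
# rule, so a bare `iptables -F` leaves the host open rather than locking the
# admin out of SSH. If fail-closed on flush is preferred, change the INPUT
# and FORWARD policies to DROP (the trailing rules then become redundant).
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:2136]
# Loopback first: trusted, high-volume, and nothing below is meant for it.
-A INPUT -i lo -j ACCEPT
# Replies to anything this host initiated over tcp or icmp (e.g. ping
# replies). An inbound echo-request is NEW, so outside pings are not answered.
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH management access. ESTABLISHED is already covered by the generic tcp
# rule above; NEW is the part that matters here.
# TODO: add `-s <management-range>` once the admin source networks are known.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Web service: new and continuing connections to 443 and 80.
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Replies to outbound tcp (web fetches, FTP control on 21, DNS over tcp) need
# no per-source-port rules: the generic tcp RELATED,ESTABLISHED rule above
# already accepts them, so the old --sport 443/80/21/53 tcp rules were dead
# and have been dropped. UDP has no generic reply rule, so UDP replies are
# listed per service below.
# DNS replies over udp.
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NTP: outbound sync requests and their replies. The OUTPUT rule is a no-op
# while the OUTPUT policy is ACCEPT but documents intent if OUTPUT is ever
# tightened. These two lines carried a shell "$IPT" prefix in the original,
# which iptables-restore rejects (this file is not a shell script).
-A OUTPUT -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
# Default deny for everything not accepted above; this host does not route.
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
# Completed on Fri Jan 22 16:03:24 2016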