As part of my security explorations, I created a super simple firewall configuration that rejects everything other than established connections and explicitly allowed services. Such a configuration is a million times better than no firewall. Here's what I have on one of my servers, for example:
# Accept already established connections iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT # Accept any connection to localhost, since many internal # services on my machine communicate this way iptables -A INPUT -d 127.0.0.1 -j ACCEPT # Accept new SSH connections, HTTP, HTTPS, and some service # running on port 28637. iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 28637 -j ACCEPT # Reject everything not listed so far iptables -A INPUT -j REJECT
After I entered these rules, I ran
iptables-persistent to save them to disk and ensure they are
reestablished whenever the machine restarts.
It took 10 minutes to configure this. It's no big deal.
I have services running on this server that should not be accessible from the internet. I'm pretty sure they're all configured to not be accessible from the internet too. But you know, with this firewall, I don't have to be "pretty sure". With the firewall, I can be sure that nothing except the few things I want are accessible from the internet. It's very relieving.