iptables best practices

  • Don’t apply rules one at a time with iptables; build the complete ruleset in iptables-save format and load it atomically with iptables-restore, so the kernel never runs with a half-applied (and possibly more permissive) set of rules.
  • Set your INPUT and FORWARD policy to DROP, so anything you haven’t explicitly allowed is dropped by default.
  • Don’t set your OUTPUT policy to DROP unless you really know what you’re doing: you then have to explicitly allow every outbound flow the host needs, and the one you forget fails in confusing ways.
  • If you’re going to implement a blacklist or whitelist, you should look at using ipsets if that list is going to be more than two or three addresses, and if it might be dynamic.
  • Allow all traffic on lo.
  • ACCEPT traffic in ctstate RELATED,ESTABLISHED (-m conntrack --ctstate RELATED,ESTABLISHED) near the beginning of your rules, so every rule after it only has to deal with new connections.
  • Don’t use iptables -L
  • DON’T USE IPTABLES -L
  • Use iptables-save instead of iptables -L: it prints every rule in every table verbatim, including interfaces and match extensions that -L leaves out, and it doesn’t stall on reverse DNS lookups the way -L does without -n.
  • Don’t use ifconfig or any of the net-tools.
  • Use iproute2 (ip address, ip link, ip route, ip rule, …)
  • Always read the man pages that are installed on the system you’re trying to use the corresponding software on.
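The points above, put together as one ruleset loaded through iptables-restore. This is an added example, not a ruleset from the original page: it assumes a host that only needs SSH reachable from outside, an ipset named blocklist (hash:net) that holds the addresses you want dropped, and the conntrack and set match extensions being available. check_ruleset inspects the generated text before anything touches the kernel, and apply_ruleset (root only) creates the ipset, dry-runs the ruleset with iptables-restore --test, and then commits it.

```shell
#!/bin/sh
# Added example: generate, sanity-check and atomically load an iptables ruleset.
# Assumptions (not from the page): SSH on port 22, an ipset called "blocklist".
SSH_PORT=${SSH_PORT:-22}
BLOCKLIST=${BLOCKLIST:-blocklist}

# Emit the whole filter table in iptables-save format, the input that
# iptables-restore expects. Policies: INPUT/FORWARD DROP, OUTPUT ACCEPT.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m set --match-set ${BLOCKLIST} src -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Check the text before it goes anywhere near the kernel: the policies the
# list above demands, lo accepted, and the RELATED,ESTABLISHED ACCEPT ahead of
# every other INPUT ACCEPT except the lo rule. Returns 0 on success.
check_ruleset() {
  rs=$(gen_ruleset)
  printf '%s\n' "$rs" | grep -qx ':INPUT DROP \[0:0\]' || return 1
  printf '%s\n' "$rs" | grep -qx ':FORWARD DROP \[0:0\]' || return 1
  printf '%s\n' "$rs" | grep -qx ':OUTPUT ACCEPT \[0:0\]' || return 1
  printf '%s\n' "$rs" | grep -q -- '-A INPUT -i lo -j ACCEPT' || return 1
  est=$(printf '%s\n' "$rs" | grep -n -- 'RELATED,ESTABLISHED -j ACCEPT' | cut -d: -f1)
  first=$(printf '%s\n' "$rs" | grep -n -- '-A INPUT .*-j ACCEPT' \
          | grep -v -- '-i lo' | head -n1 | cut -d: -f1)
  [ -n "$est" ] && [ "$est" = "$first" ]
}

# Load the ruleset in one action. Needs root. The ipset must exist before the
# restore, or the "-m set" rule fails and nothing is committed. --test parses
# the ruleset without touching the kernel, so a typo is caught before the
# real load; after that, inspect the result with iptables-save, not iptables -L.
apply_ruleset() {
  check_ruleset || { echo "ruleset failed self-check" >&2; return 1; }
  ipset create "$BLOCKLIST" hash:net -exist || return 1
  gen_ruleset | iptables-restore --test || return 1
  gen_ruleset | iptables-restore
}
```

Addresses can then be added or removed from the set at runtime with ipset add/del without reloading the ruleset, which is exactly the case the ipset point above is about. Run it as `sh rules.sh` to only generate and check, and call apply_ruleset from a root shell when you actually want to load it.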