I am setting up a server as a secure gateway to permit access to our servers. It is replacing an old BSD box and I want to make sure it is secure. Thus far I have configured iptables as below. Is this secure enough? Should I be putting in source and destination IPs for everything I can? Anything I might need and have missed? Anything to secure it further?
Code:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow unlimited traffic on loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
## Permit connections only on port notPort22
-A INPUT -p tcp -s 0/0 --sport 513:65535 --dport notPort22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -d 0/0 --sport notPort22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
## Permit connections only on port 22
-A OUTPUT -p tcp -s ServersIP -d ServerIPRanges --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -d ServersIP -s ServerIPRanges --sport 22 -m state --state ESTABLISHED -j ACCEPT
##Allow DNS Resolution - ISS Specific servers
-A OUTPUT -p udp -s ServersIP --sport 1024:65535 -d PrimaryDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -s PrimaryDNS --sport 53 -d ServersIP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s ServersIP --sport 1024:65535 -d PrimaryDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s PrimaryDNS --sport 53 -d ServersIP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -s ServersIP --sport 1024:65535 -d SecondaryDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -s SecondaryDNS --sport 53 -d ServersIP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s ServersIP --sport 1024:65535 -d SecondaryDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s SecondaryDNS --sport 53 -d ServersIP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
##Allow DNS Resolution - Any server
#-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
##Allow yum and any returning connection for yum
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 20 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##SMTP for mail
-A OUTPUT -p tcp --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 25 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
##rsyslog
-A OUTPUT -p udp --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
##allow ntp
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
## Do not permit incoming or outgoing connections.
## Note: Blocking outgoing connections will stop the host from being able to send rejection messages.
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
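Added example, not code from the original post: a small shell lint over an iptables-save ruleset that flags the three things a reviewer would check first in a configuration like the one above (built-in chains left at policy ACCEPT, INPUT rules that accept NEW connections from any source, and ACCEPT rules with no conntrack state match such as the NTP pair). The ruleset embedded in it is a constructed excerpt modelled on the question's, with port 2222 standing in for the poster's redacted "notPort22".

```shell
#!/bin/sh
# Added example (not from the original post): lint an iptables-save ruleset
# for the checks a bastion reviewer does first. RULES is a constructed
# excerpt modelled on the question's ruleset; 2222 stands in for notPort22.

RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 0/0 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT'

# Prints one finding per line: a tag followed by the chain or offending rule.
audit_rules() {
  printf '%s\n' "$1" | awk '
    # 1. Built-in chain whose default policy is ACCEPT: if the rules are ever
    #    flushed (restart, bad edit) the trailing "-j DROP" lines vanish too
    #    and the host is wide open. A DROP policy fails closed instead.
    /^:(INPUT|FORWARD|OUTPUT) ACCEPT/ {
      sub(/^:/, ""); print "POLICY    " $1 " defaults to ACCEPT; use DROP"
    }
    # 2. INPUT rule that accepts NEW connections with no source restriction
    #    (no -s at all, or the catch-all -s 0/0).
    /^-A INPUT / && /NEW/ && /-j ACCEPT/ {
      anysrc = 1
      for (i = 1; i <= NF; i++)
        if ($i == "-s" && $(i+1) !~ /^(0\/0|0\.0\.0\.0\/0)$/) anysrc = 0
      if (anysrc) print "OPEN      " $0
    }
    # 3. ACCEPT rule with no state match (loopback excepted): any packet that
    #    matches the ports is let through, e.g. any UDP with source port 123.
    /^-A (INPUT|OUTPUT) / && /-j ACCEPT/ && !/--state/ && !/ -[io] lo / {
      print "STATELESS " $0
    }'
}

# Number of findings; 0 means the three checks above are clean.
count_findings() {
  audit_rules "$1" | grep -c .
}

audit_rules "$RULES"
echo "findings: $(count_findings "$RULES")"
```

Point it at a real file with `audit_rules "$(cat /etc/sysconfig/iptables)"`; a clean result only means these three checks pass, not that the ruleset is correct.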