Ideal Firewall Policy Advice

Hey, I have gone through some online resources and have finally come up with a firewall policy. Can you take a look at this one and see if it looks like a decent one? No hurry.

# Generated by iptables-save v1.4.21 on Mon May 30 21:46:58 2016
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 80 --state NEW -j DROP  --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 80 --state NEW  --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp -m state ! --tcp-flags FIN,SYN,RST,ACK SYN --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp -m limit --tcp-flags RST RST --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent -j DROP  --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource
-A INPUT -m recent  --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp -s 213.130.115.218/32 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -s 213.130.115.218/32 --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp -s 213.130.115.218/32 --dport 22090 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent -j DROP  --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource
-A OUTPUT -m state --state INVALID -j DROP
COMMIT
# Completed on Mon May 30 21:46:58 2016
# Generated by iptables-save v1.4.21 on Mon May 30 21:46:58 2016
*nat
:PREROUTING ACCEPT [36:2152]
:INPUT ACCEPT [16:968]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
COMMIT
# Completed on Mon May 30 21:46:58 2016
# Generated by iptables-save v1.4.21 on Mon May 30 21:46:58 2016
*mangle
:PREROUTING ACCEPT [2057:189936]
:INPUT ACCEPT [2057:189936]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1518:2371756]
:POSTROUTING ACCEPT [1518:2371756]
COMMIT
# Completed on Mon May 30 21:46:58 2016

1. Also, are the rules processed in order from top to bottom?

2. If they are processed from top to bottom, shouldn't all the deny statements be at the top?


Comments

Looks like a good start! I'd always suggest making sure you have a way to get at the console when applying a firewall, just in case something doesn't go as expected.

I do see a few things that aren't in there, such as SMTP's Submission port, 587, which can be used for authentication. And I don't see SSH on port 22 or FTP on port 21. Don't forget to add those if you need those services.

As far as the order goes -- yes, they are processed from top to bottom, and the order matters very much. However, it only matters within each chain/table.

That is, the INPUT table is different from the FORWARD and OUTPUT tables.

OK, great, thanks, man. I have changed our SSH port, and I forgot about the 587 port.

But one question, though: shouldn't this `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` come below the deny statements?

That rule you mentioned is in the correct location; it refers to traffic that has already been through those rules previously and shouldn't be at the end.
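The two answers above (rules are evaluated top to bottom within a chain, and the RELATED,ESTABLISHED rule belongs at the top) can be checked against the posted rules directly. The following is an added example, not code from the thread: a small first-match simulator in Python that models a subset of the posted INPUT chain, including a simplified version of the `-m recent` hit counting used by the port-80 rules. Packet addresses other than the policy's own `-s` host are constructed test data; the `RecentTable` class is a simplified model of xt_recent, not the kernel module.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ADMIN_HOST = "213.130.115.218"   # the -s host from the posted policy


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "icmp"
    src: str                              # source address
    dport: int = 0
    state: str = "NEW"                    # conntrack state as -m state sees it
    flags: frozenset = frozenset({"SYN"})  # TCP flags that are set
    t: float = 0.0                        # arrival time in seconds, for -m recent


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    target: Optional[str]                 # "ACCEPT", "DROP", or None for a match-only rule


class RecentTable:
    """Simplified model of xt_recent with --rsource: one timestamp list per source."""

    def __init__(self):
        self.stamps = {}

    def set(self, pkt):
        # --set: record a timestamp for this source; the match always succeeds
        self.stamps.setdefault(pkt.src, []).append(pkt.t)
        return True

    def update(self, pkt, seconds, hitcount):
        # --update --seconds S --hitcount N: the source must already be listed
        # and have at least N stamps inside the window; the entry is refreshed
        # with the current time when the rule matches (simplified model)
        stamps = self.stamps.get(pkt.src)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if pkt.t - s <= seconds)
        if hits >= hitcount:
            stamps.append(pkt.t)
            return True
        return False


def tcp_to(pkt, port):
    return pkt.proto == "tcp" and pkt.dport == port


def build_chain(recent):
    """A subset of the posted INPUT chain, in the posted order."""
    return [
        Rule("RELATED,ESTABLISHED -> ACCEPT",
             lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
        Rule("port 80 NEW, recent --update 10 hits/60s -> DROP",
             lambda p: tcp_to(p, 80) and p.state == "NEW" and recent.update(p, 60, 10), "DROP"),
        Rule("port 80 NEW, recent --set",
             lambda p: tcp_to(p, 80) and p.state == "NEW" and recent.set(p), None),
        Rule("no TCP flags set -> DROP",
             lambda p: p.proto == "tcp" and not p.flags, "DROP"),
        Rule("NEW but not a plain SYN -> DROP",
             lambda p: p.proto == "tcp" and p.state == "NEW"
             and (p.flags & {"FIN", "SYN", "RST", "ACK"}) != {"SYN"}, "DROP"),
        Rule("INVALID -> DROP", lambda p: p.state == "INVALID", "DROP"),
        Rule("port 80 -> ACCEPT", lambda p: tcp_to(p, 80), "ACCEPT"),
        Rule("port 443 -> ACCEPT", lambda p: tcp_to(p, 443), "ACCEPT"),
        Rule("port 22090 from admin host -> ACCEPT",
             lambda p: tcp_to(p, 22090) and p.src == ADMIN_HOST, "ACCEPT"),
    ]


def walk(chain, pkt, policy="DROP"):
    """Top-to-bottom evaluation: the first matching rule with a target decides.
    Returns (verdict, deciding rule name, number of rules examined)."""
    for n, rule in enumerate(chain, 1):
        if rule.match(pkt) and rule.target is not None:
            return rule.target, rule.name, n
    return policy, "chain policy", len(chain)


def http_burst(chain, n=11):
    """n new HTTP connections from one constructed client within 60 seconds."""
    return [walk(chain, Packet("tcp", "198.51.100.7", 80, t=i))[0] for i in range(n)]


def posted_order():
    # Posted order: the 11th connection inside the window trips --hitcount 10
    return http_burst(build_chain(RecentTable()))


def accept_before_ratelimit():
    # Same rules, but the port-80 ACCEPT moved above the recent rules:
    # the rate limiter is never reached, so every connection is accepted
    chain = build_chain(RecentTable())
    chain.insert(1, chain.pop(6))
    return http_burst(chain)


def established_position():
    # A reply packet of an already accepted connection to the admin port, from an
    # address the -s rule would not allow.  With RELATED,ESTABLISHED first it is
    # decided at rule 1; moved last, it survives only after every other rule is tested
    pkt = Packet("tcp", "203.0.113.9", 22090, state="ESTABLISHED", flags=frozenset({"ACK"}))
    top, bottom = build_chain(RecentTable()), build_chain(RecentTable())
    bottom.append(bottom.pop(0))
    return walk(top, pkt), walk(bottom, pkt)


def other_verdicts():
    chain = build_chain(RecentTable())
    tests = {
        "flagless TCP packet to 443": Packet("tcp", "203.0.113.9", 443, flags=frozenset()),
        "ACK-only NEW packet to 443": Packet("tcp", "203.0.113.9", 443, flags=frozenset({"ACK"})),
        "INVALID packet to 443": Packet("tcp", "203.0.113.9", 443, state="INVALID"),
        "new connection to 22090 from stranger": Packet("tcp", "203.0.113.9", 22090),
        "new connection to 22090 from admin host": Packet("tcp", ADMIN_HOST, 22090),
    }
    return {k: walk(chain, p)[:2] for k, p in tests.items()}


if __name__ == "__main__":
    print("posted order:", posted_order())
    print("ACCEPT moved above the rate limit:", accept_before_ratelimit())
    print("ESTABLISHED at top / at bottom:", established_position())
    for k, v in other_verdicts().items():
        print(f"{k}: {v}")
```

The simulator shows both points from the thread: moving the plain port-80 ACCEPT above the `-m recent` pair silently disables the rate limit, because the first matching rule with a target wins; and the RELATED,ESTABLISHED ACCEPT costs nothing at the top, since traffic in those states was already admitted by the rules further down when its first packet arrived, so putting it last only makes every reply packet run the whole chain again.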