Default-deny and allow only required ports (e.g. 22, 80, 443). Use a host firewall plus network ACLs if the provider offers them. Document rules and use config management to keep them consistent.
Default-deny and allow list
- Deny by default: Block all inbound (and optionally outbound) except what you explicitly allow.
- Allow only needed ports: Typically SSH (22), HTTP (80), HTTPS (443). Restrict SSH to admin IPs if possible.
- Outbound: Often allow all outbound; restrict if you need to block data exfiltration or limit destinations.
Tools (Linux)
- iptables: Classic netfilter front-end; well documented, available everywhere.
- nftables: Newer replacement for iptables; one framework for IPv4/IPv6.
- firewalld: Higher-level service built on nftables; configured with zones and named service definitions; good for workstations and simple servers.
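The allow list above written as an nftables ruleset, added here as an example and not the page's own configuration. The admin range 203.0.113.0/24 is an assumed placeholder; the script only prints the ruleset for review unless run as `sh fw.sh apply` (which needs root and `nft`).

```shell
#!/bin/sh
# Default-deny host firewall as an nftables ruleset (added example).
# ADMIN_CIDR is a placeholder for the network allowed to reach SSH.
set -eu

ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # placeholder admin range (TEST-NET-3)

# build_ruleset prints a complete nftables ruleset to stdout.
build_ruleset() {
    admin="$1"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;  # default-deny inbound
        iif "lo" accept                                  # loopback
        ct state established,related accept              # replies to our own traffic
        ct state invalid drop
        ip protocol icmp accept                          # keep ping / PMTUD working
        ip6 nexthdr icmpv6 accept
        ip saddr $admin tcp dport 22 ct state new accept # SSH only from admin range
        tcp dport { 80, 443 } ct state new accept        # web
    }
    chain forward {
        type filter hook forward priority 0; policy drop; # host is not a router
    }
    chain output {
        type filter hook output priority 0; policy accept; # outbound open; tighten if needed
    }
}
EOF
}

# count_tcp_allow_rules reports how many TCP allow rules the ruleset carries,
# a cheap sanity check that catches an accidentally widened allow list.
count_tcp_allow_rules() {
    build_ruleset "$1" | grep -c 'tcp dport'
}

# apply_ruleset validates with a dry run (-c) and then loads atomically (-f).
apply_ruleset() {
    tmp=$(mktemp)
    build_ruleset "$1" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset "$ADMIN_CIDR"   # requires root and nftables installed
else
    build_ruleset "$ADMIN_CIDR"   # review mode: print the generated ruleset
fi
```

Keep the generated file under config management and review every new `accept` line; the rule count check is one place to hang an automated test.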
Best practices
- Document rules: Comment or maintain a doc explaining each allow; avoid "mystery" rules.
- Config management: Use Ansible, Puppet, or similar so firewall state is reproducible and reviewed.
- Provider ACLs: If the hosting provider offers network ACLs or security groups, use them in addition to the host firewall for defense in depth; a host firewall alone is lost if the host itself is compromised.
Summary
Default-deny; allow only SSH, HTTP, HTTPS (and any app-specific ports). Use iptables, nftables, or firewalld; document and manage with config management. Combine with provider ACLs when available.