How do my Iptables rules look?

[TechBoyJK]

This is for a CentOS+MariaDB10 development database server.

I need to open it to ssh, mysql workbench, webserver access and nfs for backups.

ens33 is the private lan adapter that everything will traverse. ens32 is the public facing adapter which is shutdown except for patching.

I tried to clearly define each rule.

#deny all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


#SSH

#allow ssh/22 in from 192.168.200.248/32 (dev02) on ens33
-A INPUT  -i ens33 -p tcp -s 192.168.200.248/32 --dport 22 -j ACCEPT

#allow ssh/22 out to 192.168.200.248/32 (dev02) on ens33 
-A OUTPUT -o ens33 -p tcp -d 192.168.200.248/32 --sport 22 -m state --state ESTABLISHED  -j ACCEPT


#NFS

#allow nfs/111 TCP in from 192.168.200.251/32 (backup01) on ens33
-A INPUT  -i ens33 -p tcp -s 192.168.200.251/32 --dport 111 -m state --state NEW -m tcp  -j ACCEPT

#allow nfs/111 TCP out to 192.168.200.251/32 (backup01) on ens33
-A OUTPUT -o ens33 -p tcp -d 192.168.200.251/32 --sport 111 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/111 UDP in from 192.168.200.251/32 (backup01) on ens33
-A INPUT  -i ens33 -p udp -s 192.168.200.251/32 --dport 111 -m state --state NEW -m udp  -j ACCEPT

#allow nfs/111 UDP out to 192.168.200.251/32 (backup01) on ens33
-A OUTPUT -o ens33 -p udp -d 192.168.200.251/32 --sport 111 -m state --state ESTABLISHED -j ACCEPT


#allow nfs/2049 TCP in from 192.168.200.251/32 (backup01) on ens33
-A INPUT  -i ens33 -p tcp -s 192.168.200.251/32 --dport 2049 -m state --state NEW -m tcp  -j ACCEPT

#allow nfs/2049 TCP out to 192.168.200.251/32 (backup01) on ens33
-A OUTPUT -o ens33 -p tcp -d 192.168.200.251/32 --sport 2049 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/2049 UDP in from 192.168.200.251/32 (backup01) on ens33
-A INPUT  -i ens33 -p udp -s 192.168.200.251/32 --dport 2049 -m state --state NEW -m udp -j ACCEPT

#allow nfs/2049 UDP out to 192.168.200.251/32 (backup01) on ens33
-A OUTPUT -o ens33 -p udp -d 192.168.200.251/32 --sport 2049 -m state --state ESTABLISHED -j ACCEPT


#allow nfs/10000:10006 TCP in from 192.168.200.251/32 (backup01) on ens33
-A INPUT  -i ens33 -p tcp -s 192.168.200.251/32 --dport 10000:10006 -m state --state NEW -m tcp  -j ACCEPT

#allow nfs/10000:10006 TCP out to 192.168.200.251/32 (backup01) on ens33
-A OUTPUT -o ens33 -p tcp -d 192.168.200.251/32 --sport 10000:10006 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/10000:10006 UDP in from 192.168.200.251/32 (backup01) on ens33
-A INPUT  -i ens33 -p udp -s 192.168.200.251/32 --dport 10000:10006 -m state --state NEW -m udp -j ACCEPT

#allow nfs/10000:10006 UDP out to 192.168.200.251/32 (backup01) on ens33
-A OUTPUT -o ens33 -p udp -d 192.168.200.251/32 --sport 10000:10006 -m state --state ESTABLISHED -j ACCEPT



#allow mysql/3306 in from 192.168.200.248/32 (dev02) on ens33
-A INPUT  -i ens33 -p tcp -s 192.168.200.248/32 --dport 3306 -j ACCEPT

#allow mysql/3306 out to 192.168.200.248/32 (dev02) on ens33 
-A OUTPUT -o ens33 -p tcp -d 192.168.200.248/32 --sport 3306 -m state --state ESTABLISHED  -j ACCEPT

#allow mysql/3306 in from 192.168.200.201/32 (www01) on ens33
-A INPUT  -i ens33 -p tcp -s 192.168.200.201/32 --dport 3306 -j ACCEPT

#allow mysql/3306 out to 192.168.200.201/32 (www01) on ens33 
-A OUTPUT -o ens33 -p tcp -d 192.168.200.201/32 --sport 3306 -m state --state ESTABLISHED  -j ACCEPT

#allow mysql/3306 in from 192.168.200.201/32 (www02) on ens33
-A INPUT  -i ens33 -p tcp -s 192.168.200.202/32 --dport 3306 -j ACCEPT

#allow mysql/3306 out to 192.168.200.201/32 (www02) on ens33 
-A OUTPUT -o ens33 -p tcp -d 192.168.200.202/32 --sport 3306 -m state --state ESTABLISHED  -j ACCEPT

 

[Fallen Kell]

You can simplify many of those state rules to a single rule by simply putting a comma between the multiple states:

-A INPUT -i ens33 -p tcp -s 192.168.200.251/32 --dport 2049 -m state --state NEW,ESTABLISHED -m tcp -j ACCEPT

 

[TechBoyJK]

You can simplify many of those state rules to a single rule by simply putting a comma between the multiple states:

-A INPUT -i ens33 -p tcp -s 192.168.200.251/32 --dport 2049 -m state --state NEW,ESTABLISHED -m tcp -j ACCEPT

Well, the 'established' state rules are all for OUTPUT, not input. So I'm not sure how I can consolidate them further. Am I missing something?

Can you give an example from the original rule set I posted?