iptables adventures

I use iptables to secure my Linux-based internet-facing hobbyist servers. The current iptables, residing at one of these servers (sanyalnet-cloud-vps2.freeddns.org) at /etc/sysconfig/iptables, is as below.

This particular server runs on CentOS 7. The iptables rules provide basic network exploit protection from syn flood, nul, christmas and fragmented packets and adds rate-limited DDOS flood protection for ssh, telnet, smtp, dns, http, pop3, ntp, IMAP, https, smtps, starttls, imap-ssl/tls, pop-ssl/tls, dovecot, sieve, managesieve, DECnet bridge (HECnet), stunnel, syslog etc. ports that are usual for any internet-facing server providing public services. It has the following open ports for the services it provides:

• ssh
• telnet, forwarded to CLOUDY VAX - the hosted DECVAX-11/780 SIMH simulated Digital VAX server running OpenVMS 7.3
• SMTP (authenticated, not public)
• DNS - this DNS server blocks advertising and tracking websites as well as malware
• http - a basic static web-site is hosted on this server; also reachable over the TOR network at fz2koi5kviaph4bl.onion)
• POP (authenticated, not public)
• NTP - this server is an official stratum-2 public NTP server listed ntp.org and is a member of the NTP Pool Project
• IMAP (authenticated, not public)
• https (currently unused)
• STARTTLS / SMTPS (authenticated, not public)
• IMAP SSL/TLS (authenticated, not public)
• POP SSL/TLS (authenticated, not public)
• Dovecot Sieve / ManageSieve
• DECnet bridge connecting QCOCAL (SIMH MicroVAX 3900/OpenVMS 7.3 at home), JUICHI (SIMH DEC PDP-11/24 RSX-11M PLUS at home) and CLOUDY VAX (SIMH VAX-11/780 OpenVMS 7.3) to HECnet the global hobbyist DECnet network
• TOR Proxy service (authenticated, not public)
• stunnel (secure tunnel) service to syslog daemon for encrypted remote logging
• syslog
• TOR relay node (this server is a TOR relay-only node, not a TOR exit node; no TOR traffic is logged at all on this server)