LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Blogs > sag47
User Name
Password

Notices

Rate this Entry

iptables workstation config

Posted 11-17-2013 at 10:03 AM by sag47
Updated 11-17-2013 at 11:07 AM by sag47
Tags iptables, ufw

Here's a decent iptables for a workstation that doesn't normally serve hosted applications. It is meant to just block the network while allowing the user to still use the network unhindered. If services will need to connect to your system then you'll have to open ports in the firewall.

Code:
#load firewall config with iptables-restore < iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#The following rules required for normal communication
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#allow incomming ping (optional, can be commented out)
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT

#enable firewall denied connections logging
#keep rules commented unless troubleshooting
#-N LOGGING
#-A LOGGING -p tcp -m limit --limit 2/min -j LOG --log-prefix "iptables DROP: " --log-level 4
#-A LOGGING -j RETURN
#-A INPUT -j LOGGING
#-A FORWARD -j LOGGING

#Required, any traffic that is not allowed will be dropped by these rules
#Never comment these out unless you know what you're doing.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
This is the iptables equivalent of ufw in Ubuntu being set to "ufw enable". The only exception is that logging is disabled by default in my script but you can uncomment it to enable it.

If you wish to see your current active rules you can use:
Code:
#show rules with resolved names
iptables -L
#do not show resolved names just the raw rules
iptables -nL
Posted in Uncategorized
Views 285 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 03:09 AM.

Main Menu
Advertisement

My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration