Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I don't have much knowledge of Debian Wheezy, as I started using it only about two months ago. My knowledge of iptables is elementary and patchy. I'm still reading up on the elements of iptables, and it'll take me at least another six months before I have a good grasp of its principles.
In the meantime I need help from you guys to guide me in setting up a firewall. Yes, I need a working firewall during the interim while I'm learning iptables.
I came across a sample firewall in one of the forums of a Linux distro. Its contents are as follows:
Code:
#!/bin/bash
local_network="192.168.1.0/24"
wireless_interface="wlp3s0"
virtual_interface="tun0"
#VPN Servers
servers=(
1.1.1.1 #vpn server 1 *** CHANGE TO REAL IP ADDRESS OF SELECTED SERVER
2.2.2.2 #vpn server 2 *** CHANGE TO REAL IP ADDRESS OF SELECTED SERVER
3.3.3.3 #vpn server 3 *** CHANGE TO REAL IP ADDRESS OF SELECTED SERVER
)
iptables-restore < /etc/iptables/empty.rules #load an empty ruleset (a file Arch Linux ships), overwriting any rules already present
iptables -N TCP #TCP user-defined chain used to open up ports in the firewall
iptables -N UDP #UDP user-defined chain used to open up ports in the firewall
iptables -P FORWARD DROP #this is a single PC and not a NAT gateway
#set up out rules
iptables -P OUTPUT DROP #block all outgoing traffic by default
iptables -A OUTPUT -d $local_network -o $wireless_interface -j ACCEPT #allow out to local network via wireless
iptables -A OUTPUT -o $virtual_interface -j ACCEPT #allow everything out through the VPN tunnel interface
iptables -A OUTPUT -o lo -j ACCEPT #allow out to loopback
server_count=${#servers[@]} #loop through VPN servers
for (( c = 0; c < $server_count; c++ ))
do
#set up out rules for udp (only the VPN servers are reachable directly over wireless)
iptables -A OUTPUT -p udp -d ${servers[c]} --dport 53 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p udp -d ${servers[c]} --dport 80 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p udp -d ${servers[c]} --dport 443 -o $wireless_interface -j ACCEPT
#set up out rules for tcp
iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 53 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 80 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 443 -o $wireless_interface -j ACCEPT
done
#set up in rules
iptables -P INPUT DROP #block all incoming traffic by default
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT #accept ping requests within the rate limit
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP #drop ping requests above the rate limit
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT #allow in established connections
iptables -A INPUT -i lo -j ACCEPT #allow in to loopback
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP #drop all traffic with an INVALID state match
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP #attach the UDP chain to the INPUT chain to handle all new incoming connections
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP #attach the TCP chain to the INPUT chain to handle all new incoming connections
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst #handle SYN scans: reject any source seen probing a closed TCP port in the last 60 seconds
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst #handle SYN scans: record the source of a TCP packet that reached no open port, then reject it
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable #handle UDP scans: same as above for UDP
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable #handle UDP scans: record and reject
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable #reject all remaining incoming traffic with icmp protocol unreachable messages
#use new rules
iptables-save > /etc/iptables/iptables.rules #save rules (the path Arch Linux's iptables.service reads; Debian has no such service)
systemctl start iptables.service && systemctl status iptables.service #check that the rules load correctly (Arch Linux unit, not present on Debian Wheezy)
My questions:
(1) Do I need to install iptables-persistent?
(2) My default DHCP gateway is 192.168.100.1. Can I substitute 192.168.100.0 for 192.168.1.0 in local_network?
(3) My network interface is eth0. Should I include it in the above firewall? If yes, where?
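As an added example (not posted in the thread), the script below puts the three questions into one piece of working code. On Debian nothing reloads iptables rules at boot unless you install something for it; iptables-persistent does exactly that by loading /etc/iptables/rules.v4, a file in iptables-save format, so the script emits that format instead of running iptables commands one by one. It derives the network from the address on the interface (192.168.100.1/24 becomes 192.168.100.0/24), and the interface name goes into -i on the rules that concern that interface. Assumed here: Debian with iptables-persistent installed, an interface called eth0 with the address given in the post, and a minimal ruleset (SSH from the LAN only), not the VPN script above; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build a rules.v4 file for
# iptables-persistent from an interface name and its address.
# Assumes Debian with iptables-persistent installed (it loads
# /etc/iptables/rules.v4, iptables-save format, at boot).
set -eu

# cidr_network 192.168.100.1/24 -> 192.168.100.0/24
# Clears the host bits so a gateway or host address becomes the network
# address the rules should reference.
cidr_network() {
    local cidr="$1" addr prefix ip mask net
    addr=${cidr%/*}
    prefix=${cidr#*/}
    local IFS=.
    set -- $addr
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# interface_cidr eth0 -> first IPv4 address/prefix configured on eth0
# (uses iproute2's "ip"; only meaningful on the target machine)
interface_cidr() {
    ip -o -4 addr show dev "$1" | awk '{ print $4; exit }'
}

# generate_rules <interface> <local-network> [ssh-port]
# Filter table in iptables-restore format: drop unsolicited input, accept
# loopback and replies to our own connections, rate-limit ping, and accept
# new SSH connections only from the local network on the named interface.
generate_rules() {
    local iface="$1" lan="$2" ssh_port="${3:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -i $iface -s $lan -p tcp --syn --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# Usage on the target host, as root:
#   sh genrules.sh eth0                              # print the ruleset for review
#   sh genrules.sh eth0 192.168.100.1/24 > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4  # parse only, apply nothing
#   iptables-restore < /etc/iptables/rules.v4         # apply now; persistent reloads it at boot
if [ $# -gt 0 ]; then
    iface="$1"
    lan=$(cidr_network "${2:-$(interface_cidr "$iface")}")
    generate_rules "$iface" "$lan"
fi
```

Review the printed ruleset before writing it to /etc/iptables/rules.v4, and run the iptables-restore --test step first: a syntax error in the file means iptables-persistent loads nothing at boot, which on a DROP-policy host is the difference between "firewall" and "no firewall".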
Instead of copying the script from someone else, I suggest starting with your own first implementation.
I think the following link might help you with the first steps, while also teaching you what you are doing.
If you are using a GUI, why not use something like gufw to configure a basic firewall while you pursue your studies of iptables? It's a very easy-to-use interface. It's in the repos.
You can configure it, then take a look at the result with
Code:
iptables -L
While it is fine to use a GUI to set up a firewall, I wouldn't suggest using a GUI and then trying to evaluate it the "manual" way with iptables, as it can lead to some exceptionally confusing setups.
Perhaps use a GUI to get a working firewall quickly, and use a separate machine to experiment with iptables.
Since you list a random sample script and ask questions that don't relate to your actual goal of using a firewall, I can't help you on how to make a good one.
But, if you are looking for a generic "good" firewall this may serve as a simpler starting point.
Code:
#!/bin/bash
ipt=/sbin/iptables
$ipt -F
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -A INPUT -i lo -j ACCEPT # Permit loopback
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Permit established connections
$ipt -A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT # SSH
This drops all incoming packets except established or related ones, allows all packets on loopback (so the computer can talk to itself) and allows "new" or connecting packets to port 22 (for ssh). It accepts all outgoing packets.
Obviously, your needs are not mine so I wouldn't consider this a "place and forget" setup.
But, it's a secure setup that is very tiny and doesn't interfere with "normal" usage.
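Whichever way the rules get built, by hand or by gufw, the saved ruleset is what you should check. The script below is an added example (not posted in the thread) that reads iptables-save format, as printed by iptables-save or stored in /etc/iptables/rules.v4, and checks the INPUT chain for the properties the post above describes: policy DROP, loopback accepted, RELATED,ESTABLISHED accepted, and no rule that accepts everything. It lists the ports reachable by new connections. It only inspects INPUT and does not follow jumps into user-defined chains such as the TCP and UDP chains in the first script, so on that ruleset you would extend it. The two sample dumps are constructed for the example; the second one has a stray accept-all rule of the kind an earlier experiment leaves behind.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved ruleset (iptables-save
# format) against the shape described above. Inspects the filter table's
# INPUT chain only; jumps to user-defined chains are not followed.
set -eu

# audit_ruleset < ruleset
# Prints one finding per line; returns 0 when the shape is right, 1 when any
# FAIL line was printed.
audit_ruleset() {
    awk '
    /^\*/             { table = substr($0, 2) }
    table != "filter" { next }
    /^:INPUT /        { policy = $2 }
    /^-A INPUT / {
        n++
        if ($0 ~ /-i lo -j ACCEPT/) lo = n
        if ($0 ~ /--ctstate (RELATED,)?ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = n
        if ($0 ~ /--ctstate NEW/ || $0 ~ /--syn/) {
            if (match($0, /--dport [0-9:]+/) && $0 ~ /-j ACCEPT/)
                ports = ports " " substr($0, RSTART + 8, RLENGTH - 8)
        }
        if ($0 == "-A INPUT -j ACCEPT") open_all = n
    }
    END {
        bad = 0
        printf "INPUT policy: %s\n", (policy == "" ? "(none)" : policy)
        if (policy != "DROP") { print "FAIL: INPUT policy is not DROP"; bad = 1 }
        if (!lo)              { print "WARN: loopback is not explicitly accepted" }
        if (!est)             { print "FAIL: no RELATED,ESTABLISHED accept rule"; bad = 1 }
        if (open_all)         { print "FAIL: rule " open_all " accepts all input, the DROP policy never applies"; bad = 1 }
        printf "ports open to new connections:%s\n", (ports == "" ? " none" : ports)
        exit bad
    }'
}

# Constructed sample: what iptables-save prints after the script above.
sample_good() {
    cat <<'EOF'
# Generated by iptables-save v1.4.14
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: same policy, plus a stray "accept everything" rule left
# over from an earlier experiment; the SSH rule after it is never reached.
sample_bad() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT
COMMIT
EOF
}

# Usage on the target host:
#   sh audit.sh /etc/iptables/rules.v4     # check the file that loads at boot
#   iptables-save | sh audit.sh -          # check what is loaded right now
if [ $# -gt 0 ]; then
    if [ "$1" = - ]; then audit_ruleset; else audit_ruleset < "$1"; fi
fi
```

Running it on the live iptables-save output after a gufw session is the quick way to see what the GUI actually produced, without reading iptables -L by hand.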