Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
What's wrong with my iptables script?
Here's the basic overview of what I want out of my firewall:
1) allow local loopback and allow it to be pinged
2) drop every other ping packet from outside my computer
3) allow apache access
4) drop everything else
And here is what I pieced together with a few LQ searches:
Code:
iptables -F
# Default policies: drop everything coming in or being forwarded, allow everything going out
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow HTTP (note: 80:81 is a port range, so this opens 81 as well as 80)
iptables -A INPUT -p tcp -s 0/0 --dport 80:81 -j ACCEPT
# Allow the loopback interface to be used by the local machine
# (traffic from this host to its own IP address is also routed over lo)
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Allow replies to connections this host started
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reset TCP packets that carry no MSS option (TCP option 2);
# current iptables wants the "!" in front of the option name
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
With this configuration I can ping localhost/127.0.0.1, but I can also ping my actual IP address, which I don't want. What can I change to make it match my criteria?
If you are doing it from your computer (the PC with the above-mentioned rules), you will be able to ping your IP. Why? Because OUTPUT is set to ACCEPT.
In this case, packets (ping) are coming from lo and leaving by OUTPUT.
However, if you ping from another PC, your PC will drop all ping packets.
Plus, since your OUTPUT is set to ACCEPT, the following line is not needed
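A rule set that meets the four criteria listed in the question, added here as an example rather than taken from the thread. It assumes the Internet-facing interface is eth0 (the name used in the original script) and that Apache listens only on TCP port 80; both can be overridden through the WAN_IF and HTTP_PORT environment variables, which belong to this example and not to iptables. The script prints the rules by default and only loads them when run as root with the argument `apply`. Pings from the machine to its own address are routed over lo and therefore still work, while echo requests arriving on eth0 are dropped explicitly, so the packet counter on that rule shows what is being refused.

```shell
#!/bin/sh
# Added example (not the poster's script): one rule set for the four criteria
# in the question. Assumptions: the outside interface is eth0, as in the
# original rules, and Apache listens on TCP 80 only.
WAN_IF="${WAN_IF:-eth0}"      # assumption: name of the Internet-facing interface
HTTP_PORT="${HTTP_PORT:-80}"  # assumption: Apache serves plain HTTP on 80

# Print the rule set, one command per line, instead of running it straight
# away, so it can be reviewed before it touches a live firewall.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport $HTTP_PORT --syn -j ACCEPT
EOF
}

# Sanity check on the generated rules: the loopback ACCEPT has to come before
# the first explicit DROP, otherwise local traffic (including pings to this
# host's own address, which the kernel routes over lo) could be dropped too.
check_order() {
    lo_line=$(build_rules | grep -n -- '-i lo -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop_line=$(build_rules | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ]
}

# Load the rules into the kernel (needs root), then list the INPUT chain with
# packet counters so dropped pings and accepted HTTP connections are visible.
apply_rules() {
    check_order || { echo "refusing to apply: rule order is wrong" >&2; return 1; }
    build_rules | sh -e
    iptables -L INPUT -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_rules ;;
    show|"") build_rules ;;
esac
```

Run the script without arguments to review the rules it would load, and as root with `apply` to load them. Because the ESTABLISHED,RELATED rule is not tied to one interface, replies to the machine's own outgoing traffic (including echo replies to pings it sends) are accepted on any interface, and everything that is neither loopback, an existing connection, nor a new HTTP connection falls through to the INPUT DROP policy.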
Original Poster:
Hey, thanks for the reply and sorry for my late follow-up. Anyways, I took out the
Code:
iptables -A OUTPUT -o lo -p all -j ACCEPT
line just like you said, since it was not needed.
I guess it really doesn't matter if I can ping my IP address locally, because my friend can't ping it from his computer, so that's good. (I originally thought my last iptables configuration had it set to where I couldn't ping my IP locally, but apparently not)