iptables workstation config
Here's a decent iptables config for a workstation that doesn't normally serve hosted applications. It is meant to block unsolicited inbound connections while letting the user use the network outbound unhindered. If services need to connect to your system, you'll have to open ports in the firewall.
This is the iptables equivalent of ufw on Ubuntu after running "ufw enable". The only difference is that logging is disabled by default in my script; you can uncomment the logging rules to enable it.
The rules file, which is loaded with iptables-restore, is:
Code:
#load firewall config with iptables-restore < iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#The following rules are required for normal communication
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#allow incoming ping (optional, can be commented out)
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
#enable logging of connections denied by the firewall
#keep these rules commented unless troubleshooting
#-N LOGGING
#-A LOGGING -p tcp -m limit --limit 2/min -j LOG --log-prefix "iptables DROP: " --log-level 4
#-A LOGGING -j RETURN
#-A INPUT -j LOGGING
#-A FORWARD -j LOGGING
#Required: any traffic that is not allowed above will be rejected by these rules
#Never comment these out unless you know what you're doing.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
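The order of the rules above matters: the two REJECT lines are catch-alls, so any ACCEPT rule that ends up after them can never match. As an added example (my own code, not part of the original post or of iptables), here is a small linter for an iptables-restore file: it parses the file, lists which NEW inbound connections are accepted, checks that INPUT and FORWARD end in a catch-all, and flags rules shadowed by it. The embedded RULES string is a copy of the config above with the logging lines omitted; the function names are my own.

```python
# Added example: lint an iptables-restore file like the one in the post.
import shlex

# Constructed copy of the post's rules file (logging lines omitted).
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options that narrow a rule; a REJECT/DROP without any of them is a catch-all.
MATCH_FLAGS = ("-p", "-s", "-d", "-i", "-o", "-m", "--dport", "--sport")


def _opt(tokens, flag):
    """Value following `flag` in a token list, or None if the flag is absent."""
    for i, tok in enumerate(tokens):
        if tok == flag and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _is_catchall(tokens):
    """True for an unconditional REJECT/DROP (terminating target, no match options)."""
    return _opt(tokens, "-j") in ("REJECT", "DROP") and not any(f in tokens for f in MATCH_FLAGS)


def parse_rules(text):
    """Return (policies, rules): chain -> default policy, and the '-A' rules in file order."""
    policies, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                       # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens = shlex.split(line)                     # copes with the quoted --log-prefix
        if tokens[0] == "-A":
            rules.append({"chain": tokens[1], "tokens": tokens[2:], "raw": line, "line": lineno})
        elif tokens[0] == "-N":                        # user-defined chain such as LOGGING
            policies.setdefault(tokens[1], "-")
    return policies, rules


def accepted_new_inbound(rules):
    """(protocol, dport or icmp-type) for INPUT rules that accept NEW connections.

    Stops at the first catch-all, since nothing after it is reachable; loopback and
    ESTABLISHED,RELATED rules are not unsolicited inbound traffic and are skipped.
    """
    out = []
    for rule in (r for r in rules if r["chain"] == "INPUT"):
        t = rule["tokens"]
        if _is_catchall(t):
            break
        if _opt(t, "-j") != "ACCEPT" or _opt(t, "-i") == "lo":
            continue
        state = _opt(t, "--state") or _opt(t, "--ctstate")
        if state is None or "NEW" in state.split(","):  # no state match admits NEW too
            out.append((_opt(t, "-p"), _opt(t, "--dport") or _opt(t, "--icmp-type")))
    return out


def lint(text):
    """Findings for INPUT/FORWARD: no catch-all at all, or rules shadowed by it."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        hits = [i for i, r in enumerate(rules) if r["chain"] == chain and _is_catchall(r["tokens"])]
        if not hits:
            findings.append(f"{chain}: no catch-all REJECT/DROP; default policy is {policies.get(chain, '?')}")
            continue
        for r in rules[hits[0] + 1:]:
            if r["chain"] == chain:
                findings.append(f"{chain}: line {r['line']} comes after the catch-all and never matches: {r['raw']}")
    return findings


def add_input_rule(text, rule):
    """Insert an INPUT rule just before the INPUT catch-all, where it can still match."""
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith("-A INPUT ") and _is_catchall(shlex.split(s)[2:]):
            lines.insert(i, rule)
            break
    else:                                              # no catch-all: place before COMMIT
        lines.insert(lines.index("COMMIT"), rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ssh = "-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT"
    print(accepted_new_inbound(parse_rules(RULES)[1]))       # only ping is accepted
    print(lint(RULES))                                        # no findings
    print(accepted_new_inbound(parse_rules(add_input_rule(RULES, ssh))[1]))
    print(lint(RULES.replace("COMMIT", ssh + "\nCOMMIT")))   # ssh rule is dead
```

The same shadowing mistake happens on a live system: `iptables -A INPUT ...` appends after the catch-all REJECT, so a port opened that way never accepts anything, whereas `iptables -I INPUT ...` inserts at the top. Editing the rules file with the new line placed before the REJECT lines (as add_input_rule does) and reloading with iptables-restore avoids the problem.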
If you wish to see your current active rules you can use:
Code:
#show rules with resolved names
iptables -L
#do not resolve names, just show the raw rules
iptables -nL