Quote:
Can you guys guide me please?
You seem to have already gained a moderate understanding of iptables, which is important. To improve upon your understanding I would recommend this excellent tutorial on iptables:
http://bodhizazen.net/Tutorials/iptables
The next thing you would need to focus on is what are you trying to protect against. While you consider this, realize that firewalls in Linux have a slightly different focus than they typically do in other environments, like Windows in particular. The firewall should be an added layer of protection, fortifying the ports that are already closed; not as the primary barrier around an unprotected system.
Blocking inbound traffic is generally pretty easy. Your input rules will do this. I would recommend three modifications for you to consider depending on your network structure and needs or desires:
1 - if iptables is running on the machine 192.168.1.100, you can drop the -s 192.168.1.100 portion to make the rule more generic. Strictly speaking, it doesn't hurt, but with it only traffic being directed to this address will be filtered. Presumably, the upstream switch wouldn't even put traffic on the wire that wasn't directed towards this machine. If the machine is functioning as a router, e.g. in on eth0 and out on eth1, while providing NAT, this may not be practical.
2 - at the end of your rules, you can add -A INPUT -j DROP to remove all other traffic than what has been whitelisted above. Again, specifying an address may be redundant and would cause broadcast and multicast traffic, which is not directed at a single IP, to still be passed, which may not be what you want.
3 - consider adding an established, related stanza towards the top of your input block. If you have outbound traffic that originated at your machine, the inbound traffic will return on an unknown, but typically higher port number. The tutorial referenced will discuss this, but for example:
Code:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Blocking outbound traffic can be a little trickier and you need to consider this one carefully. First, will the traffic be in response to inbound traffic only, or is the machine capable of generating traffic on its own? This is one of the most common needs for firewalls, especially the software variety, on Windows: to keep applications from "phoning home." While this could still happen on Linux, it isn't as prevalent in terms of malware. Your distribution's update notifier tool, for example, would make use of this function. If your system is a server, responding to requests on standard ports, the outbound response will be on a higher order, random, port number. If you block traffic to all but a particular range, you may break your applications. If you want to restrict access away from some services, e.g. not allow telnet on port 23, you could block those ports in your output rules. The rules work the same way as in the input chain; it is just that you need to be extra careful in thinking about how the closed communication circuit (including return path) will work.
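The three modifications above, put together as one complete ruleset in iptables-restore format. This is an added example written for this thread, not code from the reply or from the linked tutorial; the whitelisted ports (22 and 80) and the telnet block on the OUTPUT chain are assumed sample values, and the script only prints the rules, so you can review them before loading them.

```shell
#!/bin/sh
# Added example: generate a filter table that follows the three suggestions
# in the reply above. Nothing here touches the live firewall unless you pipe
# the output into iptables-restore yourself.

# gen_rules PORT... : print a complete iptables-restore ruleset that accepts
# NEW inbound TCP connections only on the given ports.
# Rule order matters: the conntrack rule comes first so that return traffic
# for connections this host started never reaches the whitelist or the DROP.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'

    # 3 - established/related stanza at the top of the INPUT block: replies
    #     to outbound connections arrive on an unpredictable high port, and
    #     this single rule lets them in without opening those ports.
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'

    # 1 - no "-s 192.168.1.100" qualifier: the rules match any packet that
    #     reaches this host, broadcast and multicast included.
    #     Only NEW connections get this far, everything else matched above.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    # 2 - catch-all at the end of INPUT: anything not whitelisted is dropped.
    #     (Setting the chain policy to DROP would have the same effect; the
    #     explicit rule keeps the intent visible in the listing.)
    echo '-A INPUT -j DROP'

    # OUTPUT: let replies to accepted connections out, block the one service
    # we do not want clients on this box using (telnet, TCP/23, an assumed
    # sample), and leave the rest open so updates and DNS still work.
    echo '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 23 -j REJECT'

    echo 'COMMIT'
}

# input_rules PORT... : only the INPUT-chain rules, in order, for inspection.
input_rules() {
    gen_rules "$@" | grep '^-A INPUT'
}

# check_order PORT... : exit 0 if the conntrack rule is the first INPUT rule
# and the DROP is the last one, i.e. the ordering the reply recommends.
check_order() {
    first=$(input_rules "$@" | head -n 1)
    last=$(input_rules "$@" | tail -n 1)
    [ "$first" = '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' ] &&
        [ "$last" = '-A INPUT -j DROP' ]
}

# Usage (as root, after reviewing the output):
#   gen_rules 22 80 | iptables-restore
```

To see what would be loaded, run `gen_rules 22 80` and read the listing; `check_order 22 80` returns success only when the established/related rule is first and the DROP is last, which is the property that keeps the whitelist from ever matching return traffic.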