LinuxQuestions.org
Old 10-07-2017, 09:46 AM   #1
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Write iptables rules for blocking all input connections but allow all output.


Hello.
I'm using Debian 8.9 x64 and I'd like to write iptables rules that block all incoming connections but allow all outgoing ones. I searched and found some examples, but none worked for me.

Thank you.
 
Old 10-07-2017, 10:26 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,592

Without seeing your rules we can not say why it isn't working.

There are several ways.

Set input policy to drop and output policy to accept.
Add input rule to accept lo
Add input rule to accept established,related
 
Old 10-07-2017, 02:46 PM   #3
3cxmostar
LQ Newbie
 
Registered: Jul 2017
Location: UK
Distribution: CentOS
Posts: 4

In the attachment you will see a basic firewall with 80 & 22 ( #...)
 
Old 10-08-2017, 06:38 AM   #4
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by michaelk View Post
Without seeing your rules we can not say why it isn't working.

There are several ways.

Set input policy to drop and output policy to accept.
Add input rule to accept lo
Add input rule to accept established,related
I have written the rules that exist in the example.
 
Old 10-08-2017, 07:13 AM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,592

That example only allows outgoing ssh.
 
Old 10-09-2017, 07:05 AM   #6
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by michaelk View Post
That example only allows outgoing ssh.
I edited it:
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
Old 10-09-2017, 07:15 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,655
Blog Entries: 3

I'd make the following changes to that.

Code:
iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;

iptables -Z;
iptables -F;
iptables -X;

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

iptables -A OUTPUT -p tcp  -j ACCEPT
iptables -A OUTPUT -p udp  -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A INPUT   -j REJECT;
iptables -A OUTPUT  -j REJECT;
iptables -A FORWARD -j REJECT;
The policy has to be DROP but to effect REJECT as the default it can be appended last to each chain.

 
Old 10-09-2017, 09:49 AM   #8
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
I'd make the following changes to that.

Code:
iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;

iptables -Z;
iptables -F;
iptables -X;

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

iptables -A OUTPUT -p tcp  -j ACCEPT
iptables -A OUTPUT -p udp  -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A INPUT   -j REJECT;
iptables -A OUTPUT  -j REJECT;
iptables -A FORWARD -j REJECT;
The policy has to be DROP but to effect REJECT as the default it can be appended last to each chain.
Can I ask what the commands below mean?
Code:
iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;
You have written them, but after that did a flush:
Code:
iptables -F;
I removed the line below because I guess it opens ping and anyone can ping me:
Code:
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
 
Old 10-09-2017, 10:02 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,655
Blog Entries: 3

Quote:
Originally Posted by hack3rcon View Post
Can I ask what does below commands mean
Code:
iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;
Yes. But see the manual page for an authoritative answer. "man iptables; man ip6tables;" The --policy sets the default for a chain. However, it is way better to use REJECT instead of DROP, especially for your own network. You want packets that you made to get an immediate answer rather than wasting your time with a time out. So since you have DROP as a policy, REJECT has to be added to the tail end of your chain.

Quote:
Originally Posted by hack3rcon View Post
I removed below line because I guess it open ping and anyone can ping me
Code:
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
Why? Only M$ machines are vulnerable to the Ping-Of-Death (tm) and not your machine. You need to allow it for some basic network maintenance and diagnostics.
 
Old 10-10-2017, 06:08 AM   #10
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Yes. But see the manual page for an authoritative answer. "man iptables; man ip6tables;" The --policy sets the default for a chain. However, it is way better to use REJECT instead of DROP, especially for your own network. You want packets that you made to get an immediate answer rather than wasting your time with a time out. So since you have DROP as a policy, REJECT has to be added to the tail end of your chain.



Why? Only M$ machines are vulnerable to the Ping-Of-Death (tm) and not your machine. You need to allow it for some basic network maintenance and diagnostics.
Thank you.
 
Old 10-10-2017, 06:33 AM   #11
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,655
Blog Entries: 3

No problem. You'll also want to make a parallel set of rules for IPv6. The addressing is a little different though:

Code:
ip6tables -A INPUT -i lo --source ::1/128 --destination ::1/128 -j ACCEPT
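As an added example that is not code from this thread, the POSIX sh script below prints the ruleset the replies converge on (DROP policies, loopback, ESTABLISHED/RELATED, rate-limited echo-request, unrestricted tcp/udp/icmp out, trailing REJECT) in iptables-restore(8) format for either IP family, so the rules can be reviewed before being loaded with iptables-restore or ip6tables-restore. It assumes the host offers no services, uses -m conntrack in place of the thread's -m state, and adds an assumed allowance for ICMPv6 neighbour discovery on the IPv6 side, since those packets are not tracked as ESTABLISHED and IPv6 stops working without them.

```shell
# Added example, not code from the thread. gen_rules <4|6> writes the filter
# table for the requested family to stdout in iptables-restore format.
# Assumptions: no inbound services; IPv6 neighbour discovery is accepted
# because it is not conntracked and cannot pass as ESTABLISHED,RELATED.
gen_rules() {
    case "$1" in
        4) loop='127.0.0.0/8'; icmp='icmp' ;;
        6) loop='::1/128';     icmp='icmpv6' ;;
        *) echo "usage: gen_rules 4|6" >&2; return 1 ;;
    esac
    # default policies stay DROP, as the thread advises
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # loopback only with loopback addresses, so spoofed 127/8 or ::1 arriving
    # on another interface is still dropped
    printf '%s\n' "-A INPUT -i lo -s $loop -d $loop -j ACCEPT"
    # replies to connections this host opened
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # rate-limited echo-request for basic diagnostics
    printf '%s\n' "-A INPUT -p $icmp --$icmp-type echo-request -m limit --limit 1/s -j ACCEPT"
    if [ "$1" = 6 ]; then
        # assumed addition: neighbour discovery is required for IPv6 to work at all
        for t in neighbour-solicitation neighbour-advertisement router-advertisement; do
            printf '%s\n' "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
        done
    fi
    # all outgoing tcp/udp/icmp is allowed
    for p in tcp udp "$icmp"; do printf '%s\n' "-A OUTPUT -p $p -j ACCEPT"; done
    # trailing REJECT so the sender gets an immediate answer instead of a timeout
    for c in INPUT OUTPUT FORWARD; do printf '%s\n' "-A $c -j REJECT"; done
    printf '%s\n' COMMIT
}

# count_rules <4|6>: number of -A rules, a quick sanity check before loading
count_rules() { gen_rules "$1" | grep -c '^-A'; }

# when run as a script with 4 or 6 as the argument, print that family's rules
case "${1:-}" in 4|6) gen_rules "$1" ;; esac
```

Review the output with `sh rules.sh 4` and `sh rules.sh 6`, then load each file as root with `iptables-restore` and `ip6tables-restore` respectively.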