[SOLVED] Write iptables rules for blocking all input connections but allow all output.

hack3rcon · 10-07-2017, 10:46 AM

Hello.
I'm using Debian 8.9 x64 and I like to write iptables rules that blocking all incoming connection but allow all outgoings. I searched and find some examples but now worked for me.

Thank you.

michaelk · 10-07-2017, 11:26 AM

Without seeing your rules we can not say why it isn't working.

There are several ways.

Set input policy to drop and output policy to accept.
Add input rule to accept lo
Add input rule to accept established,related

3cxmostar · 10-07-2017, 03:46 PM

in atachement you will see basic firewall with 80 & 22 ( #...)

hack3rcon · 10-08-2017, 07:38 AM

Quote:

Originally Posted by michaelk

Without seeing your rules we can not say why it isn't working.

There are several ways.

Set input policy to drop and output policy to accept.
Add input rule to accept lo
Add input rule to accept established,related

I have written the rules that exist in the example.

michaelk · 10-08-2017, 08:13 AM

That example only allows outgoing ssh.

hack3rcon · 10-09-2017, 08:05 AM

Quote:

Originally Posted by michaelk

That example only allows outgoing ssh.

I edited it:

Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Turbocapitalist · 10-09-2017, 08:15 AM

I'd make the following changes to that.

Code:

iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;

iptables -Z;
iptables -F;
iptables -X;

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

iptables -A OUTPUT -p tcp  -j ACCEPT
iptables -A OUTPUT -p udp  -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A INPUT   -j REJECT;
iptables -A OUTPUT  -j REJECT;
iptables -A FORWARD -j REJECT;

The policy has to be DROP but to effect REJECT as the default it can be appended last to each chain.

hack3rcon · 10-09-2017, 10:49 AM

Quote:

Originally Posted by Turbocapitalist

I'd make the following changes to that.

Code:

iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;

iptables -Z;
iptables -F;
iptables -X;

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

iptables -A OUTPUT -p tcp  -j ACCEPT
iptables -A OUTPUT -p udp  -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A INPUT   -j REJECT;
iptables -A OUTPUT  -j REJECT;
iptables -A FORWARD -j REJECT;

The policy has to be DROP but to effect REJECT as the default it can be appended last to each chain.

Can I ask what does below commands mean

Code:

iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;

You have written them but after it did a flash

Code:

iptables -F;

I removed below line because I guess it open ping and anyone can ping me

Code:

iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

Turbocapitalist · 10-09-2017, 11:02 AM

Quote:

Originally Posted by hack3rcon

Can I ask what does below commands mean

Code:

iptables --policy INPUT   DROP;
iptables --policy OUTPUT  DROP;
iptables --policy FORWARD DROP;

Yes. But see the manual page for an authoritative answer. "man iptables; man ip6tables;" The --policy sets the default for a chain. However, it is way better to use REJECT instead of DROP, especially for your own network. You want packets that you made to get an immediate answer rather than wasting your time with a time out. So since you have DROP as a policy, REJECT has to be added to the tail end of your chain.

Quote:

Originally Posted by hack3rcon

I removed below line because I guess it open ping and anyone can ping me

Code:

iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

Why? Only M$ machines are vulnerable to the Ping-Of-Death (tm) and not your machine. You need to allow it for some basic network maintenance and diagnostics.

hack3rcon · 10-10-2017, 07:08 AM

Quote:

Originally Posted by Turbocapitalist

Yes. But see the manual page for an authoritative answer. "man iptables; man ip6tables;" The --policy sets the default for a chain. However, it is way better to use REJECT instead of DROP, especially for your own network. You want packets that you made to get an immediate answer rather than wasting your time with a time out. So since you have DROP as a policy, REJECT has to be added to the tail end of your chain.

Why? Only M$ machines are vulnerable to the Ping-Of-Death (tm) and not your machine. You need to allow it for some basic network maintenance and diagnostics.

Thank you.

Turbocapitalist · 10-10-2017, 07:33 AM

No problem. You'll also want to make a parallel set of rules for IPv6. The addressing is a little different though:

Code:

ip6tables -A INPUT -i lo --source ::1/128 --destination ::1/128 -j ACCEPT