LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-22-2012, 08:59 PM   #1
GrepAwkSed
LQ Newbie
 
Registered: Mar 2012
Posts: 23

Rep: Reputation: Disabled
Basic iptables help


Hi,

I'm not familiar with iptables, so I just grab pieces off the internet and YouTube. Anyway, I don't have any running services on my machine, so I didn't add them to the firewall.

I put this firewall script together with iptables. Is this good enough for my needs, as I am using Linux as a desktop?

Code:
#!/bin/bash

/sbin/iptables -F
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP

# Accept local services to my local machine
/sbin/iptables -A INPUT -j ACCEPT -i lo

# Accept connections I started i.e internet surfing
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all incoming packets
/sbin/iptables -A INPUT -i eth0 -j DROP -p tcp

exit 0
PS: Will the last rule drop packets from spoofed IP addresses, fragmented packets, etc., or do I need to add those?

Thanks for any replies

Last edited by GrepAwkSed; 03-22-2012 at 09:00 PM.
 
Old 03-22-2012, 09:14 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,680

Rep: Reputation: Disabled
The last rule is actually redundant, as you have set the policy on the INPUT chain to DROP. Any traffic not matching a specific rule is handled by the chain policy.

As for spoofed addresses and fragments, you're actually not letting anything in except this:

Code:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Unless a packet belongs to an existing connection (ESTABLISHED) or is a secondary connection (RELATED) allowed by a connection tracking ALG (like an FTP data connection), it will be dropped.
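An added audit script (not from the thread) that checks a desktop ruleset as printed by `iptables -S`: it verifies the DROP policies, the loopback and ESTABLISHED,RELATED accepts, and flags a trailing rule whose target equals the chain policy, which is exactly the redundancy described above. The sample output is constructed to match the original poster's script.

```python
"""Audit a desktop iptables ruleset from `iptables -S` output."""
# Constructed sample: what `iptables -S` prints after the original poster's script has run.
# The kernel reorders the state list and the option order relative to how they were typed.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j DROP
"""

def parse_rules(text):
    """Return ({chain: policy}, [rule]); each rule is {'chain', 'target', 'args'}."""
    policies, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            rules.append({"chain": parts[1], "target": target, "args": parts[2:]})
    return policies, rules

def _opt(args, flag):
    """Value following `flag` in a rule's argument list, or '' if absent."""
    return args[args.index(flag) + 1] if flag in args else ""

def audit(text):
    """Check the invariants of a deny-inbound-by-default desktop ruleset; return findings."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'unset')}, expected DROP")
    inp = [r for r in rules if r["chain"] == "INPUT"]
    if not any(_opt(r["args"], "-i") == "lo" and r["target"] == "ACCEPT" for r in inp):
        findings.append("no ACCEPT rule for loopback (-i lo); local services would break")
    states = {s for r in inp if r["target"] == "ACCEPT"
              for s in (_opt(r["args"], "--state") or _opt(r["args"], "--ctstate")).split(",")}
    if not {"ESTABLISHED", "RELATED"} <= states:
        findings.append("no ACCEPT for ESTABLISHED,RELATED; replies to outbound traffic are dropped")
    # A trailing rule whose target equals the chain policy changes nothing: packets it matches
    # would hit the policy anyway. This is the redundant last rule pointed out in the thread.
    for chain, policy in policies.items():
        chain_rules = [r for r in rules if r["chain"] == chain]
        if chain_rules and chain_rules[-1]["target"] == policy:
            findings.append(f"last {chain} rule ({' '.join(chain_rules[-1]['args'])}) is redundant with policy {policy}")
    return findings
```

Run it against live output with `iptables -S | python3 audit.py` after adding a small `sys.stdin.read()` wrapper; an empty findings list means the ruleset matches the thread's recommendations.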
 
Old 03-22-2012, 09:31 PM   #3
GrepAwkSed
LQ Newbie
 
Registered: Mar 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
@ Ser Olmy

Well, like I said, I'm not an iptables expert.

Thanks for the prompt reply. I will remove the last rule since it is redundant as you said.
 
Old 03-23-2012, 05:54 AM   #4
Lexus45
Member
 
Registered: Jan 2010
Distribution: Debian, Centos, Ubuntu, Slackware
Posts: 361
Blog Entries: 3

Rep: Reputation: 48
Put this into a script, make it executable (chmod +x) and put it somewhere in your system's autostart. This is practically the same as what you have, but it is also able to accept start/stop/restart commands (e.g. /path/to/this/script restart).
Code:
#!/bin/bash
# Desktop firewall: drop everything inbound except loopback and replies to our own connections.

firewall_start() {
    # Start from a clean slate in every table
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    # Setting default policies: nothing in, nothing forwarded, everything out
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # iptables rules go here
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Loopback. Note that traffic to the host's own non-loopback addresses also arrives
    # on lo and, being outside 127.0.0.0/8, falls through to the DROP policy with this rule.
    iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
}

firewall_stop() {
    # Flushing alone would leave the DROP policies in place and block all input,
    # so reset the policies to the kernel default (ACCEPT) as well
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
}

firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}

case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage: $0 start|stop|restart" >&2
        exit 1
        ;;
esac

Last edited by Lexus45; 03-23-2012 at 05:57 AM.
 
Old 03-23-2012, 10:25 AM   #5
GrepAwkSed
LQ Newbie
 
Registered: Mar 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Thanks for the script
 