02-04-2014, 11:28 PM   #1
rng (Senior Member)
Iptables rules for Internet browsing (http, https) home desktop system?


If one only wants to connect to the internet for browsing (http, https) from a home desktop system, can one use the following simple & small set of rules?
Code:
# Generated by iptables-save v1.4.14 on Wed Feb  5 10:54:54 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Feb  5 12:09:45 2014
# Generated by iptables-save v1.4.14 on Wed Feb  5 12:09:45 2014
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Feb  5 10:54:54 2014
# Generated by iptables-save v1.4.14 on Wed Feb  5 10:54:54 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT

Last edited by rng; 02-05-2014 at 12:43 AM.
 
02-05-2014, 01:27 AM   #2
unSpawn (Moderator)
You're showing unused tables and you didn't tack on any --ctstate in the filter table OUTPUT chain rules. Is that intentional?
 
02-05-2014, 02:15 AM   #3
rng (Senior Member, original poster)
These rules I got from different sources on the net. I want to have simple rules which will permit only web browsing (http and https) and nothing else for a desktop. How should I use the unused tables, and should I add a line like the following?
Code:
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
I thought the connection should start from browser, so only related incoming should be allowed.

Last edited by rng; 02-05-2014 at 04:47 AM.
 
02-05-2014, 12:37 PM   #4
unSpawn (Moderator)
Quote:
Originally Posted by rng
I want to have simple rules
...then you shouldn't have posted in somebody else's thread in the first place. So I moved it.


Quote:
Originally Posted by rng
How should I use the unused tables
You don't need them now so just remove them from your rule set file.


Quote:
Originally Posted by rng
and should I add a line like the following?
Code:
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
No but
Code:
-A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
makes sense the way you use your rule set.
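A toy model of the filter rules discussed so far, added here as an example (it is not code from the thread or from LinuxQuestions). It evaluates a few constructed packets against INPUT and OUTPUT chains with a DROP policy and a simplified conntrack, and reports what each OUTPUT variant does with a DNS query, the outbound SYN, the SYN/ACK reply, the next outbound packet, and an unsolicited inbound SYN. The OUTPUT RELATED,ESTABLISHED line is the one rng proposed, the NEW-only line is unSpawn's, and the udp/53 line is the one that appears later in the thread; the Packet and Conntrack classes, the interface name and the addresses are constructed for the example.

```python
"""Toy model of the thread's filter table (added example, not thread code).
It models only what is needed to see how a DROP chain policy, per-rule
matches and conntrack state interact. Packet, Conntrack and the addresses
below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    chain: str   # "INPUT" or "OUTPUT"
    iface: str   # "lo" or "eth0" (constructed interface name)
    proto: str   # "tcp" or "udp"
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)


class Conntrack:
    """Minimal tracker: a flow is NEW until one of its packets is accepted,
    after which packets in either direction are ESTABLISHED. RELATED and
    INVALID exist in the real thing but are not needed here."""

    def __init__(self):
        self.flows = set()

    def state(self, p):
        fwd, rev = (p.proto, p.src, p.dst), (p.proto, p.dst, p.src)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, p):
        # Netfilter only confirms the entry when the packet is not dropped.
        self.flows.add((p.proto, p.src, p.dst))


POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}   # as in the thread


def build_rules(output_established=False, allow_dns=False):
    """Rules as (chain, predicate(packet, state), target), in thread order."""
    rules = [
        ("INPUT", lambda p, s: p.iface == "lo", "ACCEPT"),
        ("INPUT", lambda p, s: s in ("RELATED", "ESTABLISHED"), "ACCEPT"),
        ("OUTPUT", lambda p, s: p.iface == "lo", "ACCEPT"),
    ]
    if output_established:   # the OUTPUT RELATED,ESTABLISHED line rng proposed
        rules.append(("OUTPUT", lambda p, s: s in ("RELATED", "ESTABLISHED"), "ACCEPT"))
    # unSpawn's line: only NEW connections, and only to tcp/80 and tcp/443
    rules.append(("OUTPUT", lambda p, s: p.proto == "tcp" and p.dst[1] in (80, 443)
                  and s == "NEW", "ACCEPT"))
    if allow_dns:            # the udp/53 line from later in the thread
        rules.append(("OUTPUT", lambda p, s: p.proto == "udp" and p.dst[1] == 53, "ACCEPT"))
    return rules


def verdict(p, ct, rules):
    """First matching rule in the packet's chain wins; otherwise the policy."""
    state = ct.state(p)
    for chain, match, target in rules:
        if chain == p.chain and match(p, state):
            if target == "ACCEPT":
                ct.confirm(p)
            return target
    return POLICY[p.chain]


# Constructed addresses from the documentation ranges.
ME, WEB, NS = ("192.0.2.10", 40000), ("198.51.100.7", 443), ("192.0.2.1", 53)
STRANGER = ("203.0.113.9", 5555)


def https_session(rules):
    """Verdicts for a DNS lookup, a TCP handshake to a web server, the first
    data packet, and an unsolicited inbound SYN to port 22."""
    ct = Conntrack()
    packets = [
        Packet("OUTPUT", "eth0", "udp", ME, NS),                       # DNS query
        Packet("OUTPUT", "eth0", "tcp", ME, WEB),                      # SYN
        Packet("INPUT", "eth0", "tcp", WEB, ME),                       # SYN/ACK
        Packet("OUTPUT", "eth0", "tcp", ME, WEB),                      # ACK / request
        Packet("INPUT", "eth0", "tcp", STRANGER, ("192.0.2.10", 22)),  # unsolicited
    ]
    return [verdict(p, ct, rules) for p in packets]


if __name__ == "__main__":
    for desc, rules in [("NEW-only OUTPUT", build_rules()),
                        ("plus OUTPUT ESTABLISHED", build_rules(output_established=True)),
                        ("plus ESTABLISHED and udp/53", build_rules(True, True))]:
        print(f"{desc:30} {https_session(rules)}")
```

The NEW-only variant accepts the SYN and the SYN/ACK but drops the third packet of the handshake: that packet is ESTABLISHED rather than NEW, matches nothing in OUTPUT and falls through to the DROP policy, which is why an OUTPUT RELATED,ESTABLISHED accept is needed alongside the NEW rule. The udp/53 rule is what lets a browser resolve names on a machine without a local resolver; without it the DNS query is dropped before the web connection is ever attempted. The unsolicited inbound SYN is dropped in every variant, because nothing in INPUT accepts a NEW connection.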
 
02-05-2014, 07:09 PM   #5
rng (Senior Member, original poster)
Thanks for creating a separate thread for this.
Quote:
...the unused tables...You don't need them now so just remove them from your rule set file.
I am sorry but I cannot understand this. Only the forward chain in the *filter part is unused. Should I remove line number 21?
Code:
1:# Generated by iptables-save v1.4.14 on Wed Feb  5 10:54:54 2014
2:*nat
3::PREROUTING ACCEPT [0:0]
4::INPUT ACCEPT [0:0]
5::OUTPUT ACCEPT [0:0]
6::POSTROUTING ACCEPT [0:0]
7:COMMIT
8:# Completed on Wed Feb  5 12:09:45 2014
9:# Generated by iptables-save v1.4.14 on Wed Feb  5 12:09:45 2014
10:*mangle
11::PREROUTING ACCEPT [0:0]
12::INPUT ACCEPT [0:0]
13::FORWARD DROP [0:0]
14::OUTPUT ACCEPT [0:0]
15::POSTROUTING ACCEPT [0:0]
16:COMMIT
17:# Completed on Wed Feb  5 10:54:54 2014
18:# Generated by iptables-save v1.4.14 on Wed Feb  5 10:54:54 2014
19:*filter
20::INPUT DROP [0:0]
21::FORWARD DROP [0:0]
22::OUTPUT DROP [0:0]
23:-A INPUT -i lo -j ACCEPT
24:-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
25:-A OUTPUT -o lo -j ACCEPT
26:-A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
27:COMMIT

Last edited by rng; 02-05-2014 at 09:55 PM.
 
02-06-2014, 01:57 PM   #6
unSpawn (Moderator)
You're only using the filter table:
Code:
19:*filter
20::INPUT DROP [0:0]
21::FORWARD DROP [0:0]
22::OUTPUT DROP [0:0]
23:-A INPUT -i lo -j ACCEPT
24:-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
25:-A OUTPUT -o lo -j ACCEPT
26:-A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
27:COMMIT
 
02-06-2014, 07:32 PM   #7
rng (Senior Member, original poster)
It is generally recommended not to change these:
http://www.iptables.info/en/structure-of-iptables.html
Should I just remove the *nat and *mangle part?

Also, is there any role for the DROP commands in the following list, or are they redundant as the policy is to drop:
Code:
-A INPUT -d 255.255.255.255/32 -i eth1 -j DROP
-A INPUT -d 192.168.1.255/32 -j DROP
-A INPUT -s 224.0.0.0/8 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

-A FORWARD -j DROP

-A OUTPUT -s 224.0.0.0/8 -j DROP
-A OUTPUT -d 224.0.0.0/8 -j DROP
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
The following sysctl commands are also recommended for security. Should they also be routinely added (in the /etc/rc.local file)?
Code:
/sbin/sysctl -q -w net.ipv4.conf.all.rp_filter=1
/sbin/sysctl -q -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -q -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -q -w net.ipv4.conf.all.accept_source_route=0
/sbin/sysctl -q -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -q -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -q -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -q -w net.ipv4.ip_forward=1
 
02-07-2014, 01:00 AM   #8
unSpawn (Moderator)
Quote:
Originally Posted by rng
It is generally recommended not to change these:
http://www.iptables.info/en/structure-of-iptables.html
It is generally recommended not to change what specifically?


Quote:
Originally Posted by rng
Should I just remove the *nat and *mangle part?
Since you are aware of the http://www.iptables.info/en/structure-of-iptables.html I'll return the question: does your machine in the current setup actually filter any traffic through the nat and mangle tables?


Quote:
Originally Posted by rng
Also, is there any role for the DROP commands in the following list, or are they redundant as the policy is to drop:
Since you are aware of the http://www.iptables.info/en/structure-of-iptables.html I'll return the question: how can you diagnose yourself which rules work regardless of what a chain's policy is set to?


Quote:
Originally Posted by rng
The following sysctl commands are also recommended for security.
Please explain for each line what it does at the current setting (considering "0" means disabled and "1" means enabled)?


Quote:
Originally Posted by rng
Should they also be routinely added (in the /etc/rc.local file)
If your distribution doesn't offer a standardized way of loading sysctls (/etc/sysctl.conf?) then sure.
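One way to answer "which rules actually work regardless of the policy" is to read the per-rule packet and byte counters that iptables-save -c prints in front of every rule. The following is an added example, not code from the thread or from LinuxQuestions: it parses that output, lists the rules that have never matched, finds the trailing -j DROP rules in chains whose policy is already DROP, and shows the busiest rules. The SAMPLE text is constructed to look like the rule set from post #7 on a desktop that has been up for a while; the counter values are invented.

```python
"""Read the per-rule counters from 'iptables-save -c' output to see which
rules match traffic. Added example, not code from the thread; SAMPLE is a
constructed excerpt with invented counter values."""
import re

SAMPLE = """\
# constructed sample of 'iptables-save -c' output
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -d 255.255.255.255/32 -i eth1 -j DROP
[3:180] -A INPUT -d 192.168.1.255/32 -j DROP
[0:0] -A INPUT -s 224.0.0.0/8 -j DROP
[41:5658] -A INPUT -d 224.0.0.0/8 -j DROP
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[220:26400] -A INPUT -i lo -j ACCEPT
[9810:11234567] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[57:3420] -A INPUT -j DROP
[0:0] -A FORWARD -j DROP
[220:26400] -A OUTPUT -o lo -j ACCEPT
[131:7860] -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
[88:6160] -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
[4:240] -A OUTPUT -j DROP
COMMIT
"""

# ':CHAIN POLICY [pkts:bytes]' and '[pkts:bytes] -A CHAIN ...' lines
CHAIN_LINE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_LINE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+(\S+)\s.*)$")


def parse_save(text):
    """Return ({chain: {policy, pkts, bytes}}, [rule dicts in file order])."""
    chains, rules = {}, []
    for line in text.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            chains[m.group(1)] = {"policy": m.group(2),
                                  "pkts": int(m.group(3)), "bytes": int(m.group(4))}
            continue
        m = RULE_LINE.match(line)
        if m:
            rules.append({"pkts": int(m.group(1)), "bytes": int(m.group(2)),
                          "rule": m.group(3), "chain": m.group(4)})
    return chains, rules


def never_matched(text):
    """Rules with a zero packet counter since the counters were last reset.
    Zero means 'not needed so far', not 'safe to delete': a sanity rule that
    never fires is still doing its job."""
    return [r["rule"] for r in parse_save(text)[1] if r["pkts"] == 0]


def terminal_drops(text):
    """Trailing '-j DROP' rules in chains whose policy is already DROP. They
    change nothing for the packet, but their counter shows how much traffic
    reaches the end of the chain; the policy counter then stays at zero."""
    chains, rules = parse_save(text)
    last = {}
    for r in rules:
        last[r["chain"]] = r
    return [(chain, r["pkts"]) for chain, r in last.items()
            if r["rule"] == f"-A {chain} -j DROP"
            and chains.get(chain, {}).get("policy") == "DROP"]


def busiest(text, n=3):
    """The n rules with the most packets: a quick view of what the box does."""
    rules = parse_save(text)[1]
    return [r["rule"] for r in sorted(rules, key=lambda r: r["pkts"], reverse=True)[:n]]


if __name__ == "__main__":
    print("never matched:", *never_matched(SAMPLE), sep="\n  ")
    print("terminal DROP rules (chain, packets):", terminal_drops(SAMPLE))
    print("busiest:", *busiest(SAMPLE), sep="\n  ")
```

On a live system the input comes from `iptables-save -c` run as root (or `iptables -L -v -n`, which shows the same counters in a different layout); counters accumulate from boot or from the last `iptables -Z`, so read them after a realistic period of use before drawing conclusions about a rule.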
 
02-08-2014, 05:00 AM   #9
rng (Senior Member, original poster)
The sysctl commands are from this link: http://galinux.myftp.org/galinux-sla....d/rc.FireWall
I find it simpler to use gui applications like firestarter and gufw.
 
02-08-2014, 08:03 AM   #10
unSpawn (Moderator)
Quote:
Originally Posted by rng
The sysctl commands are from this link:
That's not what I asked for. Just copying something does not equal understanding the implications. And kind of asking us to spell out the implications for you is counter-productive given the amount of documentation available to you. So read and check if what's listed is what you really want.


Quote:
Originally Posted by rng
I find it simpler to use gui applications like firestarter and gufw.
Then by all means use those. Just don't expect them to allow for more than just basic firewall rules.
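A way to "read and check if what's listed is what you really want" for the sysctl lines from post #7, added here as an example that is not code from the thread or from LinuxQuestions. It parses the rc.local-style commands and a sysctl -a excerpt, compares each key with the value a browsing-only desktop that does not route would want, and renders the result as an /etc/sysctl.d fragment so the settings load through the distribution's own mechanism rather than rc.local. The EXPECTED table (the wanted values and what each key switches on) and the RUNNING excerpt are assumptions constructed for the example; the one line on which the posted list differs from that table is net.ipv4.ip_forward=1, which turns on IPv4 forwarding between interfaces.

```python
"""Compare the thread's sysctl lines, and a running kernel, with the values a
non-routing desktop wants. Added example, not thread code; EXPECTED and
RUNNING are assumptions constructed for the example."""
import re

# key -> (value wanted on a non-routing desktop, what a value of 1 switches on)
EXPECTED = {
    "net.ipv4.conf.all.rp_filter": (1, "reverse-path source validation"),
    "net.ipv4.conf.all.log_martians": (1, "logging of packets with impossible addresses"),
    "net.ipv4.conf.all.send_redirects": (0, "sending ICMP redirects (a router's job)"),
    "net.ipv4.conf.all.accept_source_route": (0, "accepting source-routed packets"),
    "net.ipv4.conf.all.accept_redirects": (0, "accepting ICMP redirects"),
    "net.ipv4.tcp_syncookies": (1, "SYN cookies when the SYN backlog overflows"),
    "net.ipv4.icmp_echo_ignore_broadcasts": (1, "ignoring echo requests sent to broadcast addresses"),
    "net.ipv4.ip_forward": (0, "IPv4 forwarding between interfaces (routing)"),
}

RC_LINE = re.compile(r"sysctl\s+(?:-\w+\s+)*([\w.]+)=(\S+)")      # sysctl -q -w key=value
SYSCTL_LINE = re.compile(r"^\s*([\w.]+)\s*=\s*(\S+)\s*$")         # key = value


def parse_rc_local(text):
    """key -> int value from '/sbin/sysctl -q -w key=value' lines."""
    out = {}
    for line in text.splitlines():
        m = RC_LINE.search(line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_sysctl_output(text):
    """key -> int value from 'key = value' lines as 'sysctl -a' prints them."""
    out = {}
    for line in text.splitlines():
        m = SYSCTL_LINE.match(line)
        if m and m.group(2).lstrip("-").isdigit():
            out[m.group(1)] = int(m.group(2))
    return out


def deviations(values):
    """(key, value found, value wanted, what 1 means) for every known key
    whose value differs from EXPECTED; unknown keys are ignored."""
    return [(k, v, EXPECTED[k][0], EXPECTED[k][1])
            for k, v in values.items() if k in EXPECTED and v != EXPECTED[k][0]]


def sysctl_conf(keys):
    """Render the wanted values for the given keys as an /etc/sysctl.d/*.conf
    fragment, each preceded by a comment saying what the setting does."""
    lines = []
    for k in keys:
        want, meaning = EXPECTED[k]
        lines.append(f"# {'enable' if want else 'disable'} {meaning}")
        lines.append(f"{k} = {want}")
    return "\n".join(lines) + "\n"


# The eight lines from the thread.
RC_LOCAL = """\
/sbin/sysctl -q -w net.ipv4.conf.all.rp_filter=1
/sbin/sysctl -q -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -q -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -q -w net.ipv4.conf.all.accept_source_route=0
/sbin/sysctl -q -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -q -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -q -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -q -w net.ipv4.ip_forward=1
"""

# Constructed 'sysctl -a' excerpt standing in for a freshly installed desktop.
RUNNING = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    for k, found, want, meaning in deviations(parse_rc_local(RC_LOCAL)):
        print(f"posted list sets {k}={found}, wanted {want}: {meaning}")
    for k, found, want, meaning in deviations(parse_sysctl_output(RUNNING)):
        print(f"running kernel has {k}={found}, wanted {want}: {meaning}")
    print(sysctl_conf(parse_rc_local(RC_LOCAL)), end="")
```

On a real machine, feed `sysctl -a 2>/dev/null` to `parse_sysctl_output` and write the fragment from `sysctl_conf` to a file under /etc/sysctl.d/, then apply it with `sysctl --system`; the FORWARD chain's DROP policy is what keeps forwarding harmless when ip_forward is left on, but a desktop that never routes has no reason to enable it in the first place.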
 
02-08-2014, 09:03 AM   #11
rng (Senior Member, original poster)
My idea is to have a simple list of rules/commands which will make the Linux system of an average home computer (like mine) more secure, if one only wants to browse the web through the internet. I am less inclined to learn all the intricacies of these commands, which I leave to Linux experts like you. From what I gather, the above rules can be used in the situation that I just mentioned.
 