Re: Better iptables firewall



Personally, the smaller your configuration, the better your security. Here is my config:

# Flush all rules and delete user-defined chains in the filter table
iptables -t filter -F
iptables -t filter -X
# Default to DROP on every chain
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
# Accept only replies to connections this host opened
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback traffic, restricted to 127/8 on both ends, except packets conntrack marks INVALID
iptables -t filter -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -m state ! --state INVALID -j ACCEPT
# Everything outbound except INVALID packets
iptables -t filter -A OUTPUT -m state ! --state INVALID -j ACCEPT

You can also add a commented line to accept ICMP, just in case you have problems connecting to the network. In that case, uncomment the line and relaunch your firewall. When you have solved the connection problem, re-comment the ICMP line and relaunch your firewall.
#iptables -t filter -A INPUT -p icmp -j ACCEPT

Hope this helps.
Christophe


Michael Pobega wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Currently I'm using iptables as my main firewall, and I'm having no
trouble with it whatsoever. But lately (since college has started) I've
been connecting to a lot more networks, with more peers connected. I'm
worried about somebody breaking through the security on my laptop and
doing something malicious.

I'm hoping some seasoned Debian sysadmins out there can help me by
advising me on how to better set up iptables... My current setup is:


# Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35639:3072343]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP
#-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
COMMIT
# Completed on Mon Jun 18 09:55:18 2007

The commented rules are uncommented in my ruleset for home (I only have
those ports forwarded on my home router, so opening them outside is a potential security hazard).

--
If programmers deserve to be rewarded for creating innovative
programs, by the same token they deserve to be punished if they
restrict the use of these programs. - Richard Stallman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1ka1g6qL2BGnx4QRAqiAAJ9ga+7x+ShT64BWbZ/59BYTJ+eCgQCfQo5O
ZLlBxl1aLfm3tlaDOO75GU0=
=CYxy
-----END PGP SIGNATURE-----
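Taking the two posts together (Christophe's point that a small default-DROP ruleset is easier to trust, and Michael's habit of uncommenting the three port rules only when he is at home), here is an added example, not code from either poster, that turns the home/away distinction into a script: it emits the whole ruleset in iptables-restore syntax for a named profile, so changing networks means re-running it instead of editing comments. The profile names "home" and "away", the function names, and the use of `-m conntrack --ctstate` (the current equivalent of the `-m state --state` match in both posts) and of `iptables-restore --test` for a parse check are this example's own choices; the ports 5030, 8080 and 15000 are the ones from Michael's ruleset.

```shell
#!/bin/sh
# Added example (not code from either poster): emit the laptop ruleset for a
# named profile in iptables-restore syntax. Any profile other than "home" is
# treated as untrusted and opens no listening ports.

# gen_rules PROFILE -> prints a complete *filter table for iptables-restore.
gen_rules() {
    profile="$1"
    echo '*filter'
    # Default policies: drop unsolicited inbound; a laptop forwards nothing.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Accept replies to connections this host opened; drop packets conntrack
    # cannot classify, in both directions (Christophe excludes INVALID too).
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -i lo -j ACCEPT'
    # Rate-limited ICMP keeps ping and path-MTU feedback usable while bounding
    # the cost of a flood; the remainder is dropped explicitly.
    echo '-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 5 -j ACCEPT'
    echo '-A INPUT -p icmp -j DROP'
    # Listening services are reachable only on the trusted profile.
    if [ "$profile" = home ]; then
        for port in 5030 8080 15000; do
            echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi
    echo 'COMMIT'
}

# count_open_ports PROFILE -> how many TCP ports the profile accepts.
count_open_ports() {
    gen_rules "$1" | awk '/--dport/ { n++ } END { print n + 0 }'
}

# chain_policy CHAIN PROFILE -> the default policy the profile sets for CHAIN.
chain_policy() {
    gen_rules "$2" | awk -v c=":$1" '$1 == c { print $2 }'
}

# apply_rules PROFILE: parse-check the ruleset with iptables-restore's test
# mode, then load it atomically (needs root; not exercised by the checks).
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$1" > "$tmp"
    iptables-restore --test < "$tmp" && iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Command line: "sh fw.sh print home" to inspect, "sh fw.sh apply away" to load.
case "${1-}" in
    print) gen_rules "$2" ;;
    apply) apply_rules "$2" ;;
esac
```

Because the whole table is rebuilt from one function, the two profiles cannot drift apart: the only difference between them is the block of port rules, which is easy to read and to diff.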
