Simplest Linux firewall rules ever

As a newbie in this session, I just want to share.

Regardless of what version of Linux you are using and providing you are not using any special type of networking that requires NAT or REDIRECT, you can lock down your system from a firewall perspective in three simple steps.

Default Linux installs have an IPTABLES firewall configuration that looks like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This policy allows unrestricted traffic FROM and TO your computer. You can change this with three simple IPTABLES commands that will block all inbound traffic to your computer unless your computer initiated the connection.

Be sure to issue the commands in the order shown or you may lock yourself out of your own session.
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

The first line allows all traffic on your loopback interface (127.0.0.1); this is important for allowing your local system to access its own services. The 2nd line allows back in all traffic belonging to connections your computer initiated, such as HTTP, FTP, SMTP, and DNS traffic, which is important for all your internet connections. That's it; now all you have to do is save your changes using iptables-save.
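As an added example (not code from the original post), the script below emits the three rules in the order the post requires and refuses to apply them if that order is wrong, which is the mistake that locks you out of a remote session. The names IPTABLES, lockdown_rules, check_order, dryrun and apply_lockdown are my own; set IPTABLES=dryrun to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: emit the three lockdown rules from the post in the only
# safe order (loopback ACCEPT, state ACCEPT, then the DROP policy last),
# verify that order, and apply via $IPTABLES (a name assumed here).

# Print the three rules, one per line, exactly as the post gives them.
lockdown_rules() {
    printf '%s\n' \
        'iptables -A INPUT -p ALL -i lo -j ACCEPT' \
        'iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -P INPUT DROP'
}

# Read a candidate ruleset on stdin; succeed only if the policy change is the
# final line and both ACCEPT rules come before it.
check_order() {
    awk '
        /-P INPUT DROP/                { policy_line = NR }
        /-i lo -j ACCEPT/              { lo_line = NR }
        /--state ESTABLISHED,RELATED/  { state_line = NR }
        END {
            ok = (policy_line > 0 && policy_line == NR &&
                  lo_line > 0 && lo_line < policy_line &&
                  state_line > 0 && state_line < policy_line)
            exit !ok
        }'
}

# Dry-run stand-in for the iptables binary: prints instead of executing.
dryrun() { printf 'iptables %s\n' "$*"; }

# Apply the rules one by one through $IPTABLES (defaults to the real binary).
apply_lockdown() {
    lockdown_rules | check_order || {
        echo "refusing to apply: unsafe rule order" >&2
        return 1
    }
    while IFS= read -r rule; do
        set -- $rule; shift          # drop the literal "iptables" word
        "${IPTABLES:-iptables}" "$@" || return 1
    done <<EOF
$(lockdown_rules)
EOF
}

# Usage: IPTABLES=dryrun sh lockdown.sh --apply   (preview)
#        sh lockdown.sh --apply                   (apply for real, as root)
if [ "${1:-}" = "--apply" ]; then
    apply_lockdown
fi
```

Two caveats worth knowing: `-m state --state` still works but is a legacy alias, and current iptables documents the same test as `-m conntrack --ctstate ESTABLISHED,RELATED`; and these rules only touch IPv4, so a host with IPv6 enabled needs the equivalent ip6tables rules to be locked down the same way.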

Users who are more paranoid, or curious to see what type of inbound traffic is arriving at their system and being blocked, can add this IPTABLES command (after the two ACCEPT rules and before setting the DROP policy):
iptables -A INPUT -p ALL -j LOG --log-prefix "Blocked Inbound Traffic "

* Note the space after Traffic in the quotes; this is important so that log entries end up with a space between the "Blocked Inbound Traffic" statement and the entries that IPTABLES will log, rendering them more readable for the user.
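Once the LOG rule is in place, the kernel writes one line per blocked packet to syslog (typically /var/log/kern.log or `journalctl -k`), with the prefix followed by the LOG target's usual key=value fields (IN=, SRC=, DST=, PROTO=, DPT=, ...). The following added example, not part of the original post, summarises such lines by source, protocol and destination port; the sample log lines and the name blocked_summary are constructed for this example, and ICMP lines, which carry no DPT field, are reported with "-" in that column.

```shell
#!/bin/sh
# Added example: summarise "Blocked Inbound Traffic" log lines.
# The lines below are constructed sample data in the LOG target's format,
# not a capture from a real host.
BLOCKED_LOG_SAMPLE='Jan 10 12:00:01 host kernel: Blocked Inbound Traffic IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: Blocked Inbound Traffic IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=44124 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 host kernel: eth1: link is up
Jan 10 12:00:04 host kernel: Blocked Inbound Traffic IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:05 host kernel: Blocked Inbound Traffic IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 10 12:00:06 host kernel: Blocked Inbound Traffic IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=44125 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Read kernel log lines on stdin; print "count SRC PROTO DPT" per group,
# most frequent first (ties ordered by source address). Lines without the
# "Blocked Inbound" prefix are ignored, so a whole kern.log can be piped in.
blocked_summary() {
    awk '
        /Blocked Inbound/ {
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)   # absent for ICMP
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Usage on a live system (needs read access to the kernel log):
#   journalctl -k | blocked_summary
# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$BLOCKED_LOG_SAMPLE" | blocked_summary
```

The second-to-last sample line is exactly the kind of noise the post's later Multicast/Broadcast DROP rules are meant to keep out of the log: a NetBIOS name-service broadcast from the router to 192.168.1.255.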

So using the entire configuration, this is what your complete IPTABLES command entry will look like:
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -j LOG --log-prefix "Blocked Inbound Traffic "
iptables -P INPUT DROP
Feel free to fine tune the logging by using:
iptables -A INPUT -p TCP -j LOG --log-prefix "Blocked Inbound TCP Traffic "
and
iptables -A INPUT -p UDP -j LOG --log-prefix "Blocked Inbound UDP Traffic "

* Special note, using these IPTABLES rules will block and log Broadcast and Multicast traffic. If you are using a single system with a single router or firewall, you will not require Broadcast or Multicast traffic, unless you have a home network with multiple systems. Providing you are a user with a single computer system and a router or firewall, you can feasibly get away with blocking Broadcast and Multicast traffic and may wish to implement this IPTABLES ruleset:
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p UDP -i eth1 -d 224.0.0.0/8 -j DROP
iptables -A INPUT -p UDP -i eth1 -d 192.168.1.255 -j DROP
iptables -A INPUT -p TCP -j LOG --log-prefix "Blocked Inbound TCP Traffic "
iptables -A INPUT -p UDP -j LOG --log-prefix "Blocked Inbound UDP Traffic "
iptables -P INPUT DROP
iptables-save

* The -i eth1 will vary according to the interface of your system. It might be eth0, eth1, or maybe even wlan0, so adjust accordingly. The -d pertains to the destination address, so in the first line using 224.0.0.0 this pertains to Multicast traffic. The next line using -d pertains to the internal network you might be using.

Assuming your internal IP address is 192.168.1.200 and you are using a netmask of 255.255.255.0, then your broadcast address will be 192.168.1.255, so adjust your IPTABLES rules in accordance with your environment. So you ask why use the drops in a chain that already has an implicit drop? The reason why we want to drop Multicast and Broadcast is to have this traffic dropped before the logging rule for IPTABLES so these events do not end up as syslog entries.

The last part one may have questions about are the "/8" and "/24". These are mask entries that can also be expressed as "/8" = 255.0.0.0 and "/24" = 255.255.255.0.
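The mask and broadcast arithmetic above is easy to get wrong by hand, so here is an added example (my own code, not from the original post) that does the conversions in POSIX shell arithmetic and then emits the two "drop before log" rules with the computed broadcast address. The function names (ip_to_int, int_to_ip, prefix_to_mask, mask_to_prefix, broadcast_addr, quiet_drop_rules) and the sample addresses are mine.

```shell
#!/bin/sh
# Added example: /N <-> dotted-mask conversion and broadcast calculation,
# then the Multicast/Broadcast DROP rules from the post with the computed
# broadcast address. Sample addresses are constructed for this example.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> dotted mask: 24 -> 255.255.255.0, 8 -> 255.0.0.0
prefix_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Dotted mask -> prefix length by counting set bits: 255.0.0.0 -> 8
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# Broadcast = address OR the inverted mask:
# 192.168.1.200 / 255.255.255.0 -> 192.168.1.255
broadcast_addr() {
    addr=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    int_to_ip $(( addr | (~mask & 0xFFFFFFFF) ))
}

# Emit the two DROP rules for interface $1, host address $2, netmask $3.
# They must sit after the ACCEPT rules and before the LOG rules, as in the post.
quiet_drop_rules() {
    iface=$1; bcast=$(broadcast_addr "$2" "$3")
    printf 'iptables -A INPUT -p UDP -i %s -d 224.0.0.0/8 -j DROP\n' "$iface"
    printf 'iptables -A INPUT -p UDP -i %s -d %s -j DROP\n' "$iface" "$bcast"
}

# Stand-alone demonstration with the post's example network.
echo "/24 = $(prefix_to_mask 24), /8 = $(prefix_to_mask 8)"
echo "255.255.255.0 = /$(mask_to_prefix 255.255.255.0)"
echo "broadcast of 192.168.1.200/255.255.255.0 = $(broadcast_addr 192.168.1.200 255.255.255.0)"
quiet_drop_rules eth1 192.168.1.200 255.255.255.0
```

One detail for anyone adapting the multicast rule: 224.0.0.0/8 matches only 224.x.x.x, whereas the whole IPv4 multicast range is 224.0.0.0/4 (224.0.0.0 to 239.255.255.255); a multicast sender using, say, 239.255.255.250 would still reach the LOG rule with the /8 version.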

==== Cheers =======

About msetyadi

I am an IT Strategic
This entry was posted in Expertise. Bookmark the permalink.
