Sunday, April 25, 2010

Basic iptables firewall

This basic firewall:
  • allows all loopback (lo) traffic
  • accepts inbound packets that belong to a connection the host already has open (ESTABLISHED,RELATED)
  • allows all outgoing traffic
  • logs everything it denies (rate-limited).
Place the following into ~/iptables.rules
*filter

#
# http://wiki.debian.org/iptables
#
# Default policies: DROP anything addressed to this host (INPUT) or
# forwarded through it (FORWARD); ACCEPT anything it sends out (OUTPUT).
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

# Flush all specific rules
-F INPUT
-F FORWARD
-F OUTPUT

# Allow all loopback (lo) traffic, and reject any packet addressed to
# 127/8 that did not arrive on lo (spoofed loopback traffic)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept inbound packets that belong to a connection this host already
# has (ESTABLISHED) or that is related to one, e.g. ICMP errors (RELATED)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# ----------- BEGIN OF CUSTOM RULES -----------
# Add your custom rules here, e.g. port knocking, ignore netbios, etc.

#
# ------------ END OF CUSTOM RULES ------------

# Log whatever reaches this point in INPUT (it is about to be dropped),
# rate-limited to 5 entries per minute. Entries go to the kernel log at
# debug level (7); read them with 'dmesg'.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop everything else inbound or forwarded (default deny unless
# explicitly allowed). The chain policies above already do this; the
# explicit rules make the default-deny visible in 'iptables -L' output
# and keep it in place if a policy is changed later.
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Now load the rules with iptables-restore; the Debian wiki page referenced in the comments above describes this and how to reload the file at boot. Two caveats before doing so on a remote machine: the INPUT policy is DROP and nothing above accepts new connections, so add a rule for the service you administer the box over (for example SSH on TCP port 22) in the custom-rules section first, or you will cut yourself off; and iptables only filters IPv4, so an IPv6-enabled host needs an equivalent ip6tables ruleset.
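The following script is an added example and not part of the original post: it generates the ruleset above with an explicit list of allowed inbound TCP ports filled into the custom-rules section, syntax-checks the file, and loads it with a rollback timer so a mistake cannot lock you out of a remote machine. It assumes a POSIX shell, iptables-save and iptables-restore in PATH with root privileges for the apply step, and an iptables recent enough to support `iptables-restore --test`; the `-m conntrack --ctstate NEW` match on the per-port rules is this example's choice, not the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the ruleset above
# with an explicit list of allowed inbound TCP ports, syntax-check it, and
# load it with a rollback timer so a typo cannot lock you out of a remote box.
# Assumptions: POSIX sh; iptables-save/iptables-restore in PATH and root
# privileges for the apply step; iptables-restore that supports --test.

# gen_rules PORT... : print an iptables-restore ruleset to stdout. Everything
# except the per-port ACCEPT lines is the ruleset from the post.
gen_rules() {
    cat <<'EOF'
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
EOF
    # Custom rules: one ACCEPT per allowed port, matching only NEW connections
    # (packets of connections already open were accepted above).
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
}

# count_rules: number of -A rules read from stdin (sanity check on a file).
count_rules() { grep -c '^-A '; }

# check_rules FILE: parse FILE without committing it; non-zero on a syntax error.
check_rules() {
    iptables-restore --test < "$1"
}

# apply_rules FILE [SECONDS]: back up the live ruleset, load FILE, and restore
# the backup after SECONDS (default 60) unless confirm_rules is run first.
apply_rules() {
    file=$1
    grace=${2:-60}
    backup=$(mktemp /tmp/iptables.backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    if ! check_rules "$file"; then
        echo "ruleset rejected by iptables-restore --test; nothing changed" >&2
        return 1
    fi
    iptables-restore < "$file" || return 1
    # Watchdog under nohup so it survives the SSH session being cut by the new rules.
    nohup sh -c "sleep $grace && iptables-restore < '$backup'" >/dev/null 2>&1 &
    echo $! > /tmp/iptables.rollback.pid
    echo "rules loaded; run '$0 confirm' within ${grace}s or they roll back" >&2
}

# confirm_rules: cancel the pending rollback (run this from a fresh session,
# which proves the new rules still let you in).
confirm_rules() {
    kill "$(cat /tmp/iptables.rollback.pid)" && rm -f /tmp/iptables.rollback.pid
}

# Usage:  sh firewall.sh generate 22 443 > ~/iptables.rules
#         sudo sh firewall.sh apply ~/iptables.rules 60
#         sudo sh firewall.sh confirm        # from a new SSH session
case "${1:-}" in
    generate) shift; gen_rules "$@" ;;
    apply)    apply_rules "$2" "${3:-60}" ;;
    confirm)  confirm_rules ;;
esac
```

The watchdog is the important part: the rollback process is started with nohup before the session can be affected, so if the new ruleset drops your SSH connection the old one comes back by itself, and confirming from a fresh session is what proves the new rules still admit you.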
