Start Terminal by clicking on "Applications", "Accessories" and "Terminal".
Type the following command to become the superuser, then enter the root password:
su
Issue this command in Terminal to create the iptablesRules0001 file:
gedit /etc/init.d/iptablesRules0001
For desktop use
I wrote some rules below following the advice given by iptables users on the Internet. The rules are for my desktop use, not for a server. Copy the script below into the new file and hit Save:
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptablesRules0001
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# X-Start-Before: kdm gdm xdm hal
# X-Stop-After: kdm gdm xdm hal
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: give iptables settings
# Description: you can add input, output and
# forward rules
### END INIT INFO
set -e
# Get lsb functions
. /lib/lsb/init-functions
#------------ iptables rules start --------------------
# Flush the existing rules (chain policies are not flushed)
iptables -F
# Default policies: drop unsolicited input and forwarding, allow output
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# A new TCP connection must start with a SYN-only packet
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragments, XMAS (all flags set) and NULL (no flags set) packets
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Log, then drop, packets the connection tracker cannot classify
iptables -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix 'InvalidDrop '
iptables -A INPUT -m state --state INVALID -j DROP
# Loopback traffic is always allowed
iptables -A INPUT -i lo -j ACCEPT
# Log a sample of all remaining input (2 lines/min, default burst 5)
iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
# Replies to connections this host opened
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets whose source port is 80, 443 or 21; these match on source port
# alone, replies to connections this host opened are already accepted above
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -j ACCEPT
# Everything else: log it, then drop it
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -j DROP
# Outgoing traffic is allowed; log a sample of it (6 lines/hour)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m limit --limit 6/hour -j LOG --log-level 4 --log-prefix 'OutAllow6/h '
iptables -A OUTPUT -j ACCEPT
#------------ iptables rules end --------------------
Issue the command in Terminal to make iptablesRules0001 executable:
chmod +x /etc/init.d/iptablesRules0001
Go to /etc/init.d by typing:
cd /etc/init.d
Run the script automatically when Debian Linux starts
iptables does not save its rules across reboots, so the script has to run at every boot. To make iptablesRules0001 run at boot time, type:
update-rc.d iptablesRules0001 start 01 2 3 4 5 . stop 99 0 1 6 .
Restart the computer and the iptables rules should be applied automatically.
Check if the rules are applied
As a superuser using the su command, type the following in Terminal to view the rules:
iptables -L
I should be able to see:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG all -- anywhere anywhere state INVALID LOG level warning prefix `InvalidDrop '
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix `In2/m '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:www
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
LOG all -- anywhere anywhere LOG level warning prefix `InDrop '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 6/hour burst 5 LOG level warning prefix `OutAllow6/h '
ACCEPT all -- anywhere anywhere
That's all for setting up iptables.
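As an added check, not part of the original post: a short Python script that reads the text `iptables -L` prints (run it as root and paste or pipe the output in) and compares each chain's policy with what the init script sets. The constructed sample below reproduces the listing above, where INPUT still shows policy ACCEPT although the script sets DROP, so that mismatch is reported; it also checks whether INPUT ends with an explicit catch-all DROP rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout `iptables -L` prints; INPUT shows policy
# ACCEPT on purpose, as it does in the post's own listing.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning prefix `InDrop '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
"""

# The policies the post's init script sets with `iptables -P`.
EXPECTED_POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "DROP"}

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)[^)]*\)")   # also fits `-L -v` counters

def parse_listing(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {chain: (policy, [rule targets in order])}."""
    chains: Dict[str, Tuple[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:                                   # "Chain X (policy Y)" header
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.strip() and not line.startswith("target") and current:
            chains[current][1].append(line.split()[0])   # first column is the target
    return chains

def policy_mismatches(text: str, expected=EXPECTED_POLICY) -> Dict[str, Tuple[str, str]]:
    """{chain: (expected, actual)} for each chain whose policy is not the intended one."""
    chains = parse_listing(text)
    return {c: (want, chains[c][0]) for c, want in expected.items()
            if c in chains and chains[c][0] != want}

def last_rule_is_drop(text: str, chain: str = "INPUT") -> bool:
    """True when the chain ends in an explicit DROP; the policy then only decides packets while the chain is flushed or the script has not run."""
    targets = parse_listing(text).get(chain, ("", []))[1]
    return bool(targets) and targets[-1] == "DROP"

if __name__ == "__main__":
    print(policy_mismatches(SAMPLE_LISTING))   # {'INPUT': ('DROP', 'ACCEPT')}
```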
Check potential problems
To view the logged Internet traffic as a superuser, type:
gedit /var/log/messages
Click on "Search" and then "Find". To see the logged messages for dropped traffic, type one of the log prefixes used in the script, such as "invaliddrop" or "indrop", and press "Find".
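An added example, not from the original post: rather than searching /var/log/messages by hand, this Python script parses the kernel LOG lines the script's rules produce (prefixes 'InvalidDrop ', 'In2/m ', 'InDrop ' and 'OutAllow6/h ') and counts them by prefix, source address, protocol and destination port. The log lines below are constructed samples using documentation addresses; the field names (SRC, DST, PROTO, SPT, DPT) are the ones the kernel LOG target prints.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the shape the LOG target writes to /var/log/messages
# (documentation-range addresses, not captured traffic); last line is not iptables.
SAMPLE_LOG = """\
Mar  5 10:21:07 debian kernel: [ 1234.567890] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:21:09 debian kernel: [ 1236.112233] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:21:10 debian kernel: [ 1237.000001] InvalidDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=80 DPT=1025 WINDOW=1024 RES=0x00 ACK URGP=0
Mar  5 10:21:12 debian kernel: [ 1239.444444] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.20 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=5353 DPT=5353 LEN=12
Mar  5 10:21:13 debian cron[1122]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The prefix is the word given to --log-prefix; the kernel then prints IN=... fields.
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>\S+) (?P<fields>IN=.*)$")

def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Prefix plus KEY=VALUE fields of one LOG line; None for non-iptables lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:                      # bare flags such as DF, SYN, ACK carry no value
            fields[key] = value
    return fields

def summarize(lines: Iterable[str]) -> Counter:
    """Count logged packets by (prefix, source, protocol, destination port)."""
    counts: Counter = Counter()
    for f in filter(None, map(parse_log_line, lines)):
        counts[(f["PREFIX"], f.get("SRC"), f.get("PROTO"), f.get("DPT", "-"))] += 1
    return counts

def top_sources(lines: Iterable[str], prefix: str, n: int = 5) -> List[Tuple[str, int]]:
    """Sources with the most entries under one prefix, e.g. 'InDrop'."""
    by_src: Counter = Counter(f.get("SRC") for f in filter(None, map(parse_log_line, lines))
                              if f["PREFIX"] == prefix)
    return by_src.most_common(n)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(n, *key)                       # e.g. "1 InDrop 203.0.113.7 TCP 22"
    print(top_sources(SAMPLE_LOG.splitlines(), "InDrop"))
```

On a live system, read the real file instead of the sample, for example `summarize(open("/var/log/messages"))` as root.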
Use the DROP policy
Initially, I used
iptables -P INPUT ACCEPT
but now I use
iptables -P INPUT DROP
With this policy, incoming packets are accepted only when a rule explicitly allows them; any packet that no rule matches is dropped. The default policy should be "DROP".
More information
More information on iptables can be found below:
"Basic iptables howto"
"Logging"
"How to: Linux Iptables block common attacks"
"Simple firewall for Ubuntu using iptables"