Monday, January 2, 2012

Use iptables as a firewall on Debian Linux

A firewall helps keep attacks from the Internet away from my computer. I use iptables as a firewall on Debian Linux, following the steps below:

Start Terminal by clicking on "Applications", "Accessories" and "Terminal".

Type the following command to become the superuser, then enter the root password:

su

Issue the command in Terminal to create the iptablesRules0001 file:

gedit /etc/init.d/iptablesRules0001
 
For desktop use
I wrote the rules below following advice given by iptables users on the Internet. They are meant for my desktop, not for a server. Copy the script below into the new file and click Save:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptablesRules0001
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# X-Start-Before:    kdm gdm xdm hal
# X-Stop-After:      kdm gdm xdm hal
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: give iptables settings
# Description:       you can add input, output and
#                    forward rules
### END INIT INFO

set -e

# Get lsb functions
. /lib/lsb/init-functions

#------------       iptables rules start --------------------
apply_rules() {
    # Start from a clean slate; anything no later rule accepts is dropped
    # (see "Use the DROP policy" below).
    iptables -F
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    # Malformed TCP: new connections that do not start with SYN, non-first
    # fragments, and packets with all or no flags set (typical scan probes).
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -f -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # Packets connection tracking cannot classify: log, then drop.
    iptables -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix 'InvalidDrop '
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    # Sample of all remaining inbound packets, accepted or not, at most 2 log lines per minute.
    iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
    # Replies to connections this host opened.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Caveat: the next three rules accept ANY packet whose source port is 80,
    # 443 or 21, whatever its connection state, so a remote host can reach any
    # local port just by sending from one of those source ports. Legitimate
    # replies are already covered by the ESTABLISHED,RELATED rule above.
    iptables -A INPUT -p tcp --sport 80 -j ACCEPT
    iptables -A INPUT -p tcp --sport 443 -j ACCEPT
    iptables -A INPUT -p tcp --sport 21 -j ACCEPT
    # Everything else: log, then drop.
    iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -m limit --limit 6/hour -j LOG --log-level 4 --log-prefix 'OutAllow6/h '
    iptables -A OUTPUT -j ACCEPT
}
#------------       iptables rules end --------------------

case "$1" in
  start|restart|force-reload)
    log_daemon_msg "Applying iptables rules" "iptablesRules0001"
    apply_rules
    log_end_msg 0
    ;;
  stop)
    # Only reached at halt, reboot and single-user (runlevels 0, 1 and 6):
    # flush the rules and fall back to open policies.
    log_daemon_msg "Flushing iptables rules" "iptablesRules0001"
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    log_end_msg 0
    ;;
  status)
    iptables -L -n -v
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
    exit 3
    ;;
esac

exit 0

Issue the command in Terminal to make iptablesRules0001 executable:

chmod +x /etc/init.d/iptablesRules0001

Go to /etc/init.d by typing:

cd /etc/init.d


Run the script automatically when Debian Linux starts
iptables does not keep its rules across a reboot. To make iptablesRules0001 run at boot time, type:

update-rc.d iptablesRules0001 start 01 2 3 4 5 . stop 99 0 1 6 .

Restart the computer and the iptables rules should be applied automatically.

Check if the rules are applied
As a superuser using the su command, type the following in Terminal to view the rules:

iptables -L


I should be able to see:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       all  -f  anywhere             anywhere           
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        all  --  anywhere             anywhere            state INVALID LOG level warning prefix `InvalidDrop '
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level warning prefix `In2/m '
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp
LOG        all  --  anywhere             anywhere            LOG level warning prefix `InDrop '
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere            limit: avg 6/hour burst 5 LOG level warning prefix `OutAllow6/h '
ACCEPT     all  --  anywhere             anywhere         



That's all for setting up iptables.

Check potential problems
To view the logged traffic as a superuser, type:

gedit /var/log/messages

Click on "Search" and "Find". To see the logged messages for disallowed traffic, search for the log prefix used in the rules, such as "InvalidDrop" or "InDrop", and press "Find".
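Reading the log by hand becomes tedious once the entries pile up. The shell script below is an added example, not part of the original post: it counts the logged packets for one of the prefixes used in the rules above ('InDrop', 'InvalidDrop' or 'In2/m') per source address, protocol and destination port. The sample log lines are constructed, using documentation addresses, in the format the kernel writes to /var/log/messages.

```shell
#!/bin/sh
# Summarise iptables LOG entries for one prefix from the rules above:
# number of logged packets per source address, protocol and destination port.
# Usage: summarise_drops PREFIX LOGFILE    e.g. summarise_drops InDrop /var/log/messages
summarise_drops() {
    prefix=$1
    logfile=$2
    grep -F 'kernel:' "$logfile" | grep -F " $prefix " \
      | sed -n 's/.*SRC=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2 \3/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2, $3, $4 }'
}

# Constructed sample of /var/log/messages lines (documentation addresses only).
write_sample_log() {
    cat >"$1" <<'EOF'
Jan  2 10:15:01 debian kernel: [ 1234.567890] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  2 10:15:03 debian kernel: [ 1236.112233] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  2 10:16:40 debian kernel: [ 1333.000000] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jan  2 10:17:02 debian kernel: [ 1355.000000] InvalidDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
Jan  2 10:17:05 debian kernel: [ 1358.000000] In2/m IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=40000 WINDOW=65535 RES=0x00 ACK URGP=0
EOF
}

# Stand-alone demonstration on the constructed sample: sh summarise.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    for p in InDrop InvalidDrop In2/m; do
        echo "== $p =="
        summarise_drops "$p" "$tmp"
    done
    rm -f "$tmp"
fi
```

On a real system, run summarise_drops against /var/log/messages (or /var/log/kern.log) instead of the constructed sample; a source address that dominates the 'InDrop' count across many destination ports is what a scan looks like in this log.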

Use the DROP policy
Initially, I used

iptables -P INPUT ACCEPT

but now I use

iptables -P INPUT DROP

The line above means that incoming packets are accepted only when a rule explicitly allows them; when no rule matches, they are dropped. The default policy should be "DROP".

More information
More information on iptables can be found below:

"Basic iptables howto"

"Logging"

"How to: Linux Iptables block common attacks"

"Simple firewall for Ubuntu using iptables"
