Unix/Linux Go Back    



Need help for iptables rules

Security




Kindly Note - This is a Single User Post by Forum Member Thomas342 Regarding:
Need help for iptables rules.
Please Follow The Primary Link Above to View the Full Discussion.

   
Old Unix and Linux 01-03-2017
Thomas342 Thomas342 is offline
Banned
 
Join Date: Dec 2016
Last Activity: 10 January 2017, 1:16 PM EST
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
OK. thanks

@ jim mcnamara
"So known ports may require a minor tweak"
Could you give me an example please?


@Peasant
What do you mean by "use strong encryption"? Modules (https everywhere,...) in firefox or softwares like VPN,...?

I did three scripts.
Are they good? Which is the best?
This rule:
iptables -X -t filter
Some says that I'm referring to a table called "filter" which doesn't exist. What should I add to make the filter table exist?




BASIC CONNECTION (my laptop is acting neither as a server nor as a router; no DHCP and the Ipv6 is disabled)

#######script one
####################



Code:
iptables -F
iptables -X -t filter
iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG



######SCRIPT 2 ###
#######################

Code:
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT -j DROP

modprobe ip-conntrack

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT
##I deleted this line####
##iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
#########

#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG


##SCRIPT 3####
###############


Code:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG --log-prefix "ICATCH:" --log-level info
iptables -A OUTPUT -m limit --limit 7/s -j LOG --log-prefix "OCATCH:" --log-level info
iptables -A FORWARD -m limit --limit 7/s -j LOG --log-prefix "FCATCH:" --log-level info

THANKS IN ADVANCE