Need help for iptables rules


Login or Register to Reply

 
Thread Tools Search this Thread
# 1  
Need help for iptables rules

Hello,

I did 2 scripts. The second one is, I hope, more secure.
What do you think?


Basic connection (no server, no router, no DHCP and the Ipv6 is disabled)

#######script one
####################

Code:
iptables -F
iptables -X -t filter
iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG



######SCRIPT 2 ### SCRIPT (MORE SECURE) #####
#######################
Code:
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT -j DROP

modprobe ip-conntrack

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
iptables -A INPUT -m limit --limit 7/s -j LOG

#LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG


Thanks in advance
# 2  
I see the line for your DSL router or whatever 192... is. What is your goal? You can inadvertantly block your DNS server that way, for example.

Do not forget that you can render the system almost unusable with one single "interesting" line in your script. If you have iptables enabled now and have access - keep a copy of the current setup.
# 3  
Hello,

Thanks for your reply.

Quote:
II see the line for your DSL router or whatever 192... is. What is your goal?
I wanted to make this rule more secure:
Code:
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

My pc is not acting as a router or a server. If I want to open a port (example: for a vpn), what rule do I need?
Normally the rule is:
Code:
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

But this rule is not very secure because if I well understood, it allows everyone to get my tcp port xxx.
What can I do to make the rule more secure? Is it possible?

Thanks.
# 4  
tcp ports are dictated by IANA So if you decide to "secure" port 25, nobody will be able to connect using ftp.

This link has 140 pages, just read a few.
Service Name and Transport Protocol Port Number Registry

My point is: you can break all kinds of services without knowing why. And if someone attacks a random port and there is no service behind it to respond, the attacks fails. So no need to block it. This is why attacks go for a lot of known ports. So known ports may require a minor tweak.

Are you trying to harden your box for a reason? A lot of linux boxes have special apps to help you. What OS and version of it do you have?
uname -a will show that, so please post it.

Edit: It is not uncommon to harden a UNIX and break some applications.

Last edited by jim mcnamara; 12-30-2016 at 08:02 PM..
These 2 Users Gave Thanks to jim mcnamara For This Post:
# 5  
Are you trying to harden your box for a reason? A lot of linux boxes have special apps to help you. What OS and version of it do you have?
uname -a will show that, so please post it.


No but you can't be too careful. And sometimes my laptop is connected to free WiFi.
I 've got two laptops: ubuntu and debian
1)Linux 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:46:51 UTC 2016 i686 i686 i686 GNU/Linux
2)Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/LINUX

My point is: you can break all kinds of services without knowing why. And if someone attacks a random port and there is no service behind it to respond, the attacks fails. So no need to block it. This is why attacks go for a lot of known ports. So known ports may require a minor tweak.
You mean I'do better to change default ports rather than block them?

Thanks.
# 6  
With 'free wifi' most harmfull stuff is not actually related to your firewall (unless you block everything, which makes no sense).

A person who owns that wifi network in one way or another can :

1. Use fake DNS and create fake pages for folks inside that network.
2. Sniff network traffic, especially unencrypted/poorly encrypted traffic and analyze it or/and save it for later (perhaps even years, to brute force it later when he gets a new gpu Smilie )

A lot of other things for an imaginative mind.

Conclusion is if the for anything but casual surfing (no banking, no credentials input), unless you know for a fact that no such things exist in that network.
If using be sure to check the certificates of pages you are leaving credentials at, and use strong encryption.

Hope the helps
Regards
Peasant.
This User Gave Thanks to Peasant For This Post:
# 7  
OK. thanks

@ jim mcnamara
"So known ports may require a minor tweak"
Could you give me an example please?


@Peasant
What do you mean by "use strong encryption"? Modules (https everywhere,...) in firefox or softwares like VPN,...?

I did three scripts.
Are they good? Which is the best?
This rule:
iptables -X -t filter
Some says that I'm referring to a table called "filter" which doesn't exist. What should I add to make the filter table exist?




BASIC CONNECTION (my laptop is acting neither as a server nor as a router; no DHCP and the Ipv6 is disabled)

#######script one
####################


Code:
iptables -F
iptables -X -t filter
iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG



######SCRIPT 2 ###
#######################
Code:
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT -j DROP

modprobe ip-conntrack

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT
##I deleted this line####
##iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
#########

#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG


##SCRIPT 3####
###############

Code:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG --log-prefix "ICATCH:" --log-level info
iptables -A OUTPUT -m limit --limit 7/s -j LOG --log-prefix "OCATCH:" --log-level info
iptables -A FORWARD -m limit --limit 7/s -j LOG --log-prefix "FCATCH:" --log-level info

THANKS IN ADVANCE
Login or Register to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
iptables help with rules
steadyonabix
Hi, I've been struggling with this all morning and seem to have a blind spot on what the problem is. I'm trying to use iptables to block traffic on a little cluster of raspberry pi's but to allow ssh and ping traffic within it. The cluster has a firewall server with a wifi card connecting to...... UNIX for Advanced & Expert Users
4
UNIX for Advanced & Expert Users
iptables Rules for my network
Vaibhav.T
Hi Champs i am new in Iptables and trying to write rules for my Samba server.I took some help from internet, created one script and run from rc.local : #Allow loopback iptables -I INPUT -i lo -j ACCEPT # Accept packets from Trusted network iptables -A INPUT -s my-network/subnet -j...... Red Hat
0
Red Hat
iptables rules (ubuntu)
Greenice
Could someone help me with writing rules for iptables? I need a dos attacks protection for a game server. port type udp ports 27015:27030 interface: eth0 Accept all packets from all IPs Chek if IP sent more than 50 packets per second Drop all packets from this IP for 5 minutes I would be...... Ubuntu
0
Ubuntu
Editing rules on iptables
garric
Hello, I was playing around with iptables to setup an isolated system. On a SLES10 system, I ran the below to setup my first draft of rules. I noticed that the rules come into effect immediately and do not require any restart of iptables. iptables -A INPUT -j ACCEPT iptables -A OUTPUT -m...... Cybersecurity
4
Cybersecurity
Iptables rules at boot
solaris_user
Hi I have small home network and I want to block some forums on web When I use this iptables -A INPUT -s forum -j DROP rules is applied but when I restart some of PC rules are not present any more also I tried to save firewall settings iptables-save > /root/dsl.fw but how to...... IP Networking
2
IP Networking