10-09-2007 #1 - Just Joined! - Join Date: Oct 2007 - Posts: 1
Drop policy iptables rules - own machine
Hi everyone!
I am trying to configure a "high-security" (as high as I can) firewall for my own machine (that is connected to the internet through a router). I thought the best option is a DROP policy, but there is not much information on the net about it. I have written the following script that seems to work, but I am not sure about it:
Code:
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
iptables -A OUTPUT -s $1 -j ACCEPT   ## $1 is my local ip
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The idea was to allow only the traffic I have established. Could this be a good method? Can you give me some suggestions to improve it?
Thank you in advance.
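Added example (editor's code, not Dany's script): the same DROP-policy idea, but with the OUTPUT chain made stateful as well instead of accepting everything from the local address, INVALID packets dropped before the state rules, and rate-limited logging just before the policy drop. The port list and the IPT_DRY_RUN / IPT_RUN switches are this example's own assumptions; with IPT_DRY_RUN=1 the rules are printed for review rather than applied, and nothing is applied unless IPT_RUN=1 is set.

```shell
#!/bin/sh
# Added example: stateful DROP-policy host firewall for a client-only machine.
# Assumptions (this example's own): no services are exposed, only outbound
# client traffic is needed; IPT_DRY_RUN=1 prints rules instead of applying them.

IPT="${IPT:-iptables}"

# run: apply one rule, or print it when IPT_DRY_RUN=1 so the whole set can be
# reviewed before it is loaded on a live machine.
run() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# build_rules: flush everything, set DROP policies, then open only the holes
# a workstation needs.
build_rules() {
    run -F
    run -X
    run -Z
    run -t nat -F

    # Default deny in all three directions; anything not listed below is dropped.
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -P FORWARD DROP

    # Loopback is needed by many local programs (X11, local resolvers, etc.).
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Packets conntrack cannot classify (bad TCP flags, out-of-window) are
    # dropped before the state rules so they can never match ESTABLISHED.
    run -A INPUT -m state --state INVALID -j DROP
    run -A OUTPUT -m state --state INVALID -j DROP

    # Replies to connections this host started.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: allow NEW connections only for the protocols a workstation
    # uses, plus the ESTABLISHED,RELATED traffic of those connections.
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in tcp udp; do
        run -A OUTPUT -p "$p" --dport 53 -m state --state NEW -j ACCEPT   # DNS
    done
    run -A OUTPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT       # HTTP
    run -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT       # HTTPS
    run -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT       # NTP
    run -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT              # ping out

    # Log what the policy is about to drop (rate limited so a flood cannot
    # fill the log); the chain policy then drops the packet.
    run -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP-IN:"
    run -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP-OUT:"
}

# count_policy_drops: sanity check on a printed rule set; prints how many
# chains were given a DROP policy (expected: 3).
count_policy_drops() {
    printf '%s\n' "$1" | grep -c -- ' -P [A-Z]* DROP$'
}

# Apply only when explicitly asked; IPT_DRY_RUN=1 IPT_RUN=1 prints instead.
if [ "${IPT_RUN:-0}" = "1" ]; then
    build_rules
fi
```

Compared with the script in the post, accepting only NEW connections to named ports on OUTPUT means a process that phones home on an unexpected port shows up in the log as IPT-DROP-OUT instead of being silently allowed because the packet came from the local address.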
10-10-2007 #2 - Just Joined! - Join Date: Oct 2007 - Location: Pennsylvania - Posts: 31
Here are some tips, but your script looks fine...
Dany,
Your script looks fine; I included this iptables config as an example of how to do some more stuff.
# Generated by iptables-save v1.2.11 on Mon Jul 23 21:08:53 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Allow VNC connections from source xxx.xxx.xxx.xxx
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 5901 -j ACCEPT
# Allow http from source xxx.xxx.xxx.xxx
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSH connections from source xxx.xxx.xxx.xxx
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -j ACCEPT
# If someone attempts to connect to the http port, reject with the specified message
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
# Same for UDP port 80 (just making sure)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
# If someone attempts to connect to SSH, reject with the specified message
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
# Same for UDP port 22 (just making sure)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 22 -j REJECT --reject-with icmp-port-unreachable
# I allow ICMP on my local network and I don't forward ICMP to this box, so I feel pretty safe.
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
# Stateful connection: if I established the connection, then let the replies flow
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Jul 23 21:08:53 2007
Bitstreamer
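Added example (editor's code, not Bitstreamer's dump): a small generator for the same iptables-restore layout, one custom INPUT chain with per-source allows placed ahead of catch-all REJECTs, but with DROP policies on INPUT and FORWARD and every comment on its own line, since iptables-restore only honours '#' at the start of a line. ADMIN_HOST (192.0.2.10), the chain name HOST-INPUT and the port list are constructed placeholders; check_ruleset does the structural checks that catch the inline-comment mistake, and test_with_restore runs iptables-restore --test only when that binary is present (it needs root).

```shell
#!/bin/sh
# Added example: generate and sanity-check an iptables-restore file.
# Assumptions (constructed for this example): ADMIN_HOST is a placeholder
# admin source address; HOST-INPUT is this example's chain name.

ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"

# rule: emit a comment line followed by the rule line. iptables-restore treats
# a line starting with '#' as a comment, but a '#' after a rule is passed to
# iptables as arguments and the load fails.
rule() {
    comment="$1"; shift
    printf '# %s\n%s\n' "$comment" "$*"
}

# gen_ruleset: print a complete *filter table in iptables-restore syntax.
# $1 = admin host allowed to reach the exposed TCP services; $2.. = TCP ports.
gen_ruleset() {
    admin="$1"; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':HOST-INPUT - [0:0]'
    echo '-A INPUT -j HOST-INPUT'
    rule 'Loopback' '-A HOST-INPUT -i lo -j ACCEPT'
    rule 'Replies to connections this host opened' \
         '-A HOST-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    rule 'Drop packets conntrack cannot classify' \
         '-A HOST-INPUT -m state --state INVALID -j DROP'
    for port in "$@"; do
        rule "Allow tcp/$port only from the admin host" \
             "-A HOST-INPUT -s $admin -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
        rule "Everyone else gets an explicit port-unreachable for tcp/$port" \
             "-A HOST-INPUT -p tcp -m tcp --dport $port -j REJECT --reject-with icmp-port-unreachable"
    done
    rule 'ICMP echo only, rate limited' \
         '-A HOST-INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT'
    rule 'Log, then fall through to the INPUT DROP policy' \
         '-A HOST-INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    echo 'COMMIT'
}

# check_ruleset: structural checks before the text goes near iptables-restore:
# starts with a table line, ends with COMMIT, and no rule line carries an
# inline comment. Prints the number of rule lines; returns 1 on any violation.
check_ruleset() {
    text="$1"
    first=$(printf '%s\n' "$text" | head -n 1)
    last=$(printf '%s\n' "$text" | tail -n 1)
    [ "$first" = '*filter' ] || return 1
    [ "$last" = 'COMMIT' ] || return 1
    if printf '%s\n' "$text" | grep -q '^-A.*#'; then
        return 1
    fi
    printf '%s\n' "$text" | grep -c '^-A'
}

# test_with_restore: ask the real parser to check syntax without loading
# anything (iptables-restore --test); skipped when the binary is absent.
test_with_restore() {
    if command -v iptables-restore >/dev/null 2>&1; then
        gen_ruleset "$ADMIN_HOST" 22 80 | iptables-restore --test
    fi
}
```

Usage: `gen_ruleset 192.0.2.10 22 80 > /etc/sysconfig/iptables-candidate`, run `check_ruleset "$(cat …)"` and `test_with_restore`, and only then load it. Ordering matters in the generated chain: the admin-host ACCEPT for each port must precede the REJECT for the same port, exactly as in Bitstreamer's dump, or the REJECT wins for everyone.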