  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    1

    Drop policy iptables rules - own machine


    Hi everyone!

    I am trying to configure a "high-security" (as high as I can) firewall for my own machine (that is connected to the internet through a router). I thought the best option was a DROP policy, but there is not much information on the net about it. I have written the following script that seems to work, but I am not sure about it:

    Code:
    #!/bin/sh
    # Usage: ./firewall.sh <local-ip>
    # Start from a clean slate: flush rules, delete user chains, zero counters
    iptables -F
    iptables -X
    iptables -Z
    iptables -t nat -F
    #
    # Default to dropping everything in every direction
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    #
    # Loopback is always allowed
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    #
    # Any outbound traffic from my own address; inbound only if it belongs to a connection I opened
    iptables -A OUTPUT -s "$1" -j ACCEPT  ## $1 is my local ip
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    The idea was to allow only the traffic I have established. Could this be a good method? Can you give me some suggestions to improve it?

    Thank you in advance.

  2. #2
    Just Joined!
    Join Date
    Oct 2007
    Location
    Pennsylvania
    Posts
    31

    Here are some tips, but your script looks fine...

    Dany,

    Your script looks fine, I included this iptables config as an example of how to do some more stuff.

    Code:
    # Generated by iptables-save v1.2.11 on Mon Jul 23 21:08:53 2007
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    # Allow VNC connections from source xxx.xxx.xxx.xxx
    -A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 5900 -j ACCEPT
    -A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 5901 -j ACCEPT
    # Allow http from source xxx.xxx.xxx.xxx
    -A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -j ACCEPT
    # Allow SSH connections from source xxx.xxx.xxx.xxx
    -A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -j ACCEPT
    # If anyone else attempts to connect to the http port, reject with the specified message
    # (the udp rule is just making sure)
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
    # If anyone else attempts to connect to SSH, reject with the specified message
    # (the udp rule is just making sure)
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 22 -j REJECT --reject-with icmp-port-unreachable
    # I allow ICMP on my local network and I don't forward ICMP to this box, so I feel pretty safe.
    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    # Stateful connection: if I established the connection then let the replies flow
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Note: there is no final catch-all rule, so anything not matched above falls through to
    # the chain policy, which is ACCEPT for INPUT and FORWARD
    COMMIT
    # Completed on Mon Jul 23 21:08:53 2007


    Bitstreamer
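A small lint for iptables-save dumps like the one in the reply above, added here as an example and not code from either poster. It parses the `:CHAIN POLICY` and `-A` lines, reports built-in chains whose policy is ACCEPT and which never reach a catch-all DROP/REJECT (directly or through a catch-all jump into a user chain), and reports rules whose `-p` protocol disagrees with their `-m` match module, an easy typo in hand-edited dumps. The sample dump is constructed for the example; 192.0.2.10 is a documentation address standing in for the xxx.xxx.xxx.xxx placeholders.

```python
import shlex
# Constructed iptables-save dump modelled on the reply above (192.0.2.10 replaces xxx.xxx.xxx.xxx)
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 192.0.2.10 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return ({chain: policy}, {chain: [rule argv, ...]}) from an iptables-save dump."""
    policies, rules = {}, {}
    for line in dump.splitlines():
        line = line.split("#", 1)[0].strip()          # drop '#' / '##' annotations
        if line.startswith(":"):                      # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):                  # '-A CHAIN <matches> -j TARGET'
            argv = shlex.split(line)
            rules.setdefault(argv[1], []).append(argv[2:])
    return policies, rules

def terminates(chain, rules, seen=()):
    """True if a catch-all DROP/REJECT (directly or via a catch-all jump) ends `chain`."""
    for argv in rules.get(chain, []):
        if argv[:1] == ["-j"]:                        # no match options: a catch-all rule
            target = argv[1]
            if target in ("DROP", "REJECT") or (target in rules and target not in seen
                                                and terminates(target, rules, seen + (chain,))):
                return True
    return False

def lint(dump):
    """Flag built-in chains that fall through to ACCEPT, and rules whose -p and -m disagree."""
    policies, rules = parse(dump)
    findings = []
    for chain, policy in policies.items():
        if policy == "ACCEPT" and not terminates(chain, rules):
            findings.append(f"{chain}: policy ACCEPT and no catch-all DROP/REJECT, unmatched packets are accepted")
    for chain, chain_rules in rules.items():
        for argv in chain_rules:
            opt = lambda flag: argv[argv.index(flag) + 1] if flag in argv else None
            proto, match = opt("-p"), opt("-m")       # first -m only, enough for this lint
            if match in ("tcp", "udp") and proto != match:
                findings.append(f"{chain}: '-p {proto} -m {match}' mismatch in: {' '.join(argv)}")
    return findings
```

Run `lint(open("/path/to/dump").read())` against your own `iptables-save` output; appending a catch-all `-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited` before `COMMIT` clears the INPUT finding for the sample.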
