default iptables rules

Peter Garrett peter.garrett at optusnet.com.au
Fri Sep 14 05:03:27 UTC 2007 

On Thu, 13 Sep 2007 20:56:23 -0400
"Jimmy Wu" <jimmywu013 at gmail.com> wrote:

> Hi all,
> 
> I am relatively new to both Ubuntu and Linux, and I'm trying to figure out
> how to secure my computer with a firewall.
> My previous attempt with Firestarter was rather miserable, since it screwed
> up my home network.
> I've reinstalled my system, and this time I want to just use iptables,
> without firestarter.
> 
> Situation:
> I am a pretty average user, and need little more than http, https, and
> possibly ftp.  I probably won't need to have ssh open or anything else like
> that.  My computer is connected to a home network via an ethernet router,
> along with two other computers running Windows XP.  I don't want to lose
> connection to those -ie I want to be able to view shares.
> I've read a bit about iptables, and know how to add rules.  The only thing
> is, I'm not sure what rules to add.

Like most things in GNU/Linux, there are multiple ways to set up iptables.
Since your network is fairly simple ( so is mine - currently only two
machines!) , I would suggest something similar to my own method.

> So, my question is, does anyone have a script or a set of rules for a setup
> similar to mine that they'd be willing to share?

I have found the simplest way to set up iptables is to start with a
default "DROP" policy for INPUT

So the start of my script looks like this:

#!/bin/bash

# This can live anywhere - I'm using /etc/iptables.up
# Needs to run as root of course
#First clean up in case we have stale policies like default DROP

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#Now set up our policies and rules
# Policy (only using INPUT here)

iptables -P INPUT DROP

# Now allow loopback and existing connections
# Lets the machine talk to itself ;-)
iptables -A INPUT -i lo -j ACCEPT  

# We don't want to lock out useful connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the local network - the numbers here will depend on your network
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT 

# Allow freenode to talk to gidentd
iptables -A INPUT -s chat.freenode.net -p tcp --dport 113 -j ACCEPT

# Example if you have a web server running on port 80
iptables -A INPUT  -p tcp --dport 80 -j ACCEPT

# Being specific about who we allow to use ssh ( this is one line - ignore wrap)
iptables -A INPUT -m state --state NEW -s trusted.goodguys.com  -p
tcp --dport 22 -j ACCEPT

# Some logging - again, this is one line at the end
iptables -A INPUT  -m limit --limit 1/sec -j LOG --log-prefix "iptables
DENIED: " --log-level 7

the simplicity of a default INPUT policy of DROP is that anything not
allowed is denied - anything that makes it through the list will just fall
on the floor silently, except that it will be logged in /var/log/syslog*
as "iptables DENIED:".

 You get the idea - you can add other ports as needed on
the same model - of course forwarding them from a router as needed. Setting
OUTPUT policy as "DROP" gets very complicated quickly - for a small home
network I think ALLOW is OK for OUTPUT, assuming that you aren't in the
habit of installing random apps from dodgy places that might include
trojans :) I can't comment on your Windows boxes though ...

Your FORWARD policy will vary according to needs.

> Also, if I'm not mistaken, iptables rules added at the command line are not
> saved by default. 
 
Correct - not saved across boots.

> I seem to remember to ways of saving them: (please
> correct any errors/fill in any gaps)
> using iptables-save and -restore lines to save and load rules from a file in
> /etc/network/interfaces

As above, there are several ways to do this. I personally find it easier
to save my iptables script somewhere ( I use /etc/iptables.up as a name)

I then do this in /etc/dhcp3/dhclient-exit-hooks   ( I created that file as
a 'script")

#!/bin/bash
# give it a moment to wake up
sleep 1  &&
/etc/iptables.up

The sleep line may not be necessary - I found it worked this way. It's a
hack, I admit. Obviously make your scripts executable - sudo chmod +x

What this does is start the iptables script *after* dhcp has given me a
usable connection, as dhclient exits. This also means that, for example,
"irc.freenode.net" is correctly translated by iptables using DNS ,
because by then I am on-line. You might notice that I am vulnerable for 1
second :)

> writing a bash script and putting it somewhere (I remember there was an
> initrc file or directory, but I forget the exact location) so that it runs
> on boot

You can do this in /etc/rc.local , for example - but this assumes the
network is up by that stage in the boot. I found that I needed something
that would run the script immediately after the connection on Feisty. YMMV
as they say...

If you need occasionally to disable the firewall, you can make an
iptables.down script that clears all the policies and flushes the chains.
You can run this when the network comes down, for example.

Other directories to look at as places to put scripts might be:
if-down.d  if-post-down.d  if-pre-up.d  if-up.d 

In /etc/network/

Peter

More information about the ubuntu-users mailing list