
Re: Request for comments: iptables script for use on laptops.



Hi,

On Thu, May 25, 2006 at 01:26:40AM +0200, Pascal Hambourg wrote:
> ># Disable IP forwarding.
> ># Note: Turning this on and off should reset all settings to their 
> >defaults.
> >echo 1 > /proc/sys/net/ipv4/ip_forward
> >echo 0 > /proc/sys/net/ipv4/ip_forward
> 
> Shouldn't the first line be commented out ?

No, that's actually intentional. The kernel docs say

  This variable is special, its change resets all configuration
  parameters to their default state (RFC1122 for hosts, RFC1812 for routers)

So, if I understand correctly, setting it to 1, then to 0 should reset
the config parameters to their defaults (which is what I intended).
And of course ip_forward will be disabled, as it is 0 in the end.


> ># Enable IP spoofing protection (i.e. source address verification).
> >echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> Incomplete. The function is enabled on interface $INTERFACE when both 
> net/ipv4/conf/all/rp_filter *and* net/ipv4/conf/$INTERFACE/rp_filter are 
> set to 1 (logical AND). The second condition can be achieved on a 
> specific interface by setting net/ipv4/conf/$INTERFACE/rp_filter to 1 
> *after* the interface is bound to IPv4 (that is, mostly, when configured 
> with an IPv4 address), or it can be achieved on all interfaces by 
> setting net/ipv4/conf/default/rp_filter to 1 *before* the interfaces are 
> bound to IPv4 (which can be done in /etc/sysctl.conf).

Interesting. The naming of "all" is a bit misleading then...
I fixed the script to use the following now, which should be sufficient:

for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

(I did the same for all other lines which used .../all/...)

 
> ># Ignore all (incoming + outgoing) ICMP ECHO requests (i.e. disable PING).
> 
> No, this option only ignores incoming ICMP echo requests. When set, 
> sending echo requests (and receiving the replies) is still possible.

Ah, you're right, thanks. I fixed the comment.


> ># Allow outgoing pings (echo request, fragmentation needed, time exceeded).
> 
> Err no, "ping" is only the echo request type. Destination unreachable 
> (of which fragmentation needed is a sub-type), time exceeded are 
> different ICMP types.

Yeah, the comment is misleading. It should say "allow outgoing ICMP"
rather. The three ICMP types in parenthesis refer to the next three
lines (ICMP type 8, 3, 11, respectively).
Yes, 3 is actually "destination unreachable", not (only) "fragmentation
needed".

General question: which types are usually required or should at least
be enabled in order to not cause network problems, delays, etc.?
Is there anything I need to allow explicitly, or does the
ACCEPT of established/related traffic suffice?

My goal is to allow just the bare minimum of ICMP which is required
for proper operation, and block everything else.

 
> >$IPTABLES -A OUTPUT -m state --state NEW -p icmp --icmp-type 8 -j ACCEPT 
> >$IPTABLES -A OUTPUT -m state --state NEW -p icmp --icmp-type 3 -j ACCEPT 
> >$IPTABLES -A OUTPUT -m state --state NEW -p icmp --icmp-type 11 -j ACCEPT 
> 
> You will never see an ICMP types 3 or 11 with state NEW. Either they are 
> related to an existing connection and marked with state RELATED, or they 
> are not and they are marked with state INVALID. So the 2nd and 3rd rules 
> will never match and are useless.

Removed, thanks.


 
> ># Allow incoming pings, but rate-limit them. We don't want to be DoS'd.
> >$IPTABLES -A INPUT -m limit --limit 3/s --limit-burst 8 \
> >          -p icmp --icmp-type 8 -j ACCEPT 
> >$IPTABLES -A INPUT -m limit --limit 3/s --limit-burst 8 \
> >          -p icmp --icmp-type 3 -j ACCEPT
> >$IPTABLES -A INPUT -m limit --limit 3/s --limit-burst 8 \
> >          -p icmp --icmp-type 11 -j ACCEPT
> 
> Same as above about the 2nd and 3rd rules.

Removed, thanks.

 
> >#------------------------------------------------------------------------------
> ># Miscellaneous.
> >#------------------------------------------------------------------------------
> >
> ># Drop SMB, CIFS, and related Windows traffic without logging. We don't 
> >care.
> >$IPTABLES -A INPUT -p tcp -m multiport \
> >          --sports 135,137,138,139,445,1433,1434 -j DROP
> >$IPTABLES -A INPUT -p udp -m multiport \
> >          --sports 135,137,138,139,445,1433,1434 -j DROP
> 
> Aren't you supposed to filter the destination port ?

D'oh! Of course. Thanks for spotting that.


> ># Limit logging in case of flooding.
> ># $IPTABLES -A INPUT -j LOG -m limit --limit 1/s --limit-burst 8
> 
> What is exactly the purpose of logging packets here ?

Forget that, it's a copy+paste left-over. I want to rate-limit logging,
though, but that should be done when defining ACCEPTLOG, DROPLOG,
REJECTLOG above, I think.

The goal is to prevent people from filling my disk by sending bogus data
which produces tons of log messages.

 
> >#------------------------------------------------------------------------------
> ># Drop any traffic from IANA-reserved IPs.
> ># For details see:
> >#   * ftp://ftp.iana.org/assignments/ipv4-address-space
> >#   * http://www.cymru.com/Documents/bogon-bn-agg.txt
> >#------------------------------------------------------------------------------
> >
> ># TODO: Is this a good idea? Does it work?
> 
> Well, it can be hazardous, it may block legitimate traffic and needs to 
> be updated after each allocation change. Even though, a block allocated 
> to a RIR does not mean that all its addresses are actually allocated to 
> end users.

I can live with the fact that the list needs updating. And as the script
is intended for my laptop mainly, I will probably notice and fix any major
problems (e.g. blocked legitimate traffic) quite fast.

Apart from that, does it make sense to block such traffic? It'll be
mostly bogus/spoofed anyways, I guess, that's why I want it blocked.
Or should I just remove the whole paragraph and forget about it?


> ># Allow incoming connections related to existing allowed connections.
> >$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> ># Allow outgoing connections related to existing allowed connections.
> >$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> You should put these rules on top of the ruleset because they are the 
> most likely to match.

You mean for performance reasons? That's probably a good idea, yes. Done.

 
> ># Uncomment this (and comment the above line) to allow ALL outgoing 
> >traffic.
> ># $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> This rule does not accept ALL traffic : packets in the INVALID state do 
> not match.

I fixed the comment, thanks. There's no reason to allow INVALID
traffic, right? I added this new rule:

$IPTABLES -A INPUT -m state --state INVALID -j DROP

Do similar rules for OUTPUT and FORWARD make sense?


> ># Explicitly REJECT (not DROP) incoming auth requests for increased speed.
> >$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 113 -j REJECTLOG
> >
> >$IPTABLES -A INPUT -j DROPLOG
> 
> REJECT for all undesired although valid (i.e. not INVALID) packets would 
> be more RFC-compliant.

OK, fixed. I'm using REJECT/REJECTLOG everywhere now, and I added a line
at the beginning which explicitly DROPs everything in state INVALID
(see above).

Thanks a lot for your comments, that was very helpful! I added your name
and email address in the script. Let me know in case you want them
removed...

One other question: should I block all IPv6 traffic (how?); I have
exactly zero experience with IPv6, and don't use it knowingly.
Can it still become a problem, i.e. do all the rules I set above
also apply to IPv6 traffic (in case it's possible, say when I'm at some
place with my laptop which allows IPv6)?
In other words, could the firewall be circumvented by just sending IPv6
traffic instead of IPv4? If so, how can I reliably prevent that?

Btw, the fixed script (with some new stuff, too) is attached. If I
screwed up somewhere, please let me know.


Cheers, Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
#!/bin/sh
#------------------------------------------------------------------------------
# File: fw_laptop
# Author: Uwe Hermann <uwe@hermann-uwe.de>
# URL: http://www.hermann-uwe.de/files/fw_laptop
# License: GNU GPL (version 2, or any later version).
# $Id: fw_laptop 520 2006-05-26 14:54:12Z uh1763 $
#------------------------------------------------------------------------------

# A firewall script intended to be used on workstations / laptops. It basically
# blocks all incoming traffic and only allows minimal outgoing traffic.

# Note: This is work in progress! Any comments and suggestions are welcome!

# Thanks for comments and suggestions:
#   * Jean Christophe André <jean-christophe.andre@auf.org>
#   * Ryan Giobbi <rgiobbi@gmail.com>
#   * Pascal Hambourg <pascal.mail@plouf.fr.eu.org>


#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

# Logging options.
# Note: We use --log-level debug, so that the messages are not output
# to all virtual consoles (which would be quite annoying).
# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
# /etc/init.d/klogd startup-script.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting (to prevent DoS attacks and excessive logging).
# TODO: What is a good value for --limit and --limit-burst?
# TODO: Test rate limiting.
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Load required kernel modules (if automatic module loading is disabled).
$MODPROBE ip_conntrack_ftp
# $MODPROBE ip_conntrack_irc


#------------------------------------------------------------------------------
# Kernel configuration.
# For details see:
#   * http://www.securityfocus.com/infocus/1711
#   * http://www.linuxgazette.com/issue77/lechnyr.html
#   * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
#   * /usr/src/linux/Documentation/filesystems/proc.txt
#   * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: Turning this on and off should reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (i.e. source address verification).
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

# Disable proxy_arp. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

# Disable bootp_relay. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time

# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Default policies: drop everything.
#------------------------------------------------------------------------------

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# TODO: Block all IPv6 traffic, otherwise the firewall might be circumvented?


#------------------------------------------------------------------------------
# Custom user-defined chains.
#------------------------------------------------------------------------------

# LOG packets, then ACCEPT them.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP them.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT


#------------------------------------------------------------------------------
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow all incoming and outgoing connections on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections related to existing allowed connections.
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment this (and comment the above line) to allow all outgoing
# connections (except for INVALID ones).
# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 

#------------------------------------------------------------------------------
# ICMP. Note: Many ICMP types are RELATED, hence already allowed.
#------------------------------------------------------------------------------

# Allow outgoing ICMP echo requests (ping).
$IPTABLES -A OUTPUT -m state --state NEW -p icmp --icmp-type 8 -j ACCEPT 

# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -m state --state NEW -p icmp --icmp-type 8 -j ACCEPT $RLIMIT


#------------------------------------------------------------------------------
# Miscellaneous.
#------------------------------------------------------------------------------

# Drop SMB, CIFS, and related Windows traffic without logging. We don't care.
# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
# Match the destination port: these are connection attempts to local services.
$IPTABLES -A INPUT -p tcp -m multiport \
          --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport \
          --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid traffic.
# TODO: Do the same for OUTPUT and FORWARD?
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Hinder portscanners a bit.
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG


#------------------------------------------------------------------------------
# Drop any traffic from IANA-reserved IPs.
# For details see:
#   * ftp://ftp.iana.org/assignments/ipv4-address-space
#   * http://www.cymru.com/Documents/bogon-bn-agg.txt
#------------------------------------------------------------------------------

# TODO: Is this a good idea? Does it work?
# TODO: Is this already done by rp_filter?

# $IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
# $IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
# $IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
# $IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
# $IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
# $IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
# $IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
# # $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
# $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
# $IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
# $IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
# $IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
# $IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
# # $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
# $IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
# $IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP


#------------------------------------------------------------------------------
# Selectively allow certain outbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" requests.
# Submission (RFC 2476) is used for sending email, and uses port 587.
# This can be encrypted or unencrypted, depending on the server (I think).
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_ftp kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing DHCP requests.
# TODO: This is completely untested, I have no idea whether it works!
$IPTABLES -A OUTPUT -m state --state NEW -p udp --sport 68 --dport 67 -j ACCEPT

# Allow outgoing NTP (time synchronization) requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing requests to port 8080. Unencrypted, use with care.
# This is sometimes needed to access various proxies.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT

# TODO: IRC, ICQ, ...?


#------------------------------------------------------------------------------
# Selectively allow certain inbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow DNS requests.
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow HTTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow HTTPS requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow POP3 requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow POP3S requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow SMTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow SSH requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow FTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# # Allow nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT


#------------------------------------------------------------------------------
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------

# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0
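To make the rp_filter point from the thread concrete, here is an added example (not part of Uwe's fw_laptop script or Pascal's reply) that models the /proc/sys/net/ipv4/conf tree under a scratch directory, so it runs without root, and compares setting only conf/all against setting every entry the way the revised script does; the fake tree, the function names and the simulated late-arriving interface ppp0 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the kernel enables source address verification on an
# interface only when BOTH conf/all/rp_filter AND conf/<iface>/rp_filter
# are 1, and a new interface starts with a copy of conf/default.
# Everything below works on a constructed scratch tree, not the real /proc.

# Build a fake conf/ tree with the kernel's two pseudo-entries plus three
# interfaces, all with rp_filter=0. Prints the root directory.
make_tree() {
    root=$(mktemp -d)
    for d in all default lo eth0 wlan0; do
        mkdir -p "$root/conf/$d"
        echo 0 > "$root/conf/$d/rp_filter"
    done
    echo "$root"
}

# Read rp_filter for entry $2 under root $1.
rp_get() { cat "$1/conf/$2/rp_filter"; }

# Effective state for interface $2 under root $1: 1 only when conf/all AND
# conf/<iface> are both 1, mirroring the kernel's logical AND.
rp_filter_effective() {
    if [ "$(rp_get "$1" all)" = 1 ] && [ "$(rp_get "$1" "$2")" = 1 ]; then
        echo 1
    else
        echo 0
    fi
}

# The original script's approach: write only conf/all.
enable_all_only() { echo 1 > "$1/conf/all/rp_filter"; }

# The revised script's approach: write every existing entry, which also
# covers conf/default so interfaces created later inherit the setting.
enable_every_entry() {
    for f in "$1"/conf/*/rp_filter; do echo 1 > "$f"; done
}

# Simulate bringing up an interface after the firewall script ran: the
# kernel initialises its conf/<iface> entries from conf/default.
add_interface() {
    mkdir -p "$1/conf/$2"
    cp "$1/conf/default/rp_filter" "$1/conf/$2/rp_filter"
}

# Print "<iface>=<effective state>" for every real interface in the tree.
report() {
    for d in "$1"/conf/*/; do
        n=$(basename "$d")
        case $n in all|default) continue ;; esac
        echo "$n=$(rp_filter_effective "$1" "$n")"
    done
}

ROOT=$(make_tree)
enable_all_only "$ROOT"
report "$ROOT"              # all three interfaces still report 0
enable_every_entry "$ROOT"
add_interface "$ROOT" ppp0
report "$ROOT"              # every interface, including ppp0, reports 1
rm -rf "$ROOT"
```

Running it as a normal user shows both reports, and swapping `make_tree` for the real `/proc/sys/net/ipv4` root (read-only, via `rp_filter_effective` and `report` only) gives the actual state of a live host.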

