
Re: Better iptables firewall



Personally, the smaller your configuration, the better your security. Here is my config:

# Flush all rules and delete any user-defined chains in the filter table
iptables -t filter -F
iptables -t filter -X
# Default policies: drop everything no rule explicitly accepts
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
# Inbound: only replies to connections this host opened, plus related traffic
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback: accept 127/8 traffic on lo unless conntrack marks it INVALID
# (negation goes before the option: "! --state INVALID", not "--state ! INVALID")
iptables -t filter -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -m state ! --state INVALID -j ACCEPT
# Outbound: let everything out except packets conntrack considers INVALID
iptables -t filter -A OUTPUT -m state ! --state INVALID -j ACCEPT

You can also add a commented-out line to accept ICMP, just in case you have problems connecting to a network. In that case, uncomment the line and relaunch your firewall. When you have solved the connection problem, comment the ICMP line out again and relaunch your firewall.
#iptables -t filter -A INPUT -p icmp -j ACCEPT

Hope this helps.
Christophe


Michael Pobega wrote:

Currently I'm using iptables as my main firewall, and I'm having no
trouble with it whatsoever. But lately (Since college has started) I've
been connecting to a lot more networks, with more peers connected. I'm
worried about somebody breaking through the security on my laptop and
doing something malicious.

I'm hoping some seasoned Debian sysadmins out there can help me by
advising me on how to better setup iptables...My current setup is:


# Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35639:3072343]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP
#-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
COMMIT
# Completed on Mon Jun 18 09:55:18 2007

The commented rules are uncommented in my ruleset for home (I only have
those ports forwarded on my home router, so opening them outside is a potential security hazard).

-- If programmers deserve to be rewarded for creating innovative
programs, by the same token they deserve to be punished if they
restrict the use of these programs. - Richard Stallman
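As an added example that is not part of either post above: a small POSIX shell audit that reads an iptables-save dump and reports the two things the thread turns on, chains whose default policy is not DROP and INPUT rules that ACCEPT a port without tying the rule to an interface. The function names (audit_ruleset, finding_count) and the sample dump, which is constructed to mirror the quoted ruleset with the "home" port rules enabled, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump.
# Findings: chain policy other than DROP; INPUT ACCEPT rule with --dport but no -i.

# audit_ruleset FILE -> prints one finding per line, nothing when clean
audit_ruleset() {
    awk '
    /^:/ {                                  # ":CHAIN POLICY [pkts:bytes]"
        chain = substr($1, 2)
        if ($2 != "DROP")
            printf "policy: %s defaults to %s, consider DROP\n", chain, $2
        next
    }
    /^#/ { next }                           # comments and disabled rules
    /^-A INPUT / && /--dport/ && /-j ACCEPT/ {
        if ($0 !~ /(^| )-i /)
            printf "open port: \"%s\" has no -i restriction\n", $0
    }' "$1"
}

# finding_count FILE -> number of findings (0 means the dump passed)
finding_count() {
    audit_ruleset "$1" | wc -l | tr -d ' '
}

# Constructed sample modelled on the dump quoted above, with the "home"
# port rules enabled; port 8080 is shown bound to eth0 for contrast.
SAMPLE_DUMP=$(mktemp)
trap 'rm -f "$SAMPLE_DUMP"' EXIT
cat > "$SAMPLE_DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
COMMIT
EOF

audit_ruleset "$SAMPLE_DUMP"
```

Run it against `iptables-save` output from each network you use; a clean run prints nothing, and finding_count gives a number a script can act on.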