Gentoo Forums
Really strict iptables rules for a desktop
Sadako
Advocate


Joined: 05 Aug 2004
Posts: 3753
Location: sleeping in the bathtub

Posted: Tue Nov 20, 2007 8:26 pm    Post subject: Really strict iptables rules for a desktop

I've been using a really strict iptables ruleset for a while now, and thought I'd share in case there was anyone else interested or as paranoid as myself.

Yes yes, I know this won't make my box any more secure than simply accepting all ESTABLISHED,RELATED input and all output, but it's just something I was curious about and have working well for me.

I've allowed all local tcp and udp traffic, and additionally allowed dns, http, https, ssh and irc.
If you don't log in to your own machine via ssh remove the accept rules on port 22, especially the NEW rule.

Also, with the icmp rules you'll be able to ping from the box no problem, but others won't be able to ping you.
I've found icmp RELATED accept is required for some things, particularly bittorrent.

The INPUT rules:
Code:
-P INPUT DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -p tcp -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -p udp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 6667 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT

The OUTPUT rules:
Code:
-P OUTPUT DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -p tcp -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -p udp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
You can just as easily combine the NEW and ESTABLISHED state rules for the same port in one rule (--state NEW,ESTABLISHED), but I find this way useful for the separate counters I get for new and established connections.
The REJECT rule is also unnecessary, but I just prefer to reject outgoing connections rather than silently dropping them.

For syncing portage you need to be able to communicate on port 873, but rather than having it enabled all the time I have the following as an executable script in /usr/local/sbin/esync:
Code:
#!/bin/bash
# Open rsync (tcp/873) only for the duration of the sync, then close it again.

# Left unquoted on purpose below so the options split into separate iptables arguments.
INCOMING="-p tcp -m tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT"
OUTGOING="-p tcp -m tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT"

# Remove the temporary rules again on exit, including when the sync is interrupted (Ctrl-C, error).
cleanup() {
    /sbin/iptables -D INPUT $INCOMING
    /sbin/iptables -D OUTPUT $OUTGOING
}
trap cleanup EXIT

# Position 4 puts the rules after the INVALID and loopback rules, ahead of the rest of the chain.
/sbin/iptables -I INPUT 4 $INCOMING
/sbin/iptables -I OUTPUT 4 $OUTGOING

time emerge --sync
These are just the basics of course, for any others you'll have to add the rules yourself but it should be trivial once you know the port numbers needed.

Any thoughts, ideas, improvements?
_________________
"You have to invite me in"
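As an added example (not part of the original post): a small Python simulator that parses a constructed subset of the ruleset above, in the same iptables command syntax, and walks each chain the way netfilter does, first match wins, otherwise the chain policy. It lets you check offline that inbound pings are dropped while outbound pings and their replies pass, and that rsync to port 873 hits the final REJECT until an esync-style rule is inserted ahead of it. The packet-field dictionary and the interface names are this example's own convention.

```python
import shlex
# Constructed subset of the ruleset posted above, in the same iptables command syntax.
RULES = """
-P INPUT DROP
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
-P OUTPUT DROP
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
"""
RSYNC_OUT = "-A OUTPUT -p tcp -m tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT"

def parse_rule(line):
    """'-A CHAIN ...' -> (chain, {p/sport/dport/i/o: str, state: set, j: target})."""
    tok, rule = shlex.split(line), {}
    for flag, val in zip(tok[2::2], tok[3::2]):
        if flag == "--state":
            rule["state"] = set(val.split(","))
        elif flag not in ("-m", "--reject-with"):  # -m names a module, not a packet field
            rule[flag.lstrip("-")] = val           # p, sport, dport, i, o and j (the target)
    return tok[1], rule

def parse(text):  # -> {chain: [policy, [rules in the order the kernel walks them]]}
    chains = {}
    for line in text.strip().splitlines():
        tok = line.split()
        entry = chains.setdefault(tok[1], ["DROP", []])
        if tok[0] == "-P":
            entry[0] = tok[2]
        else:
            entry[1].append(parse_rule(line)[1])
    return chains

def verdict(chains, chain, pkt):  # first matching rule decides; no match -> chain policy
    policy, rules = chains[chain]
    for r in rules:
        if all(pkt.get(k) in v if k == "state" else pkt.get(k) == v
               for k, v in r.items() if k != "j"):
            return r["j"]
    return policy

def check_examples():
    chains, rsync = parse(RULES), {"p": "tcp", "dport": "873", "state": "NEW", "o": "eth0"}
    out = {"inbound ping": verdict(chains, "INPUT", {"p": "icmp", "state": "NEW", "i": "eth0"}),
           "outbound ping": verdict(chains, "OUTPUT", {"p": "icmp", "state": "NEW", "o": "eth0"}),
           "ping reply": verdict(chains, "INPUT", {"p": "icmp", "state": "ESTABLISHED", "i": "eth0"}),
           "emerge --sync": verdict(chains, "OUTPUT", rsync)}
    # What the esync script's -I OUTPUT 4 achieves: the rsync rule must sit ahead of the final REJECT.
    chains["OUTPUT"][1].insert(-1, parse_rule(RSYNC_OUT)[1])
    out["emerge --sync during esync"] = verdict(chains, "OUTPUT", rsync)
    return out
```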
Keruskerfuerst
Veteran


Joined: 01 Feb 2006
Posts: 1803

Posted: Thu Nov 22, 2007 6:47 am

I have not blocked the following ports:
25: smtp
53: domain
80: http
110: pop3
123: ntp
443: https
873: rsync

All other ports are blocked; in- and outgoing traffic.