Basic iptables firewall.

stylish · Posted: Sat Nov 01, 2008 5:55 am Post subject: Basic iptables firewall.

#!/bin/bash
savefirewall() {
/etc/init.d/iptables save
}
addfirewallservice() {
rc-update add iptables default
}
firewalladd() {
iptables -P INPUT DROP
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
}
echo "Installing firewall"
firewalladd
savefirewall
addfirewallservice

VinzC · Posted: Sat Nov 01, 2008 3:51 pm Post subject:

I'd call it the «poor-man's-firewall» ;-)

...
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

Hu · Moderator Joined: 06 Mar 2007 Posts: 21631

Are you seeking advice or sharing this for the good of others? I see three different common mistakes, so I would not recommend anyone use this.

First, you have the standard mistake about loopback address versus loopback interface. I correct people on this one regularly.

Second, you allow any incoming TCP connection based solely on a source port of 53. You probably meant this to enable DNS zone transfers, but it creates a gaping hole for malicious traffic to enter over TCP. You should remove this rule entirely.

Third, you allow any incoming UDP traffic based solely on a source port of 53. This was probably meant to permit normal DNS traffic, but it creates a gaping hole for malicious traffic to enter over UDP. You should remove it and instead allow connection tracking to handle UDP so that DNS is covered via connection tracking.

stylish · Posted: Sun Nov 02, 2008 12:46 am Post subject: The nameserver option.

You can use the address of the nameserver in the iptables. I did not include that option just to make the firewall more compact. But yes it is better to use the address of the 53 nameserver protacol.

Hu · Moderator Joined: 06 Mar 2007 Posts: 21631