Thursday, February 18, 2016

Iptables configuration for Debian Desktop

Iptables is one of the best firewalls available today. For every packet it applies one of three actions:
a. ACCEPT
b. REJECT
c. DROP

It has many frontends, for example ufw. So let's configure the firewall for our Debian Desktop.

#iptables -P INPUT DROP
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -p icmp -m limit --limit 1/second --limit-burst 5 -j ACCEPT
#iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
#iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
#iptables -A INPUT -p icmp -j DROP
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 10000:10020 -j ACCEPT
#iptables -A INPUT -p udp --dport 10000:10020 -j ACCEPT
#iptables -A INPUT -m state --state INVALID -j DROP
#iptables -P FORWARD DROP
#iptables -A FORWARD -m state --state INVALID -j DROP
#iptables -P OUTPUT ACCEPT
#iptables -A OUTPUT -m state --state INVALID -j DROP

BLOCKING PORT-SCANNING

#iptables -N port-scan
#iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
#iptables -A port-scan -j DROP

LOGGING

#iptables -N LOGGING
#iptables -A INPUT -j LOGGING
#iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "Iptables dropped: " --log-level 7
#iptables -A LOGGING -j DROP

To save our configuration run
#iptables-save
#iptables-save > /etc/myrules
Then edit /etc/network/interfaces using nano and add the following line at the bottom of the file:
pre-up /sbin/iptables-restore < /etc/myrules
and save. Your firewall configuration is now finished. Your iptables log will be in /var/log/kern.log. If you want a custom log file instead of kern.log, create a file named iptables.conf in /etc/rsyslog.d
with the following content
:msg, contains, "Iptables dropped: " -/var/log/iptables.log
& ~
and save the file. Create an empty file iptables.log in /var/log; dropped packets will now be logged to /var/log/iptables.log.

# at the start of a command means a root shell prompt.
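As an added example (not part of the original post or of the linked sources), here is a small POSIX shell script that reads the lines the LOGGING chain writes to /var/log/iptables.log, counts drops per source address and flags sources that probed many distinct ports. The sample log lines are constructed, and inside the fenced script # marks a comment, not a root prompt.

```shell
#!/bin/sh
# Added example: summarise drops recorded by the LOGGING chain above.
# Reads lines in the format the LOG target writes (prefix "Iptables dropped: ")
# from stdin, e.g. flag_scanners 3 < /var/log/iptables.log
# SAMPLE_LOG is constructed test data, not real traffic.
SAMPLE_LOG='Feb 18 10:00:01 debian kernel: [ 100.000001] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 18 10:00:01 debian kernel: [ 100.000002] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 18 10:00:01 debian kernel: [ 100.000003] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 18 10:00:02 debian kernel: [ 100.000004] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=139 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 18 10:00:02 debian kernel: [ 100.000005] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 18 10:00:03 debian kernel: [ 100.000006] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TTL=64 ID=6 DF PROTO=TCP SPT=50001 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 18 10:00:04 debian kernel: [ 100.000007] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TTL=64 ID=7 DF PROTO=TCP SPT=50002 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 18 10:00:05 debian kernel: [ 100.000008] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.30 DST=192.0.2.1 LEN=72 TTL=64 ID=8 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Feb 18 10:00:05 debian kernel: [ 100.000009] Iptables dropped: IN=eth0 OUT= SRC=192.0.2.30 DST=192.0.2.1 LEN=40 TTL=64 ID=9 PROTO=ICMP TYPE=13 CODE=0 ID=321 SEQ=1
Feb 18 10:00:06 debian kernel: [ 100.000010] usb 1-1: new high-speed USB device'

# One line per source address: "SRC total_drops distinct_dst_ports".
# ICMP drops carry no DPT, so they count as drops but not as a port.
summarize_drops() {
    awk '
        /Iptables dropped: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src == "") next
            drops[src]++
            if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in drops) print s, drops[s], ports[s] + 0 }' | sort
}

# Print sources whose dropped packets hit more than $1 distinct ports:
# a cheap indicator of the port sweeps the port-scan chain is meant to slow down.
flag_scanners() {
    summarize_drops | awk -v t="$1" '$3 > t { print $1 }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | flag_scanners 3
```

Lines without the "Iptables dropped: " prefix (other kernel messages sharing kern.log) are ignored, so the script works on kern.log as well as on the dedicated iptables.log.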

I gathered all these configurations from the internet and the Debian forums; here are the links for further information.

1. http://forums.debian.net/viewtopic.php?f=16&t=117514
2. http://forums.debian.net/viewtopic.php?f=16&t=16166&hilit=firewall
3. http://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/
4. http://hakersparadise.blogspot.in/2012/05/using-ip-tables-in-linux-to-secure.html
5. http://unix.stackexchange.com/questions/88994/help-configuring-a-custom-log-file-for-iptables
6. http://www.thegeekstuff.com/2012/08/iptables-log-packets/

Also check this tutorial; it is based on an iptables frontend called Arno's Iptables Firewall.
7. http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html
