Securing your Linux computer with iptables is a great way to make sure that you are safer from Internet attacks. The iptables(8) system is the built in firewall for a Linux system. This makes it very easy to secure your computer.
Before you change any settings, backup your iptables configuration.
iptables-save > backup.conf |
if the iptables configuration goes awry, you may restore the iptables configuration this way.
iptables-restore backup.conf |
Or these commands, this will restore the default iptables configuration.
iptables -F iptables -X |
Blocking incoming ICMP ping requests is accomplished with this iptables command.
iptables -A INPUT --proto icmp --icmp-type 0 -j DROP |
If not, go straight to these:
iptables -A INPUT --proto icmp -j ACCEPT iptables -A INPUT --proto udp --sport 53 -j ACCEPT iptables -A INPUT --proto udp --dport 67 -j ACCEPT iptables -A INPUT --proto udp --dport 68 -j ACCEPT iptables -A INPUT --proto tcp --dport 22 -s 192.168.1.2/24 -j ACCEPT iptables -A INPUT --proto tcp --dport 22 -j DROP |
Here is some more useful iptables stuff.
# Flush all existent rules iptables -F iptables -X # Allow unlimited traffic on loopback iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow established,related into eth0 iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow DNS in iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT # Some router stuff that might be necessary for DHCP # iptables -A INPUT --proto icmp -j ACCEPT # iptables -A INPUT --proto udp --sport 53 -j ACCEPT # iptables -A INPUT --proto udp --dport 67 -j ACCEPT # iptables -A INPUT --proto udp --dport 68 -j ACCEPT # Accept everything out iptables -P OUTPUT ACCEPT # Drop everything else iptables -P FORWARD DROP iptables -P INPUT DROP |
Read more about iptables before using it.
It’s a set of commands that, when issued, change the rules on the iptables firewall. You can either issue them one by one via a terminal or same it as a file, run chmod +x my_file so it can be executed, and then execute it so you don’t have to run each command one by one.
Here is how to create a script to do all of this in one go.
echo "iptables -A INPUT --proto icmp -j ACCEPT" > iptset echo "iptables -A INPUT --proto udp --sport 53 -j ACCEPT" >> iptset echo "iptables -A INPUT --proto udp --dport 67 -j ACCEPT" >> iptset echo "iptables -A INPUT --proto udp --dport 68 -j ACCEPT" >> iptset echo "iptables -A INPUT --proto tcp --dport 22 -s 192.168.25.0/24 -j ACCEPT" >> iptset echo "iptables -A INPUT --proto tcp --dport 22 -j DROP" >> iptset chmod +x iptset mv iptset /usr/bin/iptset iptset |
This will help keep your computer secure.
Here I am putting these commands into my Linux Mint 16 laptop.
deusexmachina ~ # iptables -A INPUT --proto icmp -j ACCEPT deusexmachina ~ # iptables -A INPUT --proto udp --sport 53 -j ACCEPT deusexmachina ~ # iptables -A INPUT --proto udp --dport 67 -j ACCEPT deusexmachina ~ # iptables -A INPUT --proto udp --dport 68 -j ACCEPT deusexmachina ~ # iptables -A INPUT --proto tcp --dport 22 -s 192.168.1.2/24 -j ACCEPT deusexmachina ~ # iptables -A INPUT --proto tcp --dport 22 -j DROP |
And checking the entries have been properly inserted, using the iptables-save command.
deusexmachina ~ # iptables-save # Generated by iptables-save v1.4.18 on Fri Jan 31 22:03:08 2014 *filter :INPUT ACCEPT [2:104] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2:2046] -A INPUT -p icmp -j ACCEPT -A INPUT -p udp -m udp --sport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 67 -j ACCEPT -A INPUT -p udp -m udp --dport 68 -j ACCEPT -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j DROP COMMIT # Completed on Fri Jan 31 22:03:08 2014 |