Using iptables on a Linux system to secure your computer against Internet threats. This is important.

Posted: January 31, 2014. At: 10:25 PM. This was 4 years ago. Post ID: 6924
Page permalink.
WordPress uses cookies, or tiny pieces of information stored on your computer, to verify who you are. There are cookies for logged in users and for commenters. These cookies expire two weeks after they are set.

South Park computer guy.
South Park computer guy.

Securing your Linux computer with iptables is a great way to make sure that you are safer from Internet attacks. The iptables(8) system is the built in firewall for a Linux system. This makes it very easy to secure your computer.

Before you change any settings, backup your iptables configuration.

iptables-save > backup.conf

if the iptables configuration goes awry, you may restore the iptables configuration this way.

iptables-restore backup.conf

Or these commands, this will restore the default iptables configuration.

iptables -F
iptables -X

Blocking incoming ICMP ping requests is accomplished with this iptables command.

iptables -A INPUT --proto icmp --icmp-type 0 -j DROP

If not, go straight to these:

iptables -A INPUT --proto icmp -j ACCEPT
iptables -A INPUT --proto udp --sport 53 -j ACCEPT
iptables -A INPUT --proto udp --dport 67 -j ACCEPT
iptables -A INPUT --proto udp --dport 68 -j ACCEPT
iptables -A INPUT --proto tcp --dport 22 -s 192.168.1.2/24 -j ACCEPT
iptables -A INPUT --proto tcp --dport 22 -j DROP

Here is some more useful iptables stuff.

# Flush all existent rules
iptables -F
iptables -X

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established,related into eth0
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS in
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Some router stuff that might be necessary for DHCP
# iptables -A INPUT --proto icmp -j ACCEPT
# iptables -A INPUT --proto udp --sport 53 -j ACCEPT
# iptables -A INPUT --proto udp --dport 67 -j ACCEPT
# iptables -A INPUT --proto udp --dport 68 -j ACCEPT

# Accept everything out
iptables -P OUTPUT ACCEPT

# Drop everything else
iptables -P FORWARD DROP
iptables -P INPUT DROP

Read more about iptables before using it.

It’s a set of commands that, when issued, change the rules on the iptables firewall. You can either issue them one by one via a terminal or same it as a file, run chmod +x my_file so it can be executed, and then execute it so you don’t have to run each command one by one.

Here is how to create a script to do all of this in one go.

echo "iptables -A INPUT --proto icmp -j ACCEPT" > iptset
echo "iptables -A INPUT --proto udp --sport 53 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto udp --dport 67 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto udp --dport 68 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto tcp --dport 22 -s 192.168.25.0/24 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto tcp --dport 22 -j DROP" >> iptset
chmod +x iptset
mv iptset /usr/bin/iptset
iptset

This will help keep your computer secure.

Here I am putting these commands into my Linux Mint 16 laptop.

deusexmachina ~ # iptables -A INPUT --proto icmp -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto udp --sport 53 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto udp --dport 67 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto udp --dport 68 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto tcp --dport 22 -s 192.168.1.2/24 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto tcp --dport 22 -j DROP

And checking the entries have been properly inserted, using the iptables-save command.

deusexmachina ~ # iptables-save
# Generated by iptables-save v1.4.18 on Fri Jan 31 22:03:08 2014
*filter
:INPUT ACCEPT [2:104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:2046]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
# Completed on Fri Jan 31 22:03:08 2014

No comments have been made. Use this form to start the conversation :)

Leave a Reply