Using iptables on a Linux system to secure your computer against Internet threats. This is important.

Posted: January 31, 2014, at 10:25 PM. Post ID: 6924
Page permalink: http://securitronlinux.com/bejiitaswrath/using-iptables-on-a-linux-system-to-secure-your-computer-against-internet-threats-this-is-important/


Securing your Linux computer with iptables is a good way to make it safer from Internet attacks. iptables(8) is the built-in packet filter of a Linux system, so securing your computer with it is straightforward.

Before you change any settings, backup your iptables configuration.

iptables-save > backup.conf

If the iptables configuration goes awry, you may restore it from that backup this way.

iptables-restore < backup.conf

Or use these commands; they flush every rule and delete all user-defined chains, which puts iptables back to its empty state. Note that they do not reset the chain policies, so a policy such as INPUT DROP stays in force until you run iptables -P INPUT ACCEPT as well.

iptables -F
iptables -X

Blocking incoming ICMP ping requests (echo-request, ICMP type 8) is accomplished with this iptables command. Type 0 is echo-reply, so dropping that would instead block the replies to your own outgoing pings.

iptables -A INPUT --proto icmp --icmp-type 8 -j DROP

If you would rather keep ping working, skip that rule and go straight to these. Note that while the INPUT chain is still at its default ACCEPT policy only the final DROP rule actually blocks anything; the ACCEPT rules become meaningful once the policy is set to DROP, as in the fuller rule set further down.

iptables -A INPUT --proto icmp -j ACCEPT
iptables -A INPUT --proto udp --sport 53 -j ACCEPT
iptables -A INPUT --proto udp --dport 67 -j ACCEPT
iptables -A INPUT --proto udp --dport 68 -j ACCEPT
iptables -A INPUT --proto tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT --proto tcp --dport 22 -j DROP

Here is some more useful iptables stuff.

# Flush all existent rules
iptables -F
iptables -X

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established,related into eth0
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS replies in. Matching on source port 53 alone is weak, since any host
# can send packets from that port; the ESTABLISHED,RELATED rule above already
# admits replies to queries this machine sent, so this rule is largely redundant.
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Some router stuff that might be necessary for DHCP
# iptables -A INPUT --proto icmp -j ACCEPT
# iptables -A INPUT --proto udp --sport 53 -j ACCEPT
# iptables -A INPUT --proto udp --dport 67 -j ACCEPT
# iptables -A INPUT --proto udp --dport 68 -j ACCEPT

# Accept everything out
iptables -P OUTPUT ACCEPT

# Drop everything else
iptables -P FORWARD DROP
iptables -P INPUT DROP

Read more about iptables before using it.

It’s a set of commands that, when issued, change the rules of the iptables firewall. You can either issue them one by one in a terminal, or save them as a file, run chmod +x my_file so it can be executed, and then execute it so you don’t have to type each command individually.

Here is how to create a script to do all of this in one go. Every run appends the rules again, so flush the chain with iptables -F before re-running it.

echo "#!/bin/sh" > iptset
echo "iptables -A INPUT --proto icmp -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto udp --sport 53 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto udp --dport 67 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto udp --dport 68 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto tcp --dport 22 -s 192.168.25.0/24 -j ACCEPT" >> iptset
echo "iptables -A INPUT --proto tcp --dport 22 -j DROP" >> iptset
chmod +x iptset
mv iptset /usr/bin/iptset
iptset

This will help keep your computer secure.
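The same idea, as an added example that is not from the original post: rather than appending rules one at a time, this script builds the complete policy in iptables-save format and loads it atomically with iptables-restore, so running it twice does not duplicate rules and a malformed ruleset leaves the live rules untouched. It assumes the interface name eth0, the LAN 192.168.1.0/24, the conntrack match in place of the older state match, and an iptables-restore that supports --test; run it as root with the argument apply.

```shell
#!/bin/sh
# Build the post's firewall policy as an iptables-save ruleset and load it with
# iptables-restore. Loading a whole table replaces the existing rules rather than
# appending to them, so re-running this script is safe. Assumptions (not from the
# page): interface eth0, LAN 192.168.1.0/24, iptables-restore with --test support.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset in iptables-save format for the given interface and LAN.
build_ruleset() {
    iface="$1"; lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -i $iface -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 22 -s $lan -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
EOF
}

# Number of -A rules in a ruleset read from stdin (quick sanity check).
rule_count() { grep -c '^-A '; }

# Back up the live rules, syntax-check the new ruleset, then load it in one step.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$WAN_IF" "$LAN_NET" > "$tmp"
    iptables-save > "$tmp.bak"   # rollback copy, as the post advises
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
    else
        echo "ruleset rejected; live rules untouched, backup in $tmp.bak" >&2
        return 1
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```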

Here I am putting these commands into my Linux Mint 16 laptop.

deusexmachina ~ # iptables -A INPUT --proto icmp -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto udp --sport 53 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto udp --dport 67 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto udp --dport 68 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto tcp --dport 22 -s 192.168.1.2/24 -j ACCEPT
deusexmachina ~ # iptables -A INPUT --proto tcp --dport 22 -j DROP

And checking that the entries have been properly inserted, using the iptables-save command.

deusexmachina ~ # iptables-save
# Generated by iptables-save v1.4.18 on Fri Jan 31 22:03:08 2014
*filter
:INPUT ACCEPT [2:104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:2046]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
# Completed on Fri Jan 31 22:03:08 2014
