pantz.org banner
Laptop Iptables configuration
Posted on 02-27-2004 01:13:00 UTC | Updated on 02-27-2004 01:13:00 UTC
Section: /software/iptables/ | Permanent Link

This iptables ruleset is one that I use on my linux laptop. This script is intended to be run at startup and will block all incomming network traffic that is not part of a connection that went out first. It will also allow all outgoing traffic. Uncomment the lines to allow ping or ssh in if you need it.

#!/bin/bash
#
# Firewall rules for laptop. Only connections are allowed out when turned on.
# 

# Function to set the file to one or zero.
enable () { for file in $@; do echo 1 > $file; done }
disable () { for file in $@; do echo 0 > $file; done }

######################################################################
function on {
    echo "Firewall: enabling filtering"
       	
    #Use Selective ACK which can be used to signify that specific packets are missing.
    disable /proc/sys/net/ipv4/tcp_sack

    #If the kernel should attempt to forward packets. Off by default. Routers should enable.
    disable /proc/sys/net/ipv4/ip_forward

    #Protect against wrapping sequence numbers and in round trip time measurement.
    disable /proc/sys/net/ipv4/tcp_timestamps
   
    #Help against syn-flood DoS or DDoS attacks using particular choices of initial TCP sequence numbers.
    enable /proc/sys/net/ipv4/tcp_syncookies

    # Enable broadcast echo protection.
    enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Disable source routed packets.
    disable  /proc/sys/net/ipv4/conf/*/accept_source_route

    # Disable ICMP Redirect acceptance.
    disable /proc/sys/net/ipv4/conf/*/accept_redirects

    # Don't send Redirect messages.
    disable /proc/sys/net/ipv4/conf/*/send_redirects

    # Do not respond to packets that would cause us to go out
    # a different interface than the one to which we're responding.
    enable /proc/sys/net/ipv4/conf/*/rp_filter

    # Log packets with impossible addresses.
    enable /proc/sys/net/ipv4/conf/*/log_martians

    # Clear any previous rules.
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    
    # Default drop policy.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Allow anything over loopback.
    iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

    # Drop any tcp packet that does not start a connection with a syn flag.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop any invalid packet that could not be identified.
    iptables -A INPUT -m state --state INVALID -j DROP

    # Drop invalid packets.
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP

    # Reject broadcasts to 224.0.0.1
    iptables -A INPUT -d 224.0.0.0 -j REJECT

    # Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
    iptables -A INPUT  -p tcp -m state --state ESTABLISHED     -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT  -p udp -m state --state ESTABLISHED     -j ACCEPT
    iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow ICMP out and anything that went out back in.
    iptables -A INPUT  -p icmp -m state --state ESTABLISHED      -j ACCEPT
    iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED  -j ACCEPT

    # Allow only ICMP echo requests (ping) in. Limit rate in. Uncomment if needed.
    #iptables -A INPUT  -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Allow ssh connections in. Uncomment if needed.
    # iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/s -j ACCEPT

    # Drop everything that did not match above and log it.
    iptables -A INPUT   -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
    iptables -A INPUT   -j DROP
    iptables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT  -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
    iptables -A OUTPUT  -j DROP

}
######################################################################
function off {
    # stop firewall
    echo "Firewall: disabling filtering (allowing all access)"
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
######################################################################
function stop {
    # stop all external connections
    echo "Firewall: stopping all external connections"
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -P INPUT DROP
    iptables -P FORWARD REJECT
    iptables -P OUTPUT REJECT

    # allow anything over loopback
    iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
}

case "$1" in
    start)
	on
    ;;
    stop)
	off
    ;;
    *)
	echo "$0 {start|stop|off}"
	echo "Start executes primary ruleset. Default is block all in and allow everything out."
	echo "Stop disables all filtering"
	echo "Off disables all non-loopback connections"
    ;;
esac

Del.icio.us! | Digg Me! | Reddit!

Related stories


RSS Feed RSS feed logo
About


3com
3ware
alsa
alsactl
alsamixer
amd
android
apache
areca
arm
ati
auditd
awk
badblocks
bash
bind
bios
bonnie
cable
carp
cat5
cdrom
cellphone
centos
chart
chrome
cifs
cisco
cloudera
comcast
commands
comodo
compiz-fusion
corsair
cpufreq
cpufrequtils
cpuspeed
cron
crontab
crossover
cu
cups
cvs
database
dbus
dd
dd_rescue
ddclient
debian
decimal
dhclient
dhcp
diagnostic
diskexplorer
disks
dns
dos
dovecot
drac
dsniff
dvdauthor
e-mail
echo
editor
emerald
ethernet
expect
ext3
ext4
fat32
fedora
fetchmail
fiber
filesystems
firefox
firewall
flac
flexlm
floppy
flowtools
fonts
format
freebsd
ftp
gdm
gnome
greasemonkey
greylisting
growisofs
grub
hacking
hadoop
harddrive
hba
hex
hfsc
html
html5
http
https
idl
ie
ilo
intel
ios
iperf
ipmi
iptables
ipv6
irix
javascript
kde
kernel
kickstart
kmail
kprinter
krecord
kubuntu
kvm
lame
ldap
linux
logfile
lp
lpq
lpr
maradns
matlab
memory
mencoder
mhdd
mkinitrd
mkisofs
moinmoin
motherboard
mouse
movemail
mplayer
multitail
mutt
myodbc
mysql
mythtv
nagios
nameserver
netflix
netflow
nginx
nic
ntfs
ntp
nvidia
odbc
openbsd
openntpd
openoffice
openssh
openssl
opteron
parted
partimage
patch
perl
pf
pfflowd
pfsync
photorec
php
pop3
pop3s
ports
postfix
power
procmail
proftpd
proxy
pulseaudio
putty
pxe
python
qemu
r-studio
raid
recovery
redhat
router
rpc
rsync
saltstack
samba
schedule
screen
scsi
seagate
seatools
sed
sendmail
sgi
shell
siw
smtp
snort
solaris
soundcard
sox
spam
spamd
sql
sqlite
squid
ssh
ssh.com
ssl
su
subnet
subversion
sudo
sun
supermicro
switches
symbols
syslinux
syslog
systemrescuecd
t1
tcpip
tcpwrappers
telnet
terminal
testdisk
tftp
thttpd
thunderbird
timezone
ting
tls
tools
tr
trac
tuning
tunnel
ubuntu
vi
wget
wiki
windows
windowsxp
wireless
wpa_supplicant
x
xauth
xfree86
xfs
xinearama
xmms
youtube
zdump
zeromq
zic
zlib