pantz.org banner
Laptop Iptables configuration
Posted on 02-27-2004 01:13:00 UTC | Updated on 02-27-2004 01:13:00 UTC
Section: /software/iptables/ | Permanent Link

This iptables ruleset is one that I use on my linux laptop. This script is intended to be run at startup and will block all incomming network traffic that is not part of a connection that went out first. It will also allow all outgoing traffic. Uncomment the lines to allow ping or ssh in if you need it.

#!/bin/bash
#
# Firewall rules for laptop. Only connections are allowed out when turned on.
# 

# Function to set the file to one or zero.
enable () { for file in $@; do echo 1 > $file; done }
disable () { for file in $@; do echo 0 > $file; done }

######################################################################
function on {
    echo "Firewall: enabling filtering"
       	
    #Use Selective ACK which can be used to signify that specific packets are missing.
    disable /proc/sys/net/ipv4/tcp_sack

    #If the kernel should attempt to forward packets. Off by default. Routers should enable.
    disable /proc/sys/net/ipv4/ip_forward

    #Protect against wrapping sequence numbers and in round trip time measurement.
    disable /proc/sys/net/ipv4/tcp_timestamps
   
    #Help against syn-flood DoS or DDoS attacks using particular choices of initial TCP sequence numbers.
    enable /proc/sys/net/ipv4/tcp_syncookies

    # Enable broadcast echo protection.
    enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Disable source routed packets.
    disable  /proc/sys/net/ipv4/conf/*/accept_source_route

    # Disable ICMP Redirect acceptance.
    disable /proc/sys/net/ipv4/conf/*/accept_redirects

    # Don't send Redirect messages.
    disable /proc/sys/net/ipv4/conf/*/send_redirects

    # Do not respond to packets that would cause us to go out
    # a different interface than the one to which we're responding.
    enable /proc/sys/net/ipv4/conf/*/rp_filter

    # Log packets with impossible addresses.
    enable /proc/sys/net/ipv4/conf/*/log_martians

    # Clear any previous rules.
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    
    # Default drop policy.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Allow anything over loopback.
    iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

    # Drop any tcp packet that does not start a connection with a syn flag.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop any invalid packet that could not be identified.
    iptables -A INPUT -m state --state INVALID -j DROP

    # Drop invalid packets.
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP

    # Reject broadcasts to 224.0.0.1
    iptables -A INPUT -d 224.0.0.0 -j REJECT

    # Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
    iptables -A INPUT  -p tcp -m state --state ESTABLISHED     -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT  -p udp -m state --state ESTABLISHED     -j ACCEPT
    iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow ICMP out and anything that went out back in.
    iptables -A INPUT  -p icmp -m state --state ESTABLISHED      -j ACCEPT
    iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED  -j ACCEPT

    # Allow only ICMP echo requests (ping) in. Limit rate in. Uncomment if needed.
    #iptables -A INPUT  -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Allow ssh connections in. Uncomment if needed.
    # iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/s -j ACCEPT

    # Drop everything that did not match above and log it.
    iptables -A INPUT   -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
    iptables -A INPUT   -j DROP
    iptables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT  -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
    iptables -A OUTPUT  -j DROP

}
######################################################################
function off {
    # stop firewall
    echo "Firewall: disabling filtering (allowing all access)"
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
######################################################################
function stop {
    # stop all external connections
    echo "Firewall: stopping all external connections"
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -P INPUT DROP
    iptables -P FORWARD REJECT
    iptables -P OUTPUT REJECT

    # allow anything over loopback
    iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
}

case "$1" in
    start)
	on
    ;;
    stop)
	off
    ;;
    *)
	echo "$0 {start|stop|off}"
	echo "Start executes primary ruleset. Default is block all in and allow everything out."
	echo "Stop disables all filtering"
	echo "Off disables all non-loopback connections"
    ;;
esac

Reddit!

Related stories


RSS Feed RSS feed logo

About


3com

3ware

alsa

alsactl

alsamixer

amd

android

apache

areca

arm

ati

auditd

awk

badblocks

bash

bind

bios

bonnie

cable

carp

cat5

cdrom

cellphone

centos

chart

chrome

chromebook

cifs

cisco

cloudera

comcast

commands

comodo

compiz-fusion

corsair

cpufreq

cpufrequtils

cpuspeed

cron

crontab

crossover

cu

cups

cvs

database

dbus

dd

dd_rescue

ddclient

debian

decimal

dhclient

dhcp

diagnostic

diskexplorer

disks

dkim

dns

dos

dovecot

drac

dsniff

dvdauthor

e-mail

echo

editor

emerald

ethernet

expect

ext3

ext4

fat32

fedora

fetchmail

fiber

filesystems

firefox

firewall

flac

flexlm

floppy

flowtools

fonts

format

freebsd

ftp

gdm

gmail

gnome

google

greasemonkey

greylisting

growisofs

grub

hacking

hadoop

harddrive

hba

hex

hfsc

html

html5

http

https

hulu

idl

ie

ilo

intel

ios

iperf

ipmi

iptables

ipv6

irix

javascript

kde

kernel

kickstart

kmail

kprinter

krecord

kubuntu

kvm

lame

ldap

linux

logfile

lp

lpq

lpr

maradns

matlab

memory

mencoder

mhdd

mkinitrd

mkisofs

moinmoin

motherboard

mouse

movemail

mplayer

multitail

mutt

myodbc

mysql

mythtv

nagios

nameserver

netflix

netflow

nginx

nic

ntfs

ntp

nvidia

odbc

openbsd

openntpd

openoffice

openssh

openssl

openvpn

opteron

parted

partimage

patch

perl

pf

pfflowd

pfsync

photorec

php

pop3

pop3s

ports

postfix

power

procmail

proftpd

proxy

pulseaudio

putty

pxe

python

qemu

r-studio

raid

recovery

redhat

router

rpc

rsync

ruby

saltstack

samba

schedule

screen

scsi

seagate

seatools

sed

sendmail

sgi

shell

siw

smtp

snort

solaris

soundcard

sox

spam

spamd

spf

spotify

sql

sqlite

squid

srs

ssh

ssh.com

ssl

su

subnet

subversion

sudo

sun

supermicro

switches

symbols

syslinux

syslog

systemrescuecd

t1

tcpip

tcpwrappers

telnet

terminal

testdisk

tftp

thttpd

thunderbird

timezone

ting

tls

tools

tr

trac

tuning

tunnel

ubuntu

unbound

vi

vpn

wget

wiki

windows

windowsxp

wireless

wpa_supplicant

x

xauth

xfree86

xfs

xinearama

xmms

youtube

zdump

zeromq

zic

zlib