Loading iptables rules on startup

Posted by | Saturday, June 11, 2011  at 10:50 AM
0 comments
Labels :

By default iptables is setup on Debian etch but there are no rules configured. In this tutorial we'll configure some rules and load them into iptables on startup.

1. Rules file

Create a new file that will contain a shell script to insert rules into iptables (pico /etc/firewall-rules.sh) and add this content as template:

#!/bin/sh
IPT="/sbin/iptables"

echo -n "Loading iptables rules..."

# Flush old rules
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ICMP rules
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

echo "rules loaded."
You can customize this file as required, check the iptables manual for parameters and options.

Change the permissions to make the file executable by root:

chown root /etc/firewall-rules.sh
chmod 700 /etc/firewall-rules.sh


2. Load rules shell script on startup

Add this line above the address line for your default network interface (pico /etc/network/interfaces):

pre-up /etc/firewall-rules.sh


Now, every time you start the network interfaces including restarting the system, iptables rules are reloaded.

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
 
2012 upshell | Header Image by Game Wallpapers
Avatar Gamezine Designed by Cheapest Tablet PC
Supported by Phones 4u