Dotfiles: iptables

This is my iptables configuration. I use the same file on my laptop/desktop PC and on all my servers/VPS. I think that the security of a host exposed on the Internet and that of a simple daily-use laptop must be exactly the same: taking for granted that a laptop is less exposed than an Internet-facing host is just trusting the firewalls and the other hosts on the same network too much.

The policy is default deny: drop all the stuff you are not using and allow just the stuff you want.

And yep, I know that this is not really a dotfile, but it is a configuration file and I think it is interesting too.

config file

I keep this script as /etc/init.d/iptables and use it as a service. It is launched at boot in runlevels 2, 3, 4 and 5 (as declared in the LSB header below).

The script supports {start,stop,restart,paranoid}. The first three do the obvious thing; the last one is only used on my laptop and closes all the ports, even SSH (of course a paranoid mode is a bad idea on a VPS that you can only reach over SSH).

Here is the complete file; I'll comment on it section by section.

LSB tags

In order to be used as a service on a Debian machine, the script needs the LSB header:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Secure the network with iptables
# Description:       Secure the network with iptables.
### END INIT INFO

Defining constants

iptables=/sbin/iptables
lo_ip="127.0.0.1"

. /lib/lsb/init-functions

Policies

Set the default policies: only outgoing packets are allowed, forwarded and incoming packets are dropped. Note that iptables only handles IPv4; on a host with IPv6 connectivity the same policies and rules have to be loaded with ip6tables as well, otherwise every port stays reachable over IPv6.

echo "Starting iptables..."
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT ACCEPT

Flushing old rules

Flush all the chains; this is equivalent to deleting all the rules one by one (the RULES, not the POLICIES). The last line deletes any user-defined chains in the filter table. Because the DROP policies are already in place, there is a short window, until the ESTABLISHED,RELATED rule below is added, in which every incoming packet is dropped, the SSH session running the script included; TCP retransmits, so in practice the session only stalls for a moment.

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -F -t nat
$iptables -F
$iptables -X

Basic rules

# Loopback: match on the interface rather than on the source address, so the
# firewall does not depend on the kernel rejecting packets that arrive on another
# interface with a spoofed 127.0.0.1 source
$iptables -A INPUT -i lo -j ACCEPT

# Accept packets of established connections and packets related to them
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP (optional but recommended; ICMP errors belonging to an existing
# connection are already accepted as RELATED, so this mainly allows ping)
$iptables -A INPUT -p ICMP -j ACCEPT

Configuration of specific ports

SSH

# SSH
# Port 62222 is redirected to 22 because some networks block outgoing traffic to port 22.
# The REDIRECT runs in nat/PREROUTING, before the packet reaches INPUT, so connections
# made to 62222 are matched by the port-22 rules below (rate limit included) and no
# INPUT rule for 62222 is needed.
# Brute-force protection: every NEW connection from an address is recorded (--set) and
# an address with 10 or more NEW connections in the last 60 seconds is dropped
# (--update). Dropped attempts are recorded as well, so the ban does not expire after
# a fixed 60 seconds but only once the address slows down. sshd still allows several
# password attempts per connection (MaxAuthTries, 6 by default).
$iptables -t nat -A PREROUTING -p tcp --dport 62222 -j REDIRECT --to-port 22
$iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
$iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --rsource -j DROP
$iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
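To see what the two -m recent rules actually do over time, here is an added example (not part of the init script) that models the kernel's recent list: --set records a timestamp per source address, --update matches when at least --hitcount timestamps fall within the last --seconds and, on a match, records the time again. The 20-entry ring per address is the module's default ip_pkt_list_tot; the source addresses and timings are constructed. It is in Python because iptables itself cannot be exercised without root.

```python
# Added example: a model of the xt_recent --set / --update --seconds --hitcount
# logic behind the SSH rules, run over constructed connection timestamps.
# Not part of the original init script.

from collections import defaultdict

WINDOW = 60      # --seconds 60
HITCOUNT = 10    # --hitcount 10
LIST_SIZE = 20   # ip_pkt_list_tot: default number of timestamps kept per address


class RecentList:
    """Per-source ring of timestamps, as kept by the kernel's recent list."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet's time for src (never affects the verdict)."""
        ring = self.stamps[src]
        ring.append(now)
        if len(ring) > LIST_SIZE:      # ring buffer: the oldest stamp is overwritten
            del ring[0]

    def update(self, src, now, seconds, hitcount):
        """--update --seconds --hitcount: match if src has at least `hitcount`
        stamps within the last `seconds`; on a match the time is recorded too."""
        ring = self.stamps.get(src)
        if not ring:
            return False
        hits = sum(1 for t in ring if t >= now - seconds)
        if hits >= hitcount:
            self.set(src, now)         # the match itself refreshes the entry
            return True
        return False


def ssh_verdict(table, src, now):
    """Walk the three port-22 rules for one NEW connection from src at time now."""
    table.set(src, now)                                   # -m recent --set
    if table.update(src, now, WINDOW, HITCOUNT):          # -m recent --update ... -j DROP
        return "DROP"
    return "ACCEPT"                                       # --state NEW --dport 22 -j ACCEPT


def run_attempts(attempts):
    """attempts: list of (src, time_in_seconds); returns the verdict for each."""
    table = RecentList()
    return [ssh_verdict(table, src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed: one attacker tries once a second, twelve times in a row.
    burst = [("203.0.113.7", t) for t in range(12)]
    print(run_attempts(burst))
    # ...then keeps trying every 10 seconds: the ban never expires, because
    # dropped attempts are recorded as well.
    slow = burst + [("203.0.113.7", t) for t in range(19, 120, 10)]
    print(run_attempts(slow)[-1])
    # An address that stays quiet for more than a minute gets in again.
    quiet = burst + [("203.0.113.7", 200)]
    print(run_attempts(quiet)[-1])
```

The first run shows that it is the tenth NEW connection within a minute that is dropped, not the eleventh; the second shows that one attempt every ten seconds keeps the address banned for as long as it goes on; the third shows a pause of more than a minute clearing the ban.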

HTTP Servers

# HTTP Server
$iptables -A INPUT -p TCP -m state --state NEW --dport 80 -j ACCEPT

# Alternative: run the server as an unprivileged user on 8080 and redirect port 80 to it
# (the INPUT rule must then accept 8080, the port the packet has after the REDIRECT)
#$iptables -A INPUT -p TCP -m state --state NEW --dport 8080 -j ACCEPT
#$iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Torrents stuff

# Torrents
$iptables -A INPUT -p TCP -m state --state NEW --dport 61414 -j ACCEPT
$iptables -A INPUT -p TCP -m state --state NEW --dport 61413 -j ACCEPT

MDNS

# mDNS - service discovery used by Avahi (avahi-daemon). Only the multicast
# destination is needed, so unicast queries from arbitrary hosts stay blocked
$iptables -A INPUT -p UDP -d 224.0.0.251 --dport 5353 -j ACCEPT
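A check I would run after loading the script: dump the live ruleset with iptables-save and audit what it actually allows instead of trusting the script. The example below is added here and is not part of the original file; the dump is constructed in the format iptables-save prints (it writes 127.0.0.1/32 and --to-ports) and deliberately keeps the loopback rule as a source-address match and an INPUT accept for port 62222, so that the audit has something to report.

```python
# Added example: parse an iptables-save dump and report what the ruleset allows.
# Not part of the original init script. SAMPLE_DUMP is constructed in the format
# iptables-save prints; it was not captured from a real host.

import shlex

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 62222 -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 62222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 61414 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 61413 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
COMMIT
"""


def option(argv, *names):
    """Value following the first of `names` in an argv list, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [{"chain", "argv"}]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # *filter, *nat, ...
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                     # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        elif line.startswith("-A "):                   # -A CHAIN matches... -j TARGET
            argv = shlex.split(line)
            table["rules"].append({"chain": argv[1], "argv": argv[2:]})
    return tables


def open_ports(tables):
    """(proto, port) pairs that INPUT accepts for new connections."""
    ports = set()
    for rule in tables["filter"]["rules"]:
        argv = rule["argv"]
        proto, port = option(argv, "-p"), option(argv, "--dport")
        if rule["chain"] == "INPUT" and option(argv, "-j") == "ACCEPT" and proto and port:
            ports.add((proto.lower(), int(port)))
    return ports


def redirects(tables):
    """{arriving port: target port} for REDIRECT rules in nat/PREROUTING."""
    out = {}
    for rule in tables.get("nat", {"rules": []})["rules"]:
        argv = rule["argv"]
        if rule["chain"] == "PREROUTING" and option(argv, "-j") == "REDIRECT":
            out[int(option(argv, "--dport"))] = int(option(argv, "--to-ports", "--to-port"))
    return out


def audit(tables):
    """Findings a reviewer of this ruleset would raise, in chain order."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if tables["filter"]["policies"].get(chain) != "DROP":
            findings.append(f"{chain} policy is not DROP")
    for rule in tables["filter"]["rules"]:
        argv = rule["argv"]
        if (rule["chain"] == "INPUT" and option(argv, "-j") == "ACCEPT"
                and option(argv, "-s", "--source") in ("127.0.0.1", "127.0.0.1/32")
                and option(argv, "-i") is None):
            findings.append("loopback accepted by source address instead of -i lo")
    # a port that nat redirects is rewritten before INPUT ever sees the packet
    for port in redirects(tables):
        if any(p == port for _, p in open_ports(tables)):
            findings.append(f"INPUT accept for port {port} never matches external traffic")
    return findings


if __name__ == "__main__":
    t = parse_iptables_save(SAMPLE_DUMP)
    print(sorted(open_ports(t)))
    print(redirects(t))
    for finding in audit(t):
        print("finding:", finding)
```

On a real host replace SAMPLE_DUMP with the output of iptables-save (and ip6tables-save, which this script leaves untouched).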

Useful commands

To ban an address and to log the dropped packets:

# Ban an address (insert at the top of INPUT so it is matched before any ACCEPT rule)
#$iptables -I INPUT -s MALICIOUS_ADDRESS -j DROP
# Log dropped packets: append this as the last INPUT rule, just before the DROP policy
# applies; the limit keeps an attacker from flooding the log
#$iptables -A INPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "Drop INPUT: "
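Once the LOG rule is active, the dropped packets show up in the kernel log as lines carrying the Drop INPUT: prefix followed by KEY=VALUE fields. The example below, added here and not part of the original script, parses such lines and lists the sources that deserve the ban rule; the log lines are constructed to mirror the LOG target's format, with documentation addresses, and were not copied from a real host.

```python
# Added example: summarise the kernel log lines written by the LOG rule and pick
# addresses worth banning. Not part of the original init script. SAMPLE_LOG is
# constructed in the LOG target's format; it was not taken from a real host.

from collections import Counter

PREFIX = "Drop INPUT: "   # the --log-prefix used in the LOG rule

SAMPLE_LOG = """\
Mar 10 02:14:07 vps kernel: [12345.678901] Drop INPUT: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 02:14:09 vps kernel: [12347.112233] Drop INPUT: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 02:14:11 vps kernel: [12349.445566] Drop INPUT: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4323 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 02:15:40 vps kernel: [12438.001122] Drop INPUT: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 02:16:02 vps kernel: [12460.778899] Drop INPUT: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=133 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=113
Mar 10 02:16:05 vps sshd[2190]: Accepted publickey for jcarreras from 198.51.100.50 port 52000 ssh2
"""


def parse_log_line(line):
    """KEY=VALUE fields of one LOG line (bare flags such as DF or SYN map to True),
    or None when the line was not written by the LOG rule."""
    pos = line.find(PREFIX)
    if pos < 0:
        return None
    fields = {}
    for tok in line[pos + len(PREFIX):].split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else True
    return fields


def dropped_by_source(text):
    """Counter of (SRC, PROTO, DPT) over every LOG line in text."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields and "SRC" in fields:
            counts[(fields["SRC"], fields.get("PROTO"), fields.get("DPT"))] += 1
    return counts


def ban_candidates(text, threshold):
    """Sources with at least `threshold` dropped packets, most active first."""
    per_src = Counter()
    for (src, _, _), n in dropped_by_source(text).items():
        per_src[src] += n
    return [src for src, n in per_src.most_common() if n >= threshold]


def ban_commands(text, threshold):
    """The ban rule from this section, one per candidate, inserted at the top of INPUT."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in ban_candidates(text, threshold)]


if __name__ == "__main__":
    for key, n in dropped_by_source(SAMPLE_LOG).most_common():
        print(n, key)
    print(ban_commands(SAMPLE_LOG, threshold=3))
```

Feed it the kernel log (grep "Drop INPUT:" /var/log/kern.log, or the output of dmesg) and pick a threshold that fits the host; a single dropped packet is noise, a run of SYNs to telnet and RDP from one source is not.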

Stopping iptables

Set all the policies to ACCEPT and then flush all the rules, in that order: if the rules were flushed first, the DROP policy would briefly block everything.

echo "Stopping iptables script"
$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -F -t nat
$iptables -F
$iptables -X

Paranoid mode

The same as start, but without the rules that open ports: set the DROP policies, flush all the rules and allow nothing from the outside world.

tl;dr

Again, here you have the link to the file. It is well commented and ready to use: copy it to your /etc/init.d/ directory and use rcconf (or update-rc.d iptables defaults) to enable it at system startup. You must be protected in the Wild West.

Last note

If you see any security flaw in this script, please let me know (jcarreras [at] krenel [dot] com) and I will update this page and the configuration file of all my servers. Thanks in advance!