IP Tables Firewall Example

From IARC 207 Wiki
Revision as of 11:35, 28 January 2016 by 137.229.92.136 (talk)
Jump to navigation Jump to search

From here but then I expanded a bit for my needs (and dropped the block china part):

I'm still learning how this all goes together however... and one thing. for some reason here, flushing the iptables rules rather than restarting the computer locks you out. It must be something I don't have quite right so watch out for that when configuring and testing. As far as I can tell though, this rule set is a good base and my intention is that it restricts access to just the UAF domain for the radio as well as ssh.


Dump the following into /etc/iptables.firewall.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# from Jim:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -s 137.229.94.2 -d 244.0.0.1 -j ACCEPT
#-A INPUT -s 224.0.0.1 -p udp -m udp -j ACCEPT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from UAF (the normal ports for websites and SSL).
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 443 -j ACCEPT

# Allow Ser2net connections from UAF
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 127.0.0.0/8  -p tcp -m tcp --dport 7808 -j ACCEPT

# I think this drops all others to 7808.
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP

# Allow Ser2net connections from UAF
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 127.0.0.0/8  -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP


-A INPUT -s 137.229.0.0/16 -p udp -m udp -j ACCEPT

#  Allow SSH connections
#  Access controlled through sshd configuration and jail2ban usage
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls (disabled once I saw what all was getting blocked)
##-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Those are our rules. Then, need to tell the computer to run them at boot up:

sudo nano /etc/network/if-pre-up.d/firewall

Add the following to that file:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Next, make sure it is executable:

sudo chmod +x /etc/network/if-pre-up.d/firewall


Should be golden.