Difference between revisions of "Iptables"

From Mage

Revision diff (line 35): this revision adds one rule to the "REJECT EVERYTHING ELSE" block, between the comment and the existing tcp-reset line:

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
Latest revision as of 22:23, 17 February 2019

A quick and dirty guide to iptables on Arch.

Building a Simple Stateful Firewall

vi /etc/iptables/iptables.rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

### Service rules

# Allow connections that are already established first.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept local traffic
-A INPUT -i lo -j ACCEPT

# Drop all packets with invalid headers or checksum
-A INPUT -m conntrack --ctstate INVALID -j DROP

### BAD ACTOR LIST ###
# Put IP ranges in here that you know you'll never ever want to accept traffic from.

### /BAD ACTOR LIST ###

# Accept all new incoming ICMP echo requests, also known as pings
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

## Port opening
# enable SSH - LOCK THAT SUCKER DOWN.
-A INPUT -p tcp --dport 22 -j ACCEPT

# HTTPS Web Server
#-A INPUT -p tcp --dport 443 -j ACCEPT

# REJECT EVERYTHING ELSE
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

COMMIT


Start and enable the service

Start iptables

systemctl start iptables

This will start the iptables firewall service. Your existing SSH session shouldn't drop at this point (the RELATED,ESTABLISHED rule accepts it) unless you forgot to declare a custom SSH port. Double-check that you can open a new SSH connection now: problems are much harder to diagnose once you no longer have an open terminal.


Enable iptables

Once you're sure you aren't going to lock yourself out, enable the iptables service to start at boot:

systemctl enable iptables