Summary: Create a simple but effective host firewall for your machine in ten minutes or less.

Last week I explained how to run iptables rules to create a simplistic inbound-access-limiting firewall. Now you certainly don't want to run all these commands every time you start up your computer, so how do you have them run on reboot?

The easiest and most portable solution is to slap the iptables commands into a shell script which you place in the appropriate rc.d directory, for example

  # cd /etc/init.d
  # vi inbound_firewall
  (create it)

  # cd /etc/rc2.d                # assuming you boot to runlevel 2

  # ln -s ../init.d/inbound_firewall S99inbound_firewall

Alternatively you can load your rules manually and use iptables-save to save them to a file, and iptables-restore to read them back in next time.

  # iptables-save> /etc/iptables-save        # save the current rules

  # iptables-restore < /etc/iptables-save     # restore the previous rules.

You'd need to put these iptables-{save,restore} commands into a suitable startup script as well. Many Linux distributions have startup scripts already that will read these files automatically if they exist, so you should check out the scripts in /etc/init.d to see if it has something in place already.

For example Debian has an /etc/init.d/iptables script that will save and load your rules automatically. After running your iptables commands, you run /etc/init.d/iptables save active to save the current ruleset. You should check out the source of the iptables-loading scripts for your Linux distribution to see what they suggest and if there are any 'gotchas'.

Here's a script that will create a firewall configuration that matches our theory from last week.

#!/bin/sh
#
# Copyright 2003, Bri Hatch, released under the GPL.
#
# Very minimalistic host firewall:
#
#   allows all outbound access
#
#   allows inbound
#          DNS replies (udp) but no other UDP packets
#          important ICMP packets (time exceeded, etc)
#          TCP packets that are responses to our outbound connections
#              (prevents inbound connections to ssh servers, active FTP, etc)
#
#   doesn't muck with forward chain, nor do any connection tracking, etc.
#   easy to modify to support older ipchains - replace INPUT with input,
#        and DROP with DENY

# Flush all tables
iptables -F INPUT

# Set the default policy for the INPUT chain to be 'DROP'
# which means that the packets are discarded, and no message
# is sent to the remote machine in response.
iptables -P INPUT DROP

# enable Reverse Path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter
  do
     echo 1> $interface
  done

# Allow unrestricted connections over the local interface
iptables -A INPUT  -i lo -j ACCEPT

# Allow tcp packets associated with established connections (and Nmap scans...)
iptables -A INPUT -p tcp ! --syn -j ACCEPT

# Allow all DNS replies
# This will break UDP-based streaming media protocols, etc.
iptables -A INPUT -p udp --source-port 53 -j ACCEPT

# If your machine doesn't uses BOOTP or DHCPD, comment out the following line
iptables -A INPUT -p udp --destination-port 68 -j ACCEPT

# Allow helpful ICMP packets.  (Feel free to remove some of these)
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# If you want to see dropped packets, uncomment the following
# iptables -A INPUT -j LOG

# Yes, this is redundant since the policy is to DROP, but I'm paranoid.
iptables -A INPUT -j DROP

# Show our tables for grins.
iptables -vnL
#
# End of script.

That's it, have fun.

Next week, creating new iptables chains, to make temporary modifications easier.

Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He always prefers to build a firewall on his own than use a commercial product. He has this expensive Cisco PIX lying around with six tempting ethernet ports - anyone know how to install Linux on it? Bri can be reached at bri@hackinglinuxexposed.com.

Copyright Bri Hatch, 2003

This is the July 09, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Security-request@lists.onsight.com.