By Bri Hatch.
Summary: Create a simple but effective host firewall for your machine in ten minutes or less.
Last week I explained how to run
The easiest and most portable solution is to slap the
# cd /etc/init.d
# vi inbound_firewall          (create it)
# cd /etc/rc2.d                # assuming you boot to runlevel 2
# ln -s ../init.d/inbound_firewall S99inbound_firewall
Alternatively you can load your rules manually and use
# iptables-save > /etc/iptables-save       # save the current rules
# iptables-restore < /etc/iptables-save    # restore the previous rules
You'd need to put these
For example Debian has
Here's a script that will create a firewall configuration that matches our theory from last week.
#!/bin/sh
#
# Copyright 2003, Bri Hatch, released under the GPL.
#
# Very minimalistic host firewall:
#
#   allows all outbound access
#
#   allows inbound
#     DNS replies (udp) but no other UDP packets
#     important ICMP packets (time exceeded, etc)
#     TCP packets that are responses to our outbound connections
#       (prevents inbound connections to ssh servers, active FTP, etc)
#
# doesn't muck with forward chain, nor do any connection tracking, etc.
# easy to modify to support older ipchains - replace INPUT with input,
# and DROP with DENY

# Flush the INPUT chain (the only chain this script manages)
iptables -F INPUT

# Set the default policy for the INPUT chain to be 'DROP'
# which means that the packets are discarded, and no message
# is sent to the remote machine in response.
iptables -P INPUT DROP

# enable Reverse Path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo 1 > "$interface"
done

# Allow unrestricted connections over the local interface
iptables -A INPUT -i lo -j ACCEPT

# Allow tcp packets associated with established connections (and Nmap scans...)
iptables -A INPUT -p tcp ! --syn -j ACCEPT

# Allow all DNS replies
# This will break UDP-based streaming media protocols, etc.
iptables -A INPUT -p udp --source-port 53 -j ACCEPT

# If your machine doesn't use BOOTP or DHCP, comment out the following line
iptables -A INPUT -p udp --destination-port 68 -j ACCEPT

# Allow helpful ICMP packets.
# (Feel free to remove some of these)
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# If you want to see dropped packets, uncomment the following
# iptables -A INPUT -j LOG

# Yes, this is redundant since the policy is to DROP, but I'm paranoid.
iptables -A INPUT -j DROP

# Show our tables for grins.
iptables -vnL

#
# End of script.
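Once the script is loaded, it is worth checking that the running ruleset still matches the policy it was meant to install (rules drift when someone "temporarily" opens a port). The audit function below is an added example, not part of Bri's script; it parses iptables-save output and checks the five properties the script above relies on. Both dumps it runs against are constructed for the example, and the SAMPLE_RULES/WEAK_RULES/audit_rules names are my own.

```shell
# Constructed iptables-save output, roughly what the script above yields.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -j DROP
COMMIT'
# Constructed drifted ruleset: policy opened, ssh hole punched, all UDP in.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp -j ACCEPT
COMMIT'
# audit_rules DUMP: print one line per failed check, return 0 if all pass.
audit_rules() {
    dump=$1; fails=0
    rules=$(printf '%s\n' "$dump" | grep '^-A INPUT ')
    # 1. Default policy DROP: anything not explicitly allowed is discarded.
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP ' \
        || { echo 'FAIL: INPUT policy is not DROP'; fails=$((fails+1)); }
    # 2. Loopback must stay open or local services break.
    printf '%s\n' "$rules" | grep -q -- '-i lo -j ACCEPT' \
        || { echo 'FAIL: no loopback ACCEPT'; fails=$((fails+1)); }
    # 3. TCP may only be accepted for non-SYN packets (no inbound connections).
    if printf '%s\n' "$rules" | grep -- '-p tcp' | grep -- '-j ACCEPT' \
        | grep -Ev -- '! --syn|! --tcp-flags' | grep -q .; then
        echo 'FAIL: a rule accepts new inbound TCP connections'; fails=$((fails+1))
    fi
    # 4. UDP ACCEPTs limited to DNS replies (sport 53) and DHCP (dport 68).
    if printf '%s\n' "$rules" | grep -- '-p udp' | grep -- '-j ACCEPT' \
        | grep -Ev -- '--sport 53( |$)|--dport 68( |$)' | grep -q .; then
        echo 'FAIL: UDP accepted beyond DNS replies and DHCP'; fails=$((fails+1))
    fi
    # 5. Chain ends with the explicit (redundant) DROP the script installs.
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = '-A INPUT -j DROP' ] \
        || { echo 'FAIL: INPUT does not end in an explicit DROP'; fails=$((fails+1)); }
    [ "$fails" -eq 0 ]
}
# Demonstration on the constructed dumps; live use: audit_rules "$(iptables-save)"
audit_rules "$SAMPLE_RULES" && echo 'sample ruleset: OK'
audit_rules "$WEAK_RULES" || echo 'weakened ruleset: rejected'
```

The checks are string heuristics over iptables-save syntax, so a rule written with an unusual match order can slip past them; treat a clean audit as a sanity check, not proof.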
That's it, have fun.
Next week, creating new
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He always prefers to build a firewall on his own than use a commercial product. He has this expensive Cisco PIX lying around with six tempting ethernet ports - anyone know how to install Linux on it? Bri can be reached at firstname.lastname@example.org.
Copyright Bri Hatch, 2003
This is the July 09, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityemail@example.com.