Security

Iptables Summary

Check Iptables Set Up

To view the Iptables set up, type:

iptables -L

To see verbose details, type:

iptables -L -v

To view just the INPUT chain, type:

iptables -L INPUT

When rules contain IP addresses, Iptables tries to resolve each address to a host name, which can take some time if many such rules are in use. To skip the lookups, use "-n" for numeric output:

iptables -L -n

To view line numbers at the beginning of each line, type:

iptables -L -n --line-numbers

Start Iptables Automatically

For the Iptables rules to be in place each time the computer is turned on, add the following line at the very end of your Iptables rules script, so the rules are saved after they have been loaded.

iptables-save > /etc/iptables.rules

Also add the following line to "/etc/network/interfaces", under the stanza of the interface that should be protected, so the rules are restored before the interface comes up.

pre-up iptables-restore < /etc/iptables.rules

Save Rules

Rules can be saved using the following:

iptables-save > /etc/iptables.rules

Save Rules When Shutting Down

To save the rules when the interface goes down (for example at shutdown), add the following line to "/etc/network/interfaces", under the same interface stanza.

post-down iptables-save > /etc/iptables.rules

Log Iptables

Logging needs LOG rules in the Iptables rule set (see the example rules below). Those rules use "--log-level 4", which is the "warning" priority, so to send the messages to "/var/log/iptables.log" add the following line to "/etc/syslog.conf":

kern.warning   /var/log/iptables.log

You need to restart your computer for this to take effect.


Change Policy to Drop

To change the policy to DROP, use the following:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Add Chains

To create a new chain, use the following:

iptables -N LOGDROP

Example of Iptables Rules

# Flush the rules in every filter chain, then make sure the LOGDROP chain exists
# (iptables -F empties chains but neither creates nor deletes them; the -N fails
# harmlessly if the chain is already there).
iptables -F
iptables -N LOGDROP 2>/dev/null
# Log, then drop, packets the connection tracker considers invalid.
iptables -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix 'InvalidDrop '
iptables -A INPUT -m state --state INVALID -j DROP
# Allow everything on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
# Log a sample of all remaining incoming traffic: at most two lines per minute.
iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
# Send packets from these source blocks (the private ranges and the other blocks
# chosen for this example) to the LOGDROP chain.
iptables -A INPUT -s 10.0.0.0/8 -j LOGDROP
iptables -A INPUT -s 172.16.0.0/12 -j LOGDROP
iptables -A INPUT -s 192.168.0.0/16 -j LOGDROP
iptables -A INPUT -s 203.194.0.0/18 -j LOGDROP
iptables -A INPUT -s 60.208.0.0/12 -j LOGDROP
iptables -A INPUT -s 202.96.0.0/12 -j LOGDROP
iptables -A INPUT -s 60.0.0.0/11 -j LOGDROP
iptables -A INPUT -s 222.192.0.0/11 -j LOGDROP
iptables -A INPUT -s 203.193.128.0/18 -j LOGDROP
# Accept replies to connections this machine started.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept packets from source port 80 (web) and 53 (DNS). Genuine replies are
# already admitted by the ESTABLISHED,RELATED rule; these two rules also admit
# any packet that merely uses those source ports.
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
# Log, then drop, everything else arriving.
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -j DROP
# Outgoing: allow loopback, log a sample (six lines per hour), allow the rest.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m limit --limit 6/hour -j LOG --log-level 4 --log-prefix 'OutAllow6/h '
iptables -A OUTPUT -j ACCEPT
# The LOGDROP chain: log with its own prefix, then drop.
iptables -A LOGDROP -j LOG --log-level 4 --log-prefix 'SourceDrop '
iptables -A LOGDROP -j DROP
# Save the rules so they can be restored at boot (see "Start Iptables Automatically").
iptables-save > /etc/iptables.rules
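The rules above write one kernel log line per dropped packet, tagged with the prefixes 'InvalidDrop ', 'SourceDrop ' and 'InDrop '. The following script is an added example, not part of this page or of Iptables, showing how to read "/var/log/iptables.log" and count drops per prefix and source address, and which of the LOGDROP blocks a source falls into. The log lines are constructed samples in the format the LOG target produces; the source addresses and DPT values in them are made up.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the kernel LOG format (syslog header, then KEY=VALUE
# fields); the prefixes are the ones used by the example rules above.
SAMPLE_LOG = """\
May  3 10:01:12 box kernel: InvalidDrop IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=22 RST
May  3 10:01:15 box kernel: SourceDrop IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=445 SYN
May  3 10:01:20 box kernel: [ 5213.120] InDrop IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN
May  3 10:01:30 box kernel: OutAllow6/h IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN
May  3 10:01:44 box kernel: SourceDrop IN=eth0 OUT= SRC=192.168.5.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51003 DPT=80 SYN
"""

# Source blocks the example INPUT rules send to LOGDROP (copied from the rules above).
LOGDROP_BLOCKS = [ip_network(b) for b in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.194.0.0/18", "60.208.0.0/12",
    "202.96.0.0/12", "60.0.0.0/11", "222.192.0.0/11", "203.193.128.0/18")]

# The LOG target prints the prefix directly before "IN=", which is why the prefixes
# in the rules end with a space; an optional "[uptime]" stamp may precede the prefix.
LINE_RE = re.compile(r"kernel:\s+(?:\[\s*[\d.]+\]\s*)?(?P<prefix>\S+)\s+(?P<fields>IN=.*)$")

def parse_line(line):
    """Return {'prefix': ..., 'SRC': ..., 'DPT': ...} for one LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:            # flags such as SYN or RST carry no value
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec

def matching_block(src):
    """Which LOGDROP block (if any) the source address falls into."""
    addr = ip_address(src)
    for net in LOGDROP_BLOCKS:
        if addr in net:
            return str(net)
    return None

def count_drops(log_text):
    """Count logged drops per prefix and source; OutAllow6/h lines are skipped."""
    drops = defaultdict(Counter)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["prefix"].endswith("Drop"):
            drops[rec["prefix"]][rec["SRC"]] += 1
    return drops
```

Run it against the real file with `count_drops(open("/var/log/iptables.log").read())`; a source that keeps appearing under 'InDrop ' with many different DPT values is worth a closer look.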

Additional information

You can do much more with Iptables.

For help, open the terminal and type:

iptables -h

For the Iptables manual, open the terminal and type:

man iptables


© Copyright Guy Shipard 2008 - 2009