
Iptables 4

Change the Policy to Drop

If you type "iptables -L" in the Root Terminal, you will notice it says, "Chain INPUT (Policy ACCEPT)," "Chain FORWARD (Policy ACCEPT)" and "Chain OUTPUT (Policy ACCEPT)." This means that if a packet is not covered by any of the rules in a chain, Iptables will accept it. This is alright for now, because it is a very simple firewall. As more rules are added and the setup becomes more complicated, sooner or later something may be overlooked, and anything overlooked will be accepted. The computer will be more secure if you change the policy to DROP, so that anything overlooked is dropped instead.

If this is done as things stand, the computer will not be able to access the internet, because there are no rules in OUTPUT, so every outgoing packet will fall through to the policy and be dropped.

Add a rule so OUTPUT will work. Insert this rule between the last INPUT rule and the "iptables-save" line.

iptables -A OUTPUT -j ACCEPT

This tells Iptables to append a rule to the OUTPUT chain that accepts all outgoing packets.

You should now have:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
iptables-save > /etc/iptables.rules

Copy and paste this to the Root Terminal.

These new rules will now be saved and used every time the computer is turned on, because the "iptables-save" line is included. If you want to make a temporary change, but have the computer revert to the previous setup next time it is turned on, leave out the "iptables-save" line.

Now let's change the policy to DROP.

Type the following:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

If you now type:

iptables -L

You will notice it says "Chain INPUT (Policy DROP)," "Chain FORWARD (Policy DROP)" and "Chain OUTPUT (Policy DROP)."

This setup will function the same as the previous one. However, as more rules are added and it gets more complicated, anything overlooked will now be dropped rather than accepted, making the computer more secure.
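To see why the policy matters, here is an added example (not from the original page) that models, in Python, how Iptables walks a chain: the first matching rule decides, and only a packet that matches no rule falls through to the chain policy set with -P. It uses the page's rule set; the Packet and Rule classes, the sample packets and the interface name eth0 are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    chain: str              # chain the packet traverses: INPUT or OUTPUT
    iface: str = "eth0"     # interface (constructed name)
    proto: str = "tcp"
    sport: int = 0          # source port
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str                     # -j ACCEPT or -j DROP
    iface: Optional[str] = None     # -i
    proto: Optional[str] = None     # -p
    sport: Optional[int] = None     # --sport
    states: Tuple[str, ...] = ()    # -m state --state
    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (not self.states or p.state in self.states))

def verdict(chains: Dict[str, List[Rule]], policy: Dict[str, str], p: Packet) -> str:
    # First matching rule decides; only if nothing matches does the policy (-P) apply.
    for rule in chains.get(p.chain, []):
        if rule.matches(p):
            return rule.target
    return policy[p.chain]

INPUT_RULES = [                     # the page's INPUT rules, in script order
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
    Rule("ACCEPT", proto="tcp", sport=80),
    Rule("ACCEPT", proto="udp", sport=53),
    Rule("DROP"),
]
NO_OUTPUT_RULE = {"INPUT": INPUT_RULES, "OUTPUT": []}
WITH_OUTPUT_RULE = {"INPUT": INPUT_RULES, "OUTPUT": [Rule("ACCEPT")]}
POLICY_ACCEPT = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
POLICY_DROP = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}

def demo() -> Dict[str, str]:
    outbound = Packet("OUTPUT")          # constructed: a request leaving the machine
    inbound_new = Packet("INPUT")        # constructed: an unsolicited inbound connection
    return {
        "outbound, policy ACCEPT, no OUTPUT rule": verdict(NO_OUTPUT_RULE, POLICY_ACCEPT, outbound),
        "outbound, policy DROP, no OUTPUT rule": verdict(NO_OUTPUT_RULE, POLICY_DROP, outbound),
        "outbound, policy DROP, with OUTPUT rule": verdict(WITH_OUTPUT_RULE, POLICY_DROP, outbound),
        "inbound NEW, policy DROP": verdict(WITH_OUTPUT_RULE, POLICY_DROP, inbound_new),
    }
```

One practical point the model makes visible: the chain policy is part of what iptables-save writes out (the ":INPUT DROP [0:0]" header lines), so the saved file only carries the DROP policies if iptables-save is run after the three -P commands.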


© Copyright Guy Shipard 2008 - 2009