# setting up a firewall with iptables

## nickbrown

Hi, I'm hoping that someone will be able to help me configure my gentoo box as a firewall using iptables.

```
   eth0|-------|eth1     |------|
-------|   R   |---------|  PC  |
       |-------|         |------|
```

My network is setup as above.

R is my gentoo router, and PC is (surprise) my PC.

I currently have R configured to get an IP address using DHCP from my ISP over eth0. It also updates a dyndns entry with this.

I also have it configured to do masquerading for my PC. It runs a DHCP server to allocate my PC an address in the 192.168.1.2 - 192.168.1.10 range.

eth1 on the router is obviously configured with the address 192.168.1.1.

It runs a caching DNS server (on eth1 only) that my PC uses.

It also runs a webserver hosting my website. Finally, it is running an ssh server.

This all runs smoothly. The PC is masqueraded just fine etc, and people can access my web site, and I ssh into the router.

However I have no firewall setup.

```
[root]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

The masquerading is the only rule I have. Can anyone suggest some rules that will work with my setup described above (i.e. will permit the DHCP, DNS, webserver etc.) but will tighten up my security? If you provide a list of iptables commands, can you provide comments explaining what they do?

Any help is much appreciated, thanks.

----------

## slartibartfasz

you can try this:

```
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

This will block all incoming traffic unless it was initiated from inside (of course you have to set the default policy of the chain to DROP: 'iptables -P INPUT DROP').

----------

## nickbrown

```
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

Does not seem sufficient and is too restrictive.

People will not be able to connect to my website (or me ssh in) and the PC will not be able to do anything (get a DHCP address, use the DNS server on the router).

The above may be a start, but it breaks everything in my setup as is.

----------

## uzik

For security you should:

1. Disable all services on your linux box that you aren't using (time, talk, who, finger, pop, rauth, snmp, etc). If they're not being used nobody can exploit a vulnerability in them. Consider not even running inetd if you can. Nothing you mentioned needs it.

2. Use your firewall to block traffic that's not valid, i.e. only allow ssh from places YOU might be, only allow POP access to specific machines that need it, etc.

----------

## kopfarzt

You might want to take a look at fwbuilder (Gentoo package). It comes with a firewall "assistant" and gives thorough explanations for why things should be blocked. And it has a GUI, so it's easy to experiment.

It does not yet integrate into Gentoo's /etc/init.d scripts (search in bugs.gentoo.org, I filed a quick and dirty proposal for a start/stop script based on /etc/init.d/iptables).

kopfarzt

----------

## paranode

*nickbrown wrote:*

> ```
> iptables -t filter -P INPUT DROP
> ...
> ```

Well you need to reverse those two rules.  The default DROP policy should always be at the bottom.  This is a good basic starting point.  What you want to do from here is add a rule above the DROP policy for each service you want to allow.  This is building from a default-deny policy instead of a default-accept.
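A ruleset built on the default-deny approach just described, sized for the setup in the original question (eth0 to the ISP, eth1 to the PC on 192.168.1.0/24, DHCP and DNS served on eth1, web and ssh reachable from outside). This is an added example, not from any poster in the thread; the interface names and subnet come from the question, while the dry-run default (IPT) is an assumed convention of this script:

```shell
#!/bin/sh
# Default-deny ruleset for the router described in this thread (added example).
# Assumes: eth0 = ISP side (address via DHCP), eth1 = LAN side, router is
# 192.168.1.1 and serves DHCP + DNS to the LAN; web and ssh are reachable from
# outside. Prints the rules by default; run as root with IPT=iptables to apply.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
IPT=${IPT:-"echo iptables"}

rules() {
    $IPT -F
    $IPT -t nat -F
    # Nothing reaches or crosses the router unless a rule below allows it;
    # traffic the router itself originates is allowed out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, and replies to connections the router or the PC opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # LAN side: DHCP requests (client port 68 -> server port 67), DNS and ssh
    # from the PC's subnet only.
    $IPT -A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    # ISP side: the web site and ssh, plus lease offers from the ISP's DHCP
    # server (needed if the DHCP client does not receive via a raw socket).
    $IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
    # Let the box be pinged, rate-limited; ICMP errors arrive as RELATED.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Anti-spoofing: packets claiming a LAN source must not come in on eth0.
    $IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP
    # Forwarding: the PC may open connections outward; only replies come back.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade the LAN behind whatever address eth0 got from the ISP.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
    # Log (rate-limited) what is about to hit the INPUT DROP policy.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
}

rules
```

Review the printed rules first, then apply with `IPT=iptables sh fw.sh` and check the result with `iptables -L -v -n` and `iptables -t nat -L -n`.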

----------

## DefconAlpha

Here is a sample RedHat firewall script that I made a long time ago... It splits up the protocols so it is easier (I think) to add new services later. This allows for dns lookups, smtp, ssh, and ident requests (plus just enough icmp to allow you to ping the machine... take out the 0 icmp rule and no one can ping you :) ) to come into the machine, and anything from the machine can leave. If you are going to be in an enterprise environment, you will want to limit the outbound traffic as well (basically use all of the same rules, just applied to the OUTPUT chain rather than the INPUT chain).

```
#!/bin/sh
# chkconfig: 2345 20 80
# description: All your base are belong to us.

LAN_IP_RANGE="207.65.182.2/24"     # not referenced below
LAN_IP="207.65.182.170/32"         # this host's own address
LOCALHOST_IP="127.0.0.1/32"
LAN_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"

# start from an empty filter table; --delete-chain removes the user chains
# from a previous run so the -N commands below do not fail on re-run
$IPTABLES --flush
$IPTABLES --delete-chain
echo "iptables: flushed"

# default-deny on every chain: anything not matched below is dropped
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ... denied!
echo "chains: dropping"

# one user-defined chain per protocol, so new services go in one place
$IPTABLES -N tcpchain
$IPTABLES -N udpchain
$IPTABLES -N icmpchain
echo "user chains: created"

# TCP: replies to connections this host opened, then new connections (SYN)
# to smtp (25), ssh (22) and ident (113); all other TCP is dropped
$IPTABLES -A tcpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcpchain -p TCP -s 0/0 --dport 25 --syn -j ACCEPT
$IPTABLES -A tcpchain -p TCP -s 0/0 --dport 22 --syn -j ACCEPT
$IPTABLES -A tcpchain -p TCP -s 0/0 --dport 113 --syn -j ACCEPT
$IPTABLES -A tcpchain -p TCP -s 0/0 -j DROP
echo "tcp: filtered"

# ICMP: type 0 echo-reply (answers to this host's own pings), 3 destination
# unreachable, 5 redirect, 11 time exceeded; all other ICMP is dropped
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -j DROP
echo "icmp: filtered"

# UDP: only packets with source port 53, i.e. answers from DNS servers.
# This matches on the source port alone, so any UDP sent from port 53 is
# accepted; a state match (ESTABLISHED) on UDP would be tighter.
$IPTABLES -A udpchain -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpchain -p UDP -j DROP
echo "udp: filtered"

# loopback must be allowed in, or local services talking to 127.0.0.1 break
$IPTABLES -A INPUT -i lo -j ACCEPT
# hand inbound traffic on the LAN interface to the per-protocol chains
$IPTABLES -A INPUT -p TCP -i $LAN_IFACE -j tcpchain
$IPTABLES -A INPUT -p ICMP -i $LAN_IFACE -j icmpchain
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE -j udpchain
echo "protocols: jumping"

# outbound: anything sourced from loopback or this host's own address may leave
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
echo "outbound: filtered"
```

Hope it helps... this should give you a jump start at least on making your own.

----------

## mpalladi

The book Securing and Optimising Linux

http://www.openna.com

has a great section on appropriate rules for a number of scenarios.

It helped me a lot, although in the end I used shorewall. Very easy.

----------

