# How's my iptables setting? [SOLVED]

## Despot Despondency

Hi, I'm trying to set up iptables for the first time and need some advice. At the moment I'm just setting up a basic firewall and I'll add to it later.

I followed the howto https://forums.gentoo.org/viewtopic-t-289163-highlight-iptables+howto.html

where the policies are set to 

```
#!/bin/sh

# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth0"

# Flush current rules
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F

# Delete custom chains
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
```

Now when I run iptables -L I get 

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

My first question is about the line 

```
ACCEPT     all  --  anywhere             anywhere
```

From what I can fathom this line says that all traffic is allowed. Is this right?

----------

## papahuhn

That's because of "$IPTABLES -A INPUT -i lo -j ACCEPT". Type "iptables -L -v" and you'll see the interface.

----------

## Despot Despondency

Thanks for the response.

iptables -L -v gives

```
Chain INPUT (policy DROP 70 packets, 16874 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
 372K  199M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 359K packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

OK, so the interface for this line is lo. Stupid question, what interface is the lo interface? I assume it's trustworthy.

----------

## papahuhn

That's the loopback interface. Packets going into this interface will come out from the interface. This is useful for communication between applications on the same machine.

----------
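The confusion above comes from plain `iptables -L` hiding the interface match. The following is an added example, not code from the thread: a small audit helper that reads an `iptables -L INPUT -v` listing (with or without `-n`) and flags ACCEPT rules that really are wide open, while recognising the `-i lo` rule as loopback-only. It also includes a preflight check for the `limit` match discussed later in the thread; that check assumes a kernel exposing `/proc/net/ip_tables_matches` and the module name `xt_limit`. The sample listing is constructed from the thread's output plus one hypothetical wide-open rule.

```shell
#!/bin/sh
# Added example (not from the thread). Live use: iptables -L INPUT -v | audit_input

# Listing constructed from the thread's "iptables -L -v" output, plus one
# hypothetical wide-open rule (last line) to show what gets flagged.
SAMPLE_LISTING='Chain INPUT (policy DROP 70 packets, 16874 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
 372K  199M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere'

# Read a -v listing on stdin and print one verdict per rule. Columns are:
# pkts bytes target prot opt in out source destination [match conditions]
audit_input() {
    awk '
        $1 == "Chain" || $1 == "pkts" { next }            # header lines
        {
            wild_if  = ($6 == "any" || $6 == "*")          # "-v" vs "-v -n" spelling
            wild_src = ($8 == "anywhere" || $8 == "0.0.0.0/0")
            matches = ""
            for (i = 10; i <= NF; i++) matches = matches " " $i
            if ($3 == "ACCEPT" && $4 == "all" && wild_if && wild_src && NF <= 9)
                print "WIDE-OPEN: ACCEPT all from any interface, no match conditions"
            else if ($3 == "ACCEPT" && $6 == "lo")
                print "OK: loopback-only (plain iptables -L hides the -i lo)"
            else
                print "OK: " $3 " " $4 " in=" $6 matches
        }'
}

# Number of wide-open rules in a listing passed on stdin (0 means none).
count_wide_open() {
    audit_input | grep -c '^WIDE-OPEN' || true
}

# Preflight for "No chain/target/match by that name": the kernel lists the
# match extensions it has registered in /proc/net/ip_tables_matches.
# Assumption: the match "$1" lives in kernel module xt_$1 (limit -> xt_limit).
have_match() {
    modprobe "xt_$1" 2>/dev/null || true
    grep -qx "$1" /proc/net/ip_tables_matches 2>/dev/null
}

printf '%s\n' "$SAMPLE_LISTING" | audit_input
```

Run `have_match limit || echo "limit match not available"` before loading a script that uses `-m limit`; it fails cleanly instead of leaving the chain half-built.

----------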

## d2_racing

Your INPUT statements are OK; by default everything is blocked except established and related.

And you don't bother with the OUTPUT statements, so it's pretty good for a single laptop.

----------

## d2_racing

For the ICMP protocol, yours seems to be a little bit paranoid  :Razz: 

Maybe you could at least use this:

```
$IPT -A INPUT -p ICMP -m limit --limit 1/s -j ACCEPT
```

With that, you accept every ICMP response but you protect yourself from ping floods and other attacks on the ICMP protocol.

----------

## d2_racing

I use that kind of firewall on my laptop:

http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur

http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur_mode_parano

And for the record, if you want your box to act like a router, then you will need to code your forward statement.

----------

## Despot Despondency

Hi, thanks for all the responses.

*Quote:*

> That's the loopback interface. Packets going into this interface will come out from the interface. This is useful for communication between applications on the same machine.

OK, that's good to know.

*Quote:*

> For the ICMP protocol, yours seems to be a little bit paranoid
>
> Maybe you could at least use this:
>
> Code:
> ...

I deleted the previous ICMP protocol and replaced it with your suggestion, but now when I run the script I get 

```
iptables: No chain/target/match by that name.
```

Any ideas?

This is all for a standalone desktop at home. As such, do I need to bother with stuff like trying to catch portscanners, as in the example from http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12?

----------

## d2_racing

Try this one:

```
$IPTABLES -A INPUT -p ICMP -m limit --limit 1/s -j ACCEPT
```

Are you sure that you have the limit module from the netfilter options inside your kernel?

----------

## Despot Despondency

OK, turns out the limit module from netfilter wasn't in the kernel. I've built it in now and the new ICMP rule works fine. Thanks.

What about the extra rules, like trying to catch portscanners? Is it worth my while?

Out of interest how much of the gentoo security handbook do you follow?

----------

## d2_racing

*Despot Despondency wrote:*

> Out of interest how much of the gentoo security handbook do you follow?

None, I asked Robbat2 for help  :Razz: 

----------

## papahuhn

I'm not sure you really need that whole bunch of rules.

If you want to provide a web service, the port needs to be accessible. If not, the service should not run anyway (on eth0), so the port will be closed and there is no need for filtering. Limiting icmp echo replies might be useful for asymmetric connections like ADSL, where replying to all requests will load the upstream. However, a real attacker will probably have more upstream available than you have downstream, so filtering won't help anyway.

And by the way, icmp can be generally ratelimited via sysctl's icmp_ratemask option as well.

Filtering is getting reasonable if you have different policies for different hosts. Then you can say, host1 may access the MySQL database and network2 may connect via ssh, the rest is rejected. A special case is denyhosts for blocking people who try to bruteforce ssh accounts or similar.

----------

## Hu

Although not necessary, filtering traffic on ports you expect to be unused has two minor advantages.  It avoids sending even a rejection to anyone probing your system, and it ensures that any service which you may start on that port later will not become accessible to the outside world without specific action to open the firewall.  This is especially important if you might run any processes which bind to the wildcard address.

----------

## Despot Despondency

Thanks for all the replies. 

It's a shame there doesn't appear to be a thread discussing people's network settings, as it's very interesting.

Thanks for all the help.

----------

## d2_racing

No problem  :Razz: 

----------

