# Help securing an iptables firewall

## Dralnu

I'm looking to setup an iptables firewall right now, and I am looking for some input on my current rules.

This setup is done in a virtual machine, and will be moved to my desktop once I feel good about it.

```
# Generated by iptables-save v1.4.0 on Thu Dec 4 16:53:24 2008
*filter
# Default policies: drop unsolicited inbound traffic, allow forwarding and outbound
:INPUT DROP [8:1364]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2168]
# Only accept inbound packets that belong to a connection this host started
[15:9314] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Dec 4 16:53:24 2008
```

All I want to access is: my email, the web, IRC, torrent, and be able to use IMs.

----------

## Hu

That should be sufficient for e-mail, HTTP, and basic IRC.  You may not be able to act as a DCC host on IRC.  Torrents will probably work poorly, if at all, since you will not be allowing any incoming connections.  Thus, your client can leach from peers, but cannot host.  IM may or may not work, depending on the individual clients.  Some like to establish direct peer-to-peer connections, which will fail if the other side initiates.  If it is routed through a central server, or if your client falls back to initiating an outbound connection, then it should work.

----------

## Dralnu

Alright. I'm going to look into what ports I may need.

Is it possible to have iptables close a port when a program isn't running, and open them when it is?

----------

## aidanjt

Not really.. Because that'd pretty much defeat the point of using a firewall.  The next best thing is UPnP, that'll let you punch a hole through a NAT gateway as-needed.

Another thing that might be of interest to you is shorewall.  It's much more agreeable for setting up netfilter than mucking around with iptables.

----------

## Sadako

A couple of other rules which should probably be added to the top of your INPUT chain, in the following order;

```
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
```

The first allows all traffic on localhost/loopback, which you'll want so programs on your client may communicate with each other via tcp or udp, and the second drops invalid packets, which AFAICT means tcp packets with invalid combinations of tcp flags.

Another nice little one is "iptables -A OUTPUT -o eth0 -p icmp -m state --state ! NEW -j DROP", which (as long as you only accept established or related pings on INPUT) will mean you can ping other boxes and get replies, but others won't be able to ping you.
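As an added example (not code from anyone in this thread), the following script parses the iptables-save format of the dump posted above and checks it against the ordering advice in this post: the built-in chain names must be upper-case and the policy lines well-formed (the posted dump had `:Forward` and a missing `]`, which iptables-restore rejects), INPUT must default to DROP, loopback must be accepted first, and INVALID must be dropped before RELATED,ESTABLISHED is accepted. The `SAMPLE` ruleset is constructed for the example.

```python
import re

# Constructed sample: the ruleset posted above with Sadako's two rules on top
# and its syntax errors fixed (closing bracket, upper-case FORWARD).
SAMPLE = """*filter
:INPUT DROP [8:1364]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2168]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
[15:9314] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[(\d+):(\d+)\]$")

def parse_ruleset(text):
    """Parse iptables-save text into (policies, rules); malformed lines raise ValueError."""
    policies, rules = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {n}: malformed chain line {line!r}")
            if m[1].upper() in {"INPUT", "FORWARD", "OUTPUT"} and m[1] != m[1].upper():
                raise ValueError(f"line {n}: built-in chain must be upper-case: {m[1]}")
            policies[m[1]] = m[2]
        else:
            rule = re.sub(r"^\[\d+:\d+\] ", "", line)  # drop optional packet:byte counters
            if not rule.startswith("-A "):
                raise ValueError(f"line {n}: unexpected line {line!r}")
            rules.append(rule)
    return policies, rules

def lint_input_chain(text):
    """Return findings where INPUT deviates from the rule order recommended in this thread."""
    policies, rules = parse_ruleset(text)
    inp = [r for r in rules if r.startswith("-A INPUT ")]
    pos = lambda frag: next((i for i, r in enumerate(inp) if frag in r), None)
    lo, inv, est = pos("-i lo -j ACCEPT"), pos("--state INVALID -j DROP"), pos("RELATED,ESTABLISHED -j ACCEPT")
    checks = [
        (policies.get("INPUT") == "DROP", "INPUT policy is not DROP"),
        (lo == 0, "loopback ACCEPT is not the first INPUT rule"),
        (inv is not None and est is not None, "missing INVALID drop or RELATED,ESTABLISHED accept"),
        (None in (inv, est) or inv < est, "INVALID drop should precede the RELATED,ESTABLISHED accept"),
    ]
    return [msg for ok, msg in checks if not ok]
```

An empty result from `lint_input_chain` means the INPUT chain matches the order given above; feed it the output of `iptables-save` on the target box before loading a new ruleset.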

----------

## Dralnu

*AidanJT wrote:*

> Not really.. Because that'd pretty much defeat the point of using a firewall.  The next best thing is UPnP, that'll let you punch a hole through a NAT gateway as-needed.

Translate that into layman's terms, please?

*Quote:*

> Another thing that might be of interest to you is shorewall.  It's much more agreeable for setting up netfilter than mucking around with iptables.

I had forgotten about shorewall, actually. I'll look into it.

----------

## Hu

*Dralnu wrote:*

> *AidanJT wrote:* Not really.. Because that'd pretty much defeat the point of using a firewall.  The next best thing is UPnP, that'll let you punch a hole through a NAT gateway as-needed.
>
> Translate that into layman's terms, please?

The firewall serves two purposes.  Opinions differ about which is more important.  One purpose is to cause traffic to a filtered port to receive no answer.  This interferes with systems that are probing to see what services you offer, but is not a substantial hindrance to advanced scanners, which can parallelize their work to mitigate the delay.  The second purpose is to prevent your system from serving requests from systems you have deemed "bad."  Configuring a port to be stealthed when nothing is running on it and open otherwise defeats purpose #2, since it allows the listening process to serve requests from "bad" systems.

The definition of what constitutes a "bad" system varies widely, and is dependent on your threat model.  A desktop may want to consider all systems on the Internet as "bad."  A server does not have this luxury, since then it would serve no one.

----------

