# firewall suggestions

## Dale__

my computer is behind a cable router

I want a software firewall too

I used to be able to create a rules based firewall on Windows

I know what a protocol and port is

I want to drop or reject incoming requests, I don't know the difference between drop and reject, I don't think I need incoming requests, ... do I?

I only want outgoing connections for protocols/ports for applications I use, preferably specifying application too

----------

## ct85711

Well, I can't really help you on making the firewall, but what I do know is that you would want to use DROP instead of REJECT.  This causes packets to be silently dropped with no response sent back, while a reject sends a response back that the packet was not accepted.

Secondly, you need to accept some incoming packets. TCP in general works in a back and forth communication.  So if you don't accept any incoming packets, how does your computer know your packet was received?  The key is to set up your firewall in that it allows incoming communications on channels/ports your computer opened first.

If you know the rules you used on Windows, you can tell us what they were and someone, more knowledgeable than I, will be able to help you convert them to use on linux (including improving the rules too).

----------

## charles17

 *Dale__ wrote:*   

> I want to drop or reject incoming requests, I don't know the difference between drop and reject, I don't think I need incoming requests, ... do I?

 

See https://wiki.gentoo.org/wiki/Iptables#Client and https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules_for_client

----------

## el muchacho

 *Dale__ wrote:*   

> my computer is behind a cable router
> 
> I want a software firewall too
> 
> I used to be able to create a rules based firewall on Windows
> ...

 

For a home firewall like this, iptables is perfect, you just need a few lines.

1- set the default for INPUT and FORWARD to DROP

2- accept INPUT that are connections you initiated 

3- accept loopback

4- set the default for OUTPUT to ALLOW

5- maybe you can drop OUTPUT for some users, say you run some applications with their own account and you don't want internet access for those; iptables can filter packets based on their owner with

```
-m owner --uid-owner <user>
```

You'll find the corresponding command lines in many tutorials online.

----------

## mv

The general recommendation to DROP instead of REJECT is not good, since it violates standard and can cause other computers to re-send their messages: Hence, you are unnecessarily producing more traffic.

Of course, there are some stupid programs (usually from MS machines or spammers) which ignore even REJECTS, so you should REJECT in a rate-limited way.

To do all this properly and safely requires that you read a little bit. You might want to have a look at e.g. firewall-mv (from the mv overlay), which is made for such simple cases (and allows simply adding extensions for not too complex cases).

----------

## pietinger

 *mv wrote:*   

> The general recommendation to DROP instead of REJECT is not good, since it violates standard and can cause other computers to re-send their messages: Hence, you are unnecessarily producing more traffic.

 

You are right, if you speak of a server. But nobody has to ping my private PC, nor has to scan which ports are open. The recommendation for a private PC is DROP and it's the right choice.

----------

## mv

 *pietinger wrote:*   

> You are right, if you speak from a server.

 

No, this holds always. It is not visible from the outside whether you are a server or not.

 *Quote:*   

> But nobody has to ping my private PC, nor has to scan which ports are open.

 

Exactly. And just for this reason you send the requesting machine a REJECT so that it knows that you are not a server and the connection is pointless. Then a (sane) connecting machine will not retry. For the case that it is not sane and retries (or just systematically scans your ports), you will change to DROP.

Be aware that not everybody who connects to your machine does this in a malevolent intention: For instance, if you have a dynamic IP, just a few seconds/minutes/hours ago there might have been a server under your IP. You must tell these people that this server is no longer there and not pretend connection problems...

----------

## szatox

 *Quote:*   

> Be aware that not everybody who connects to your machine does this in a malevolent intention

No, but those who knock on the door by mistake seem to be relatively uncommon. If someone has just changed his IP and you inherited it, there is a good chance his peers' connections are already timing out anyway. And it's not something that happens very often (once a day in the case of most modem connections and never with the rest?), while scanners are testing the whole network all the time, so I don't see a reason to tell them I don't want to talk to them.

If you really want to send a response, perhaps it would be smarter to pretend to be a router and go for "destination host unreachable" instead.

Last edited by szatox on Wed May 06, 2015 8:49 pm; edited 1 time in total

----------

## Dale__

I will look for a tutorial for iptables using these suggestions

what I used to do before was to allow my outgoing requests, then block all other traffic

I would like ping, I don't know what loopback is or why I would need it, I have DHCP

I do not have a server, I just want secure POP, SMTP, NNTP, HTTP

from what I recall all connections allowed do not need two way conversation?

I would also like secure IRC using konversation but the servers I am using, irc.frrenode.net, irc.gimp.org don't seem to like the secure IRC settings, so I might need regular ports

I also would like to use amarok internet music

how do I go about logging with iptables?

I am sure I don't want any rules or logs at the packet level?

----------

## ct85711

You can say that loopback can be considered safe.  Loopback is, as the name sounds, a straight loop back: nothing is ever transmitted to the network through it, nor can anything from the network communicate with that address.  That address is the exact same on every device, and is strictly local machine only.  There are several services that depend on the loopback to work properly.

----------

## Dale__

https://forums.gentoo.org/viewtopic-p-7578926.html

the link above has a good example to start with

```
iptables -P INPUT DROP          # default policy: drop unsolicited incoming packets
iptables -P FORWARD DROP        # this machine does not route for others
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections this host opened
/etc/init.d/iptables save       # persist the current ruleset
rc-config add iptables          # start the iptables service at boot
```

this is ipv4

how does ipv6 differ and how do I know if I need ipv6?

would anyone be willing to show me an example of how I can narrow down input to the protocols/ports I want? I will have to look some of them up, so I just need one example to start with.

----------

## Dale__

also would like to log drops, the others would be too cumbersome maybe, any suggestions?

----------

## charles17

 *Dale__ wrote:*   

> this is ipv4
> 
> how does ipv6 differ and how do I know if I need ipv6?

 

Search for ipv6 in the above mentioned wiki article.

----------

## pietinger

 *Dale__ wrote:*   

> also would like to log drops, the others would be too cumbersome maybe, any suggestions?

 

logging is simple:

```
iptables -A INPUT -j LOG --log-prefix "my text: "
```

 *Dale__ wrote:*   

> would anyone be willing to show me an example of how I can narrow down input to the protocols/ports I want? I will have to look some of them up, so I just need one example to start with.

 

I wrote a bash script for my initial firewall build. In the first part you can see I have some Windows PCs in my local network ... Do not worry about the DROP of outgoing packets. You will see the reason in the last part.

```
#!/bin/sh
#
# initial version for sun

# define general
logit="-j LOG --log-prefix"

# define addresses
ip_gw="192.168.2.1"             # DSL router
ip_dns1="213.73.91.35"          # free DNS server (CCC)
ip_dns2="85.214.20.141"         # free DNS server (FoeBuD)
ip_ntp="192.53.103.108"         # time server: ptbtime1.ptb.de
ip_hal="192.168.2.3"            # notebook HAL

# flush all rules, delete user-defined chains, zero the counters
iptables -F
iptables -X
iptables -Z

# default policies: drop everything that no rule below accepts
iptables -P INPUT   DROP
iptables -P OUTPUT   DROP
iptables -P FORWARD   DROP

# traffic belonging to connections this host opened, and loopback
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -i lo -j ACCEPT
iptables -A OUTPUT   -o lo -j ACCEPT

### Firewall In ###
# accept some ICMP (3 = destination unreachable, 11 = time exceeded, 12 = parameter problem)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT

# accept and log ssh from notebook hal
iptables -A INPUT   -s ${ip_hal} -p tcp --dport 22 ${logit} "ACCEPT SSH IN "
iptables -A INPUT   -s ${ip_hal} -p tcp --dport 22 -j ACCEPT

# drop some windows and ICMP stuff without logging
iptables -A INPUT   -p udp --dport 137 -j DROP   # netbios-ns
iptables -A INPUT   -p udp --dport 138 -j DROP   # netbios-dgm
iptables -A INPUT   -p udp --dport 67 -j DROP    # DHCP server port
iptables -A INPUT   -p udp --dport 68 -j DROP    # DHCP client port
iptables -A INPUT   -p 2 -j DROP                 # IGMP

# log all other (LOG is non-terminal; the INPUT policy then drops the packet)
iptables -A INPUT   ${logit} "DROP !!! "
```

I don't allow all outgoing traffic. I surf the Internet through a proxy server (privoxy). At the end I REJECT all other outgoing traffic:

```
### Firewall Out ###
# accept dns
iptables -A OUTPUT   -d ${ip_dns1} -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT   -d ${ip_dns2} -p udp --dport 53 -j ACCEPT

# accept all http / http-alt / https from privoxy (runs as uid 104)
iptables -A OUTPUT   -p tcp --dport 80 -m owner --uid-owner 104 -j ACCEPT
iptables -A OUTPUT   -p tcp --dport 8080 -m owner --uid-owner 104 -j ACCEPT
iptables -A OUTPUT   -p tcp --dport 443 -m owner --uid-owner 104 -j ACCEPT
iptables -A OUTPUT   -p tcp --dport 8085 -m owner --uid-owner 104 -j ACCEPT

# accept mail (submission 587, smtps 465, pop3s 995) to the provider's networks only
iptables -A OUTPUT   -d 213.165.67.0/24 -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT   -d 212.227.17.161 -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT   -d 212.227.17.177 -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT   -d 194.25.134.0/24 -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT   -d 194.25.134.0/24 -p tcp --dport 995 -j ACCEPT

# accept ntp to time-server
iptables -A OUTPUT   -d ${ip_ntp} -p udp --dport 123 -j ACCEPT

# accept pings (echo request, type 8 code 0)
iptables -A OUTPUT   -p icmp --icmp-type 8/0 -j ACCEPT

# accept whois
iptables -A OUTPUT   -p tcp --dport 43 -j ACCEPT

# accept and log ssh
iptables -A OUTPUT   -p tcp --dport 22 ${logit} "ACCEPT SSH "
iptables -A OUTPUT   -p tcp --dport 22 -j ACCEPT

# accept and log traceroute (UDP probe port range)
iptables -A OUTPUT   -p udp --dport 33434:33524 ${logit} "ACCEPT TRCR "
iptables -A OUTPUT   -p udp --dport 33434:33524 -j ACCEPT

# .... ....

# reject and log all other
iptables -A OUTPUT   ${logit} "REJECT !!! "
iptables -A OUTPUT   -j REJECT
```

I hope it helps you.

Edit: P.S.: "!!!" is my search key in the log ...

----------

## Dale__

Thanks, I'll have to study the script

one question, does a log come after or before a drop?

----------

## Hu

LOG is a non-terminal target.  DROP is a terminal target.

----------

## mv

 *szatox wrote:*   

> no, but those who knock on the door by mistake seem to be relatively uncommon.

 

My experience is different: Especially with torrent & co., user's machines quite often act as a server and thus are requested.

It doesn't hurt to send a proper REJECT to politely asking machines.

As mentioned, I would not recommend to do this without a rate limit, but with a rate limit (more precisely, a hash limit on a per-host basis), it usually decreases the traffic compared to DROP.

Moreover, you do not shoot yourself in the foot when troubleshooting your network.

I recommend once more to take a look at the firewall-mv script (or at least at the rules it generates). It has some more rate-limits, by default, e.g. for echo-reply and echo-request ICMP.

Moreover, by default, the script builds all rules with one command, thus avoiding possible races for successive "iptables -A"...
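As an added example (not code from any poster in this thread) that pulls the thread's advice together: el muchacho's five steps with the owner match, pietinger's LOG-before-terminal-target pattern, Hu's point that LOG is non-terminal, and mv's two points about a per-host rate-limited REJECT and loading every rule in one command. The account name, the log prefixes and the rate-limit values are assumptions.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: build a client
# ruleset in iptables-restore format so the whole table loads in ONE
# command (no half-applied state between successive "iptables -A" calls).
# Hypothetical assumption: "$1" is the local account to keep off the
# network (el muchacho's owner match); default is "sandbox".
gen_client_rules() {
    nonet_user="${1:-sandbox}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POLITE - [0:0]
:REJECTLOG - [0:0]
# loopback never leaves the machine; local services depend on it
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# let the box answer ping, but not unboundedly
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# everything else goes through the rate-limited REJECT, then DROP
-A INPUT -j POLITE
# per-source hashlimit: the first few unsolicited packets per host get a
# REJECT; a scanner that keeps hammering is silently dropped afterwards
-A POLITE -m hashlimit --hashlimit-name polite --hashlimit-mode srcip --hashlimit-upto 3/minute --hashlimit-burst 5 -j REJECTLOG
-A POLITE -j DROP
# LOG is non-terminal, so it must come BEFORE the terminal REJECT/DROP
-A REJECTLOG -j LOG --log-prefix "REJECT !!! "
-A REJECTLOG -j REJECT
# outbound: open by default, except for the sandboxed account
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${nonet_user} -j LOG --log-prefix "NONET !!! "
-A OUTPUT -m owner --uid-owner ${nonet_user} -j REJECT
COMMIT
EOF
}

# Count the rules that would be loaded; a quick sanity check before applying.
rule_count() { gen_client_rules "$@" | grep -c '^-A'; }

# To apply (as root): gen_client_rules sandbox | iptables-restore
```

The same file format loads with ip6tables-restore, but IPv6 needs its own file because the ICMPv6 rules differ.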

----------

## Dale__

just in case, how do I delete the rules in iptables and ip6tables?

----------

## charles17

 *Dale__ wrote:*   

> just in case, how do I delete the rules in iptables and ip6tables?

 

See man 8 iptables and search for --flush, --delete-chain and --zero

----------

