# [IpTables] Improving my rules (solved)

## Occasus

Hello.

First, I'm a total noob to iptables, so if you see some horrible rules, please don't be shocked.

This is my config file:

```
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"

# Flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Drop policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections:
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ping (outgoing echo-request only; incoming echo-requests still hit
# the INPUT DROP policy)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Allow http/https
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Allow NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

# Allow rsync/git
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 9418 -j ACCEPT

# Allow IRC
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT

# Allow etpro
iptables -A OUTPUT -p udp --dport 27900:27999 -j ACCEPT

# Allow Warsow
iptables -A OUTPUT -p udp --dport 44400 -j ACCEPT

# Allow whois
iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT

# Allow aMule
# INPUT lines are the local listening ports. The OUTPUT lines only match
# peers that listen on the default ports; a peer on any other port is
# still caught by the OUTPUT DROP policy.
iptables -A OUTPUT -p tcp --dport 4661 -j ACCEPT
iptables -A INPUT  -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT  -p udp --dport 4665 -j ACCEPT
iptables -A INPUT  -p udp --dport 4672 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 4662 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4665 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4672 -j ACCEPT

# Allow torrents (same caveat as aMule for the OUTPUT lines)
iptables -A INPUT  -p tcp --dport 6890:6999 -j ACCEPT
iptables -A INPUT  -p udp --dport 6890:6999 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6890:6999 -j ACCEPT
iptables -A OUTPUT -p udp --dport 6890:6999 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6969      -j ACCEPT
iptables -A OUTPUT -p udp --dport 6969      -j ACCEPT

# Allow Sopcast
#iptables -A OUTPUT -p tcp --dport 8800 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 8800 -j ACCEPT
#iptables -A INPUT  -p tcp --dport 8800 -j ACCEPT
#iptables -A INPUT  -p udp --dport 8800 -j ACCEPT

# Allow streaming
iptables -A OUTPUT -p tcp --dport 1755 -j ACCEPT

# Block wankers
# In OUTPUT our own packets leave with our address as the source, so
# "-s <remote>" never matches there; match on the destination (-d) instead.
# Note these rules sit after the ESTABLISHED,RELATED accepts, so a
# connection that is already open to this host is not cut.
iptables -A INPUT  -s 86.67.193.178 -j DROP
iptables -A OUTPUT -d 86.67.193.178 -j DROP
```

The section below aMule is really horrible. Even though I've left those ports open, I am still having trouble with torrents, aMule and Sopcast. A lot of peers get blocked by my firewall rules.

And I'd really like to have some kind of logging. I tried adding some rules, but they don't work.

----------

## frostschutz

Blocking icmp is not something you should do unless you know really well what you are doing. Just add a logging rule at the end of each chain to see what will be dropped by your default policy. I suggest you scrap that idea altogether and just live without a default drop policy firewall. If you're going to have tons of open ports and even port ranges all of this is pretty much useless anyway.

----------

## jagomai

DISCLAIMER: I don't know anything.

Having the default drop policy is fine, I think, but to make things simpler you could:

```
# Let everything this box originates leave via eth0, then log and drop the rest
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT - DROPPED - : "
-A OUTPUT -j DROP
```


Actually, some packets are dropped by OUTPUT anyway, for some reason.

If you don't do this, things get annoying. You have to specify ports for every application you use (as you have done).

And can you, for example, edit a torrent program's output ports? Are these the same as the "listening ports"? Are they the same for all programs? What about various IM clients and file transfers within the various IM protocols?

What about certain Java-applets within Firefox that require their own output ports? (some chess sites use this)

It's much easier to let everything that originates from your box go through, and just open up ports for new connections from the outside for the various services you use (listening ports for torrent app, ssh, IM file transfer, etc.).

Besides, if something you don't know about is sending information out from your box of its own volition, well then I think you've already screwed up big time.
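The two suggestions in this thread, a logging rule at the end of each chain so the default policy's drops show up in the kernel log (frostschutz) and letting everything the box originates out while only opening listening ports for new inbound connections (jagomai), fit together in one ruleset. The script below is an added example written for this page, not code from any of the posters or from Gentoo. It prints an `iptables-restore` file rather than running `iptables` commands one by one, so the whole ruleset loads atomically and can be inspected before it is applied. The interface name `eth0`, the aMule/torrent listening ports and the blocked host are assumed from the first post and can be overridden with environment variables; the `LOGDROP` chain name is my own choice.

```sh
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that keeps INPUT default-drop, lets locally originated traffic out on the
# WAN interface, and logs (rate-limited) whatever the default policy drops.
# Assumed values, taken from the first post; override via the environment.
WAN_IF="${WAN_IF:-eth0}"
TCP_LISTEN="${TCP_LISTEN:-4662 6890:6999}"        # aMule TCP, torrent range
UDP_LISTEN="${UDP_LISTEN:-4665 4672 6890:6999}"   # aMule UDP, torrent range
BLOCK_HOSTS="${BLOCK_HOSTS:-86.67.193.178}"

gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        ':LOGDROP - [0:0]'

    # One logging chain, used as the last rule of every built-in chain, so
    # dmesg/syslog shows exactly what the policy drops. The limit match keeps
    # a port scan or flood from filling the log.
    printf '%s\n' \
        '-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT DROP: " --log-level 4' \
        '-A LOGDROP -j DROP'

    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'

    # Blocked hosts go BEFORE the ESTABLISHED rule, otherwise a connection
    # that was already open when the rules loaded keeps flowing. OUTPUT
    # matches on the destination: our own packets leave with our address
    # as source, so "-s <remote>" would never match there.
    for h in $BLOCK_HOSTS; do
        printf '%s\n' "-A INPUT -s $h -j LOGDROP" "-A OUTPUT -d $h -j LOGDROP"
    done

    printf '%s\n' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT'

    # Only NEW inbound connections need explicit holes; replies to our own
    # connections are already covered by the ESTABLISHED,RELATED rule.
    for p in $TCP_LISTEN; do
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -j ACCEPT"
    done
    for p in $UDP_LISTEN; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done

    # Everything this box originates may leave on the WAN interface. This is
    # what lets aMule/torrent clients reach peers on arbitrary ports, which a
    # fixed --dport list in OUTPUT cannot express. The catch-all LOGDROP at
    # the end of each chain is what makes the default policy visible.
    printf '%s\n' \
        "-A OUTPUT -o $WAN_IF -j ACCEPT" \
        '-A INPUT -j LOGDROP' \
        '-A FORWARD -j LOGDROP' \
        '-A OUTPUT -j LOGDROP' \
        'COMMIT'
}

# Number of rules in a chain of the generated set; a quick sanity check.
count_chain() {
    gen_rules | grep -c "^-A $1 "
}

case "${1:-}" in
    print) gen_rules ;;
    apply) gen_rules | iptables-restore ;;   # needs root
esac
```

Run `sh fw.sh print` to review the ruleset, `sh fw.sh apply` as root to load it, then `iptables -L -v -n` to watch the per-rule counters and `dmesg | grep 'IPT DROP'` to see what the catch-all is dropping while you exercise aMule or a torrent client. If a needed port shows up in the log, add it to `TCP_LISTEN`/`UDP_LISTEN` rather than loosening the policy.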

----------

## Occasus

jagomai, I've added your rules to my config.

I confess I turned the firewall off when it was blocking useful packets. But I guess a not so strict firewall is better than no firewall.

I reckon that if you don't know how networking works in detail, you'll never be able to properly configure iptables.

----------

## jagomai

Yeah. And, well, if you drop all new input connections (except those you need), you are pretty tightly sealed up.

I don't think you need to know everything about networking, just some of it. There's a descriptive iptables tutorial here, if you ever become interested.

----------

## mimosinnet

I have used this tutorial in the gentoo wiki to setup my firewall, and it is working quite well. I have added these lines:

```
# Accept aMule (listening ports for new inbound connections)
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -p udp --dport 4672 -j ACCEPT
```

To accept connections from Amule. 

Cheers!

----------

## jcat

The basic general rule of firewalling is _Block Everything_, then enable holes one at a time as they are needed. When you do open up holes in the firewall for a particular reason, always ask yourself if there is a way to tighten this rule slightly. Think about source and destination IPs and interfaces, etc., and always test! (using port scanners etc.)

Cheers,

jcat

----------

