The best guide for learning the basics of iptables is Linux 2.4 Stateful Firewall Design; for the most part it still applies to the 2.6 kernel. The only parts that won't apply to your Linux system are the emerge commands, if you aren't on Gentoo, and the kernel options, which have changed since 2.4 and even a couple of times during 2.6.
I'm not going to cover those here. If you need help building your kernel or installing iptables, I suggest that you consult either the iptables home page or, even better, your distribution. Chances are it is already installed, and may even be configured.
First, let's see if we have any rules.
The following commands require root access, and can be run in a root shell, with sudo, or in a shell script run by root:
iptables -L -v
Your output should look something like this if you have no rules:
Chain INPUT (policy ACCEPT 211 packets, 27413 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 312 packets, 211K bytes)
 pkts bytes target     prot opt in     out     source               destination
If it looks different, no worries; it just means that your distro has already installed rules.
If so, make sure to flush them before continuing. First check that your policies are set to ACCEPT (you can see that in caps above). The policies must be opened before the flush, because flushing under a DROP policy leaves nothing but the policy, which drops all traffic. If they are anything other than ACCEPT, run:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Now that your policies are clean, flush the rules:
iptables -F # flush all rules in the filter table
iptables -X # delete all user-defined chains (they must be empty, which the flush just ensured; the built-in chains cannot be deleted)
All right, now hopefully you are at a clean state. If you have ever used iptables for NAT you may not be, because -F and -X only touch the filter table (the nat table is separate and is selected with -t nat), but that is beyond the scope of this article.
Now we need to create rules. Since this is for normal desktop users, you shouldn't have any services listening, and you shouldn't be routing anything.
To disable routing with iptables (I'm ignoring the kernel setting, net.ipv4.ip_forward, for this):
iptables -P FORWARD DROP # any forwarded packet that reaches the end of the chain goes bye-bye
The OUTPUT chain is fine left on ACCEPT for the normal user; only a masochist would want to write rules for it. You generally should trust your outbound traffic.
Now to secure INPUT. The order matters: the accept rules go in first and the DROP policy is set last, so there is never a moment when the policy drops and nothing accepts.
iptables -A INPUT -m state --state INVALID -j DROP # drop packets that connection tracking cannot classify (bad state)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # accept packets that belong to, or are related to, connections we opened ourselves
iptables -A INPUT -i lo -j ACCEPT # accept anything on the loopback interface (this can be very important: many local programs talk to each other over 127.0.0.1)
iptables -P INPUT DROP # drop every packet that matches none of the rules above
Various Linux distros may require you to do something special to save these rules so that they survive a reboot (typically iptables-save writes the current ruleset to a file and iptables-restore loads it at boot, but where that file lives and what loads it is distro-specific). Consult your distribution's community.
If you have rules that you want to keep but also want to use mine, I suggest putting mine first: issue the rules in reverse order, but with -I (insert, which puts a rule at the top of the chain) instead of -A (append). Inserting them in reverse leaves them in the same relative order as above, ahead of everything that was already there.
When dealing with iptables, always take care when setting a DROP policy with iptables -P (on INPUT especially). You can lock yourself out of the machine, or off the internet, if you apply it without the appropriate accept rules already in place, which is why the policy is set last above.
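The whole procedure above (open policies, flush, accept rules, DROP policy last), the -I variant for a machine that already has rules, and a guard against locking yourself out, as one script. This is an added example, not code from the original post; the IPT variable, the function names and the lockout-guard pattern are my own assumptions. IPT defaults to the real iptables binary, so running it with IPT=echo prints the commands instead of executing them and needs no root, and IPT=ip6tables applies the same ruleset to IPv6, which iptables never touches.

```shell
#!/bin/sh
# Added example (not code from the original post): the tutorial's desktop
# ruleset as a script, applied in the order the text recommends:
# open policies -> flush -> accept rules -> DROP policy last.
# IPT is the iptables binary. IPT=echo prints the commands instead of
# running them (no root needed); IPT=ip6tables applies the same rules to IPv6.
IPT="${IPT:-iptables}"

# Step 1: put every policy back to ACCEPT *before* flushing. Flushing under
# a DROP policy leaves nothing but the policy, which drops all traffic.
reset_filter_table() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F    # flush all rules (filter table only; nat/mangle need -t)
    $IPT -X    # delete user-defined chains, which the flush just emptied
}

# Step 2: the desktop ruleset. Accept rules first, DROP policy last, so
# there is never a moment when the policy drops and nothing accepts.
apply_desktop_rules() {
    $IPT -P FORWARD DROP                                          # we are not a router
    $IPT -A INPUT -m state --state INVALID -j DROP                # packets conntrack cannot classify
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies to our own connections
    $IPT -A INPUT -i lo -j ACCEPT                                 # loopback: local programs talk over it
    $IPT -P INPUT DROP                                            # default deny for everything else
}

# Variant of step 2 for a machine whose existing INPUT rules you want to keep:
# -I inserts at position 1, so issuing the rules in reverse order leaves them
# in the same relative order as above, but ahead of everything already there.
prepend_desktop_rules() {
    $IPT -P FORWARD DROP
    $IPT -I INPUT -i lo -j ACCEPT
    $IPT -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -I INPUT -m state --state INVALID -j DROP
    $IPT -P INPUT DROP
}

# Safety net for a machine you reach over the network (assumed pattern, not
# from the post): reopen the firewall after N seconds unless you cancel it.
# Prints the PID to kill once you have confirmed you can still log in.
arm_lockout_guard() {
    seconds="${1:-120}"
    ( sleep "$seconds" && reset_filter_table ) &
    echo $!
}

case "${1:-}" in
    apply)   reset_filter_table; apply_desktop_rules ;;
    prepend) prepend_desktop_rules ;;
    show)    IPT=echo; reset_filter_table; apply_desktop_rules ;;
    *)       echo "usage: $0 apply|prepend|show  (set IPT=echo for a dry run)" >&2 ;;
esac
```

On a remote box, run `guard=$(arm_lockout_guard 120)` first, then `apply`, then reconnect in a fresh session; only once that works do you `kill "$guard"`. If the new session fails, the guard reopens the firewall two minutes later. Nothing here persists across a reboot; see the note on your distribution's save mechanism above.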
That's it. Your desktop should be secure from any attacker you aren't explicitly allowing in. One caveat: iptables only filters IPv4, so if your machine has IPv6 connectivity you need to apply the same rules with ip6tables, or you are not protected at all on IPv6. There are of course other things that you can do to make it even more secure, but those are beyond the scope of this tutorial.