Iptables

From Mage

A quick and dirty guide to iptables on Arch.

Building a Simple Stateful Firewall

vi /etc/iptables/iptables.rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

### Service rules

# Allow connections that are already established first.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept local traffic
-A INPUT -i lo -j ACCEPT

# Drop all packets with invalid headers or checksum
-A INPUT -m conntrack --ctstate INVALID -j DROP

### BAD ACTOR LIST ###
# Put IP ranges here that you know you will never want to accept traffic from.

### /BAD ACTOR LIST ###

# Accept all new incoming ICMP echo requests, also known as pings
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

## Port opening
# enable SSH - LOCK THAT SUCKER DOWN.
-A INPUT -p tcp --dport 22 -j ACCEPT

# HTTPS Web Server
#-A INPUT -p tcp --dport 443 -j ACCEPT

# REJECT EVERYTHING ELSE
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

COMMIT


Start and enable the service

Start iptables

systemctl start iptables

This starts the iptables firewall service, which loads /etc/iptables/iptables.rules. Your current SSH session should not drop at this point, because it is covered by the RELATED,ESTABLISHED rule, unless you forgot to declare a custom SSH port. Before closing this terminal, double check that you can establish a new SSH connection, because a lockout is much harder to diagnose without an open session.
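Added here as an example (not code from this page or from the Arch project): a pre-flight check for the rules file above that catches the lockout case just described (no SSH accept before the catch-all REJECTs), plus an apply step that restores the old ruleset on a timer unless you confirm from a fresh login. The function names check_rules and apply_rules and the 120-second grace period are this example's own choices; it assumes bash or POSIX sh with awk, grep, mktemp and the iptables tools.

```shell
#!/bin/bash
# Pre-flight check for an iptables-restore rules file such as
# /etc/iptables/iptables.rules, plus an apply step that rolls back on its own.
# Assumes bash/POSIX sh with awk, grep, mktemp and the iptables tools (Arch).

# check_rules FILE [PORT]: return 0 if FILE keeps SSH reachable, 1 otherwise.
# It fails when *filter/COMMIT are missing, when the first INPUT rule is not the
# RELATED,ESTABLISHED accept, or when no "-p tcp --dport PORT ... -j ACCEPT" rule
# precedes the first catch-all REJECT/DROP ("-s" bad-actor drops are not catch-alls).
check_rules() {
    local file="$1" port="${2:-22}"
    grep -q '^\*filter' "$file" && grep -q '^COMMIT' "$file" || return 1
    awk -v port="$port" '
        /^-A INPUT/ && !seen_first {
            seen_first = 1
            if ($0 !~ /--ctstate RELATED,ESTABLISHED/ || $0 !~ /-j ACCEPT/) bad = 1
        }
        /^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ && !rejected &&
            $0 ~ ("--dport " port "( |$)") { ssh = 1 }
        /^-A INPUT/ && /-j (REJECT|DROP)/ && !/-s / && !/--dport/ &&
            !/--ctstate INVALID/ { rejected = 1 }
        END { exit (bad || !ssh) ? 1 : 0 }
    ' "$file"
}

# apply_rules FILE [SECONDS]: load FILE after a parse-only check, and restore the
# previous ruleset automatically after SECONDS (default 120) unless you kill the
# rollback job once a fresh SSH login has succeeded. Needs root.
apply_rules() {
    local file="$1" grace="${2:-120}" backup
    backup=$(mktemp) && iptables-save > "$backup" || return 1
    iptables-restore --test "$file" || return 1   # parse only, do not commit
    ( sleep "$grace" && iptables-restore "$backup" ) &
    echo "rollback job $! restores the old rules in ${grace}s; kill it once a new SSH login works"
    iptables-restore "$file"
}

# Typical use (as root):
#   check_rules /etc/iptables/iptables.rules 22 && apply_rules /etc/iptables/iptables.rules
```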


Enable iptables

Once you're sure you aren't going to lock yourself out, enable the iptables service to start at boot:

systemctl enable iptables