With these rules you can protect yourself a little. You are still able to:
- open websites in your browser or terminal
- receive and send mail with e.g. Thunderbird
- ping any device you want from your machine
- connect to a remote secure shell (SSH)
- retrieve a DHCP lease from your router
- do whois queries from your terminal
Create a script file, e.g. `vim iptables.sh`, with the following content:
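#!/bin/bash
# Host firewall for a workstation: default-deny in both directions, with
# explicit holes for the client protocols listed above (web, mail, SSH,
# DNS, DHCP, whois, outgoing ping).
# IPv4 only: ip6tables is not touched here, so IPv6 traffic is not
# filtered by this script.
# Must run as root: it writes to /proc/sys and to the iptables tables.
set -euo pipefail

if [[ "$EUID" -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

# Setting up default kernel tunings here.
# NOTE: these /proc writes are not persistent across a reboot; the
# if-pre-up script only reloads the iptables rules, so re-apply them
# at boot (e.g. via /etc/sysctl.conf) if you want them to stay in effect.
# Ignore ICMP echo requests sent to broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# DROP source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not ACCEPT ICMP redirect
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source spoofing protection (reverse path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log impossible (martian) packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all existing rules and delete user-defined chains
iptables --flush
iptables --delete-chain

# Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Default policies: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow previously established connections to continue uninterrupted
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow outbound connections on the ports (replies come back via the
# ESTABLISHED,RELATED rule above; nothing inbound is opened here)
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT #SSH
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT #SMTP
iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT #WHOIS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #HTTP
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT #DHCP
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP
iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT #IMAP
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT #SSMTP
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT #Submission
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT #POPS
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT #IMAPS

# Allow outgoing ping requests (type 8) and their replies (type 0).
# Uses -m conntrack like the rules above; -m state is the deprecated alias.
iptables -A OUTPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log dropped packets, rate limited so a flood cannot fill the logs, then
# drop them. Every packet not accepted above ends up in LOGGING, so the DROP
# policies are only a fallback. The prefix is what you search for in syslog.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
iptables -A LOGGING -j DROP

# Save rules so the if-pre-up script can restore them at boot
iptables-save > /etc/iptables.rules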
Then make the script executable:
sudo chmod +x iptables.sh
Now run the script once (it needs root):
sudo ./iptables.sh
Create a file in /etc/network/if-pre-up.d, e.g. `vim /etc/network/if-pre-up.d/iptables`, with the following content:
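#!/bin/bash
# Restore the firewall rules saved by iptables.sh before an interface comes
# up, so the machine is never on the network without them in place.
# Only the IPv4 iptables rules are restored; the kernel tunings written to
# /proc/sys by iptables.sh are not re-applied here.
set -euo pipefail

readonly rules=/etc/iptables.rules

# Fail with a clear message (and a non-zero exit) instead of a bare
# redirection error when the saved rules are missing or unreadable.
if [[ ! -r "$rules" ]]; then
  printf '%s: cannot read %s, firewall rules not restored\n' "${0##*/}" "$rules" >&2
  exit 1
fi

/sbin/iptables-restore < "$rules"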
Then make that file executable as well:
sudo chmod +x /etc/network/if-pre-up.d/iptables
Now your rules will be restored after you reboot your machine. Note that only the iptables rules are restored this way; the kernel settings written to /proc/sys by the first script have to be made persistent separately (e.g. via /etc/sysctl.conf).