@p3t3r67x0
Last active September 3, 2017 23:40
Iptables for Ubuntu Desktop 16.04 with default DROP policy

Iptables for Ubuntu Desktop 16.04

These rules protect your machine a little: every inbound connection is dropped, and only the outbound services listed here are allowed.

  • You can open websites in your browser or from the terminal
  • You can receive and send mail with e.g. Thunderbird
  • You can ping any device from your machine
  • You can connect to a remote machine over SSH
  • You can get a DHCP lease from your router
  • You can run whois queries from your terminal

Create your firewall rules

Create a script file, e.g. vim iptables.sh

#!/bin/bash
# Must run as root: it writes to /proc/sys and changes the iptables rules.
# Note: this only configures IPv4 (iptables); ip6tables is left untouched.
set -e
if [ "$(id -u)" -ne 0 ]; then
    echo "run as root (sudo ./iptables.sh)" >&2
    exit 1
fi

# Kernel tunings. Values written to /proc/sys are lost on reboot;
# put them in /etc/sysctl.conf or /etc/sysctl.d/ to make them persistent.

# Ignore ICMP echo requests sent to broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# DROP source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Do not ACCEPT ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source spoofing protection (reverse path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log impossible (martian) packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all existing rules and delete user-defined chains
iptables --flush
iptables --delete-chain

# Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Default policies: drop everything that is not explicitly allowed below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow previously established connections to continue uninterrupted
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow outbound connections on these ports
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT #SSH
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT #SMTP
iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT #WHOIS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #HTTP
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT #DHCP
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP
iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT #IMAP
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT #SSMTP
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT #Submission
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT #POPS
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT #IMAPS

# Allow outgoing ping requests (echo request) and the matching replies (echo reply)
iptables -A OUTPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log dropped packets (rate limited so the log cannot be flooded), then drop them
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
iptables -A LOGGING -j DROP

# Save rules so they can be restored at boot
iptables-save > /etc/iptables.rules

Then make the script executable

sudo chmod +x iptables.sh

Now run the script once

sudo ./iptables.sh
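Before trusting /etc/iptables.rules to be restored at every boot, it is worth checking that the saved file really contains what you expect: DROP policies on all three built-in chains, the loopback rule, the conntrack rule, and only the outbound ports you meant to open. The following script is an added example, not part of the gist; it only reads the iptables-save text, so it needs neither root nor iptables to run, and the embedded sample ruleset is a constructed stand-in for a real /etc/iptables.rules.

```shell
#!/bin/sh
# Added example (not from the gist): lint a saved iptables ruleset before it
# is restored at boot. Works on the plain iptables-save text format.

# Constructed sample in iptables-save format, shaped like what the gist's
# script writes to /etc/iptables.rules (shortened to three outbound ports).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT'

# check_rules FILE: return 0 when the filter table has a DROP policy on
# INPUT, OUTPUT and FORWARD and still carries the loopback and conntrack
# rules on INPUT (without them a DROP policy locks the machine up).
check_rules() {
    f="$1"
    grep -q -e '^\*filter' "$f" || { echo "no filter table in $f" >&2; return 1; }
    for chain in INPUT OUTPUT FORWARD; do
        grep -q -e "^:$chain DROP" "$f" \
            || { echo "policy for $chain is not DROP" >&2; return 1; }
    done
    grep -q -e '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "missing loopback ACCEPT on INPUT" >&2; return 1; }
    grep -q -e '^-A INPUT .*ESTABLISHED.* -j ACCEPT' "$f" \
        || { echo "missing conntrack ACCEPT on INPUT" >&2; return 1; }
    return 0
}

# allowed_outbound_ports FILE: print the proto/port pairs that OUTPUT
# accepts for new connections, e.g. "tcp/22 tcp/443 udp/53", so the list
# can be compared against what the user intended to open.
allowed_outbound_ports() {
    awk '/^-A OUTPUT / && /--dport/ && /-j ACCEPT/ {
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        printf "%s%s/%s", (n++ ? " " : ""), proto, port
    } END { print "" }' "$1"
}

# Usage: sh check_rules.sh /etc/iptables.rules
# With no argument the constructed sample is checked instead.
if [ $# -gt 0 ]; then
    check_rules "$1" && echo "outbound: $(allowed_outbound_ports "$1")"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    check_rules "$tmp" && echo "sample ok, outbound: $(allowed_outbound_ports "$tmp")"
    rm -f "$tmp"
fi
```

Run it against the real file after the first `sudo ./iptables.sh`; if a later edit of the script accidentally drops the loopback rule or flips a policy to ACCEPT, the check fails before the ruleset is loaded at boot.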

Make your rules persistent

Create a file in /etc/network/if-pre-up.d, e.g. vim /etc/network/if-pre-up.d/iptables

#!/bin/bash
# Restore the saved rules before the interface is brought up
/sbin/iptables-restore < /etc/iptables.rules

Then make that script executable

sudo chmod +x /etc/network/if-pre-up.d/iptables

Now your rules will be restored after you reboot your machine
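The iptables rules are now restored at boot, but the kernel settings the script writes with echo into /proc/sys are not: they are reset on reboot. As an added example (not part of the gist), the same settings as a sysctl drop-in file; the file name is an assumption, any name under /etc/sysctl.d/ works. Apply it without rebooting with sudo sysctl --system.

```conf
# /etc/sysctl.d/60-firewall-hardening.conf (file name is an assumption)
# Persistent form of the /proc/sys values set in iptables.sh
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
```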
