* minimal iptables ruleset for laptop
@ 2005-05-24 9:51 Volkm@r
2005-05-24 10:31 ` Georgi Alexandrov
From: Volkm@r @ 2005-05-24 9:51 UTC (permalink / raw)
To: netfilter
Sorry for this newbie question - I'm just learning about iptables.
What I have is a laptop that I want to protect against external
intrusion. Relevant interfaces are
- eth0, which is LAN and sometimes DHCP sometimes pppoe
- eth1, which is WLAN and sometimes behind my private AP
and sometimes behind company's or public APs
Of course, this laptop would never have to act as a router.
I want to prevent any external intrusion but be able to connect myself
to any external service. AND I want to be able to run some services
(X11, CUPS, Tomcat,...) just for myself.
From somewhere on the internet I got the following snippet which I think
may be suitable for ppp0 as the only interface. But I couldn't find out
how to change it for my needs.
-------------------------------------------------------------------------
# Generated by iptables-save v1.2.11 on Mon May 23 15:54:20 2005
*filter
:INPUT ACCEPT [10502:1065067]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1529512:141800679]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Mon May 23 15:54:20 2005
-------------------------------------------------------------------------
Any help will be much appreciated.
--
Volkm@r
* Re: minimal iptables ruleset for laptop
2005-05-24 9:51 minimal iptables ruleset for laptop Volkm@r
@ 2005-05-24 10:31 ` Georgi Alexandrov
2005-05-24 12:23 ` Volkm@r
From: Georgi Alexandrov @ 2005-05-24 10:31 UTC (permalink / raw)
To: netfilter
Volkm@r wrote:
>Sorry for this newbie question - I'm just learning about iptables.
>
>What I have is a laptop that I want to protect against external
>intrusion. Relevant interfaces are
>
>- eth0, which is LAN and sometimes DHCP sometimes pppoe
>- eth1, which is WLAN and sometimes behind my private AP
> and sometimes behind company's or public APs
>
>Of course, this laptop would never have to act as a router.
>I want to prevent any external intrusion but be able to connect myself
>to any external service. AND I want to be able to run some services
>(X11, CUPS, Tomcat,...) just for myself.
>
>From somewhere on the internet I got the following snippet which I think
>may be suitable for ppp0 as the only interface. But I couldn't find out
>how to change it for my needs.
>
>-------------------------------------------------------------------------
># Generated by iptables-save v1.2.11 on Mon May 23 15:54:20 2005
>*filter
>:INPUT ACCEPT [10502:1065067]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [1529512:141800679]
>:block - [0:0]
>-A INPUT -j block
>-A FORWARD -j block
>-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A block -i ! ppp0 -m state --state NEW -j ACCEPT
>-A block -j DROP
>COMMIT
># Completed on Mon May 23 15:54:20 2005
>-------------------------------------------------------------------------
>
>Any help will be much appreciated.
>
>
something like this:
######################### start ###########################
# Flush all rules, delete user-defined chains and zero the counters in every
# table, so the script always starts from a known empty state
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# Default policies: drop unsolicited inbound traffic, never forward,
# allow everything outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Replies to connections this host opened (and related traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback, so services bound to 127.0.0.1 (X11, CUPS, Tomcat, ...) keep working
iptables -A INPUT -i lo -j ACCEPT
# ICMP destination unreachable, time exceeded and parameter problem
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
# Answer ident (auth) probes with a TCP reset instead of letting them time out
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
############################# end #################################
I think the above ruleset is sufficient. If you have any questions about
it - just ask.
regards,
Georgi Alexandrov
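Volkm@r's original question was how to change the iptables-save snippet for two interfaces that are sometimes on trusted and sometimes on public networks. The following is an added example (not code from the thread) that puts Georgi's default-deny policy into the same iptables-save format the snippet used, so it can be reviewed as text and, on current iptables, parsed without loading via `iptables-restore --test`. Local-only services (X11, CUPS, Tomcat bound to 127.0.0.1) are covered by the loopback rule; nothing interface-specific is needed because the INPUT policy is DROP on every interface. The LOGDROP chain, the "FW-DROP " prefix, the DHCP rule and the interface names are assumptions for this example. `exposed_rules` lists the rules in any ruleset that admit unsolicited traffic; run against the original snippet it flags the `-i ! ppp0 ... --state NEW -j ACCEPT` rule, which is what accepted every new connection on eth0 and eth1.

```shell
#!/bin/sh
# Added example for this thread, not code from the list. Renders a default-deny
# laptop ruleset in iptables-save format so it can be reviewed and checked
# before it is loaded:
#   sh laptop-fw.sh print | sudo iptables-restore --test   # parse only, do not load
#   sh laptop-fw.sh print | sudo iptables-restore          # load it
# The LOGDROP chain, the "FW-DROP " prefix, the DHCP rule and the interface
# names are assumptions for this example.

laptop_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback first, so X11, CUPS, Tomcat etc. bound to 127.0.0.1 keep working
-A INPUT -i lo -j ACCEPT
# Replies to connections this laptop opened, plus related traffic (e.g. FTP data)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are never wanted and only add log noise
-A INPUT -m state --state INVALID -j DROP
# ICMP errors that TCP/UDP rely on: dest unreachable, time exceeded, parameter problem
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 12 -j ACCEPT
# Ident: answer with a RST so mail/IRC servers do not wait for a timeout
-A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
# DHCP replies to the client on eth0/eth1 (harmless if the client uses raw sockets)
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# Everything else: log at a bounded rate, then drop
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Print the rules that admit unsolicited traffic from a ruleset read on stdin:
# ACCEPT rules that are neither loopback-only nor reply-only.
exposed_rules() {
    grep -v '^#' | grep -e '-j ACCEPT' | grep -v -e '-i lo ' | grep -v 'ESTABLISHED'
}

# The snippet from the first message in this thread, for comparison.
op_snippet() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

case "${1:-}" in
    print)   laptop_rules ;;
    exposed) exposed_rules ;;              # e.g. iptables-save | sh laptop-fw.sh exposed
    compare) op_snippet | exposed_rules ;; # flags the "-i ! ppp0 ... NEW" rule
esac
```

The ordering matters: the loopback and ESTABLISHED,RELATED rules sit first because they match the bulk of the traffic, and the LOG rule is rate-limited with `-m limit` so a port scan on a public WLAN cannot fill the disk with kernel messages.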
* Re: minimal iptables ruleset for laptop
2005-05-24 10:31 ` Georgi Alexandrov
@ 2005-05-24 12:23 ` Volkm@r
2005-05-25 9:18 ` Georgi Alexandrov
From: Volkm@r @ 2005-05-24 12:23 UTC (permalink / raw)
To: netfilter
Georgi Alexandrov wrote:
> something like this:
>
> ######################### start ###########################
>
> iptables -F
> iptables -X
> iptables -Z
> iptables -t nat -F
> iptables -t nat -X
> iptables -t nat -Z
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -t mangle -Z
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
> iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
>
> ############################# end #################################
>
> I think the above ruleset is sufficient. If you have any questions about
> it - just ask.
>
> regards,
> Georgi Alexandrov
>
>
Hi Georgi,
Thanks a lot for your fast response. Now it looks much easier to
understand. Now I have two more questions.
1. What is the advantage of putting those "-p icmp" rules?
2. How could I add logging (for some time, to see what's going on)?
Thanks again
Volkm@r
* Re: minimal iptables ruleset for laptop
2005-05-24 12:23 ` Volkm@r
@ 2005-05-25 9:18 ` Georgi Alexandrov
2005-05-25 10:42 ` Volkm@r
From: Georgi Alexandrov @ 2005-05-25 9:18 UTC (permalink / raw)
To: netfilter
Volkm@r wrote:
>Georgi Alexandrov wrote:
>
>
>>something like this:
>>
>>######################### start ###########################
>>
>>iptables -F
>>iptables -X
>>iptables -Z
>>iptables -t nat -F
>>iptables -t nat -X
>>iptables -t nat -Z
>>iptables -t mangle -F
>>iptables -t mangle -X
>>iptables -t mangle -Z
>>
>>iptables -P INPUT DROP
>>iptables -P FORWARD DROP
>>iptables -P OUTPUT ACCEPT
>>
>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>iptables -A INPUT -i lo -j ACCEPT
>>iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
>>iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
>>iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
>>iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
>>
>>############################# end #################################
>>
>>I think the above ruleset is sufficient. If you have any questions about
>>it - just ask.
>>
>>regards,
>>Georgi Alexandrov
>>
>
>Hi Georgi,
>Thanks a lot for your fast response. Now it looks much easier to
>understand. Now I have two more questions.
>
>1. What is the advantage of putting those "-p icmp" rules?
>2. How could I add logging (fore some time, to see what's going on)?
>
>Thanks again
>Volkm@r
>
About the ICMP - it's good (my opinion) to let at least those three ICMP
types through so we have proper network functions.
reference: http://www.faqs.org/docs/iptables/icmptypes.html
About the logging - if you want, for example, to log all the auth requests
(tcp/113) made to your machine, put the following rule above the
-j REJECT one:
iptables -A INPUT -p tcp --syn --dport 113 -j LOG --log-prefix "Auth Request"
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
This way we will have all auth requests logged and then rejected.
You can examine the example rc.firewall script at
iptables-tutorial.frozentux.net for some more logging examples.
regards,
Georgi Alexandrov
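Two practical notes on the LOG rule above, followed by an added example that is not part of the thread. First, the LOG target prints the prefix immediately followed by `IN=`, so a prefix without a trailing space shows up in the kernel log as `Auth RequestIN=eth0 ...`; writing `--log-prefix "Auth Request "` keeps the fields separated. Second, once logging is on for a while the raw lines are tedious to read, so the summariser below groups them by prefix, source address and protocol/port and prints a hit count. The log lines in `sample_log` are constructed for this example (the "FW-DROP " prefix stands for an assumed catch-all log-and-drop rule); the first two show the prefix with and without the trailing space, and the third carries a printk timestamp, all of which the parser handles.

```shell
#!/bin/sh
# Added example for this thread, not code from the list: summarise what the
# iptables LOG target wrote to the kernel log, one line per
# (prefix, source address, protocol/port) with a hit count.
#   journalctl -k | sh fw-log-summary.sh stdin
#   sh fw-log-summary.sh demo          # run on the constructed sample below
# The lines in sample_log are constructed for this example; the "FW-DROP "
# prefix stands for an assumed catch-all log-and-drop rule.

fw_log_summary() {
    awk '
    /IN=.*PROTO=/ {
        # The --log-prefix text is whatever sits between "kernel: " (plus an
        # optional printk timestamp) and "IN=". A prefix without a trailing
        # space appears as "Auth RequestIN=eth0"; both forms are handled.
        pfx = $0
        sub(/.*kernel: /, "", pfx)
        sub(/^\[ *[0-9.]+\] */, "", pfx)
        sub(/ *IN=.*/, "", pfx)
        src = ""; proto = ""; dpt = ""; type = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "TYPE") type = kv[2]
        }
        # TCP/UDP are keyed by destination port, ICMP by type
        detail = proto
        if (proto == "ICMP") detail = detail "/type" type
        else if (dpt != "") detail = detail "/" dpt
        hits[pfx "\t" src "\t" detail]++
    }
    END { for (k in hits) print hits[k] "\t" k }
    ' | sort -rn
}

# Constructed sample: two ident probes (prefix without and with trailing
# space), two SMB probes and one ping from the WLAN, and one unrelated line.
sample_log() {
    cat <<'EOF'
May 25 09:18:01 laptop kernel: Auth RequestIN=eth0 OUT= MAC=00:0d:60:aa:bb:cc:00:30:f1:11:22:33:08:00 SRC=192.0.2.10 DST=192.0.2.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
May 25 09:18:02 laptop kernel: Auth Request IN=eth0 OUT= MAC=00:0d:60:aa:bb:cc:00:30:f1:11:22:33:08:00 SRC=192.0.2.10 DST=192.0.2.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
May 25 09:18:05 laptop kernel: [ 4242.123456] FW-DROP IN=eth1 OUT= MAC=00:0d:60:aa:bb:dd:00:30:f1:44:55:66:08:00 SRC=198.51.100.7 DST=192.0.2.55 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=777 DF PROTO=TCP SPT=3344 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
May 25 09:18:06 laptop kernel: FW-DROP IN=eth1 OUT= MAC=00:0d:60:aa:bb:dd:00:30:f1:44:55:66:08:00 SRC=198.51.100.7 DST=192.0.2.55 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=778 DF PROTO=TCP SPT=3345 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
May 25 09:18:07 laptop kernel: FW-DROP IN=eth1 OUT= MAC=00:0d:60:aa:bb:dd:00:30:f1:77:88:99:08:00 SRC=198.51.100.9 DST=192.0.2.55 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
May 25 09:18:09 laptop kernel: usb 1-1: new high-speed USB device number 2 using ehci_hcd
EOF
}

case "${1:-}" in
    demo)  sample_log | fw_log_summary ;;  # summarise the constructed sample
    stdin) fw_log_summary ;;               # summarise a log piped in on stdin
esac
```

On the sample this yields three lines: two hits for "Auth Request" from 192.0.2.10 on TCP/113, two for "FW-DROP" from 198.51.100.7 on TCP/445, and one ICMP echo request (type 8) from 198.51.100.9; the unrelated USB line is ignored because it carries no `IN=`/`PROTO=` fields.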
* Re: minimal iptables ruleset for laptop
2005-05-25 9:18 ` Georgi Alexandrov
@ 2005-05-25 10:42 ` Volkm@r
From: Volkm@r @ 2005-05-25 10:42 UTC (permalink / raw)
To: netfilter
Georgi Alexandrov wrote:
> [...]
> About the ICMP - it's good (my opinion) to let at least those three icmp
> types so we have proper network functions.
> reference: http://www.faqs.org/docs/iptables/icmptypes.html
>
> About the logging - If you want for example to log all the auth requests
> (tcp/113) made to your machine, we will put the following rule above the
> -j REJECT one:
>
> iptables -A INPUT -p tcp --syn --dport 113 -j LOG --log-prefix "Auth
> Request"
> iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with
> tcp-reset
>
Well, that's exactly what I needed.
>
> This way we will have all auth requests logged and then rejected.
> You can examine the example rc.firewall script at
> iptables-tutorial.frozentux.net for some more logging examples.
>
> regards,
> Georgi Alexandrov
>
>
Thanks for the references. I'm going to read them more carefully.
--
Volkm@r