Loading iptables rules on startup
By default iptables is installed on Debian etch, but no rules are configured. In this tutorial we'll write a set of rules and load them into iptables on startup.
1. Rules file
Create a new file containing a shell script that inserts the rules into iptables (pico /etc/firewall-rules.sh) and use this content as a template:
#!/bin/sh
IPT="/sbin/iptables"
echo -n "Loading iptables rules..."
# Flush old rules and remove user-defined chains
$IPT --flush
$IPT --delete-chain
# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Allow incoming and outgoing traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# ICMP rules (echo-request is rate-limited to 5 packets per second)
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block new TCP connections that do not start with a SYN packet
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# HTTP and HTTPS
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Block fragments and Xmas tree packets, as well as SYN,FIN and SYN,RST combinations
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Anti-spoofing rules
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP
echo "rules loaded."
You can customize this file as required; check the iptables manual for the available parameters and options.
Change the ownership and permissions so that only root can read and execute the file:
chown root /etc/firewall-rules.sh
chmod 700 /etc/firewall-rules.sh
2. Load the rules script on startup
Add this line to the stanza for your default network interface, above its address line (pico /etc/network/interfaces):
pre-up /etc/firewall-rules.sh
Now, every time the network interface is brought up, including on a system restart, the iptables rules are reloaded.
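A check worth running before the script goes live, added here as an example that is not part of the tutorial or of Debian's tooling: rules copied from a web page often arrive with en dashes in place of the double hyphens of --flush or --state and with curly quotes in place of straight ones. iptables then rejects those lines with a bad-argument error, and because the script sets the DROP policies before the ACCEPT rules, a partial load leaves a remote host reachable only over loopback. The function names and the sample lines below are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Lint a firewall rules
# script for copy-paste damage (en dashes instead of "--", curly quotes) and
# write a repaired copy. Run it on /etc/firewall-rules.sh before the script is
# wired into /etc/network/interfaces: iptables rejects "–flush" with a "Bad
# argument" error, and since the DROP policies are already set by then, the
# failing ACCEPT lines leave only loopback traffic allowed.

# UTF-8 byte sequences for the characters web editors commonly substitute.
EN_DASH=$(printf '\342\200\223')   # U+2013, replaces "--"
EM_DASH=$(printf '\342\200\224')   # U+2014
LDQUO=$(printf '\342\200\234')     # U+201C, replaces "
RDQUO=$(printf '\342\200\235')     # U+201D
LSQUO=$(printf '\342\200\230')     # U+2018, replaces '
RSQUO=$(printf '\342\200\231')     # U+2019

# lint_rules_file FILE: print offending lines with numbers; return 0 only if
# the file is free of those characters and parses as shell (sh -n).
lint_rules_file() {
    # LC_ALL=C makes grep and sed match raw bytes whatever the user's locale.
    if LC_ALL=C grep -nE "$EN_DASH|$EM_DASH|$LDQUO|$RDQUO|$LSQUO|$RSQUO" "$1"; then
        echo "$1: non-ASCII dashes or quotes found on the lines above" >&2
        return 1
    fi
    sh -n "$1"
}

# fix_rules_file IN OUT: write IN to OUT with dashes and quotes normalised.
fix_rules_file() {
    LC_ALL=C sed -e "s/$EN_DASH/--/g" -e "s/$EM_DASH/--/g" \
        -e "s/$LDQUO/\"/g" -e "s/$RDQUO/\"/g" \
        -e "s/$LSQUO/'/g" -e "s/$RSQUO/'/g" "$1" > "$2"
}

# Constructed sample: two lines exactly as they paste from the tutorial.
demo=$(mktemp)
printf '$IPT %sflush\necho %srules loaded.%s\n' "$EN_DASH" "$LDQUO" "$RDQUO" > "$demo"
if lint_rules_file "$demo"; then
    echo "unexpected: sample is clean"
else
    fix_rules_file "$demo" "$demo.fixed"
    lint_rules_file "$demo.fixed" && echo "repaired copy:" && cat "$demo.fixed"
fi
rm -f "$demo" "$demo.fixed"
```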
-
Also, you can use a startup script. You must copy your rules, for example firewall.sh, to /etc/init.d. Then you must copy your rules to the runlevel which you are using; check the "runlevel" command. If you are at level 2 just like me, you must link your /etc/init.d script into /etc/rc2.d:
ln -s /etc/init.d/firewall.sh /etc/rc2.d/S33firewall.sh
Then you must give this command:
update-rc.d firewall.sh defaults
It's done. Your firewall script will begin at startup.