
Loading iptables rules on startup

By default iptables is installed on Debian etch, but no rules are configured, and rules added with the iptables command live only in the running kernel: they are gone after a reboot. In this tutorial we'll configure a basic ruleset and have it loaded into iptables on startup.

1. Rules file

Create a new file that will contain a shell script to insert rules into iptables (pico /etc/firewall-rules.sh) and add this content as a template:

#!/bin/sh
IPT="/sbin/iptables"

echo -n "Loading iptables rules..."

# Flush old rules (filter table only; nat and mangle need -t nat / -t mangle)
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Drop fragments, Xmas tree scans and the SYN,FIN / SYN,RST combinations.
# These must come before any ACCEPT: iptables stops at the first matching
# rule, so a SYN,FIN packet to port 22 would otherwise be accepted by the
# SSH rule and never reach the DROP.
$IPT -A INPUT -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules, likewise ahead of the ACCEPTs. 200.200.200.200 is a
# placeholder for a host you want to block outright; remove the
# 192.168.0.0/24 line if that is the subnet this machine actually lives on.
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP rules (echo requests are rate-limited so the box cannot be pinged to death)
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP and HTTPS
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo "rules loaded."
Customize this file as required; see the iptables(8) manual for the available matches and targets. Note that the options are written with two ASCII hyphens (--flush, --dport, --state); a ruleset pasted from a web page often arrives with a single typographic dash instead, which iptables rejects. Run the script once by hand from a session you can afford to lose (keep a second SSH connection open, since the INPUT policy is DROP and a mistake in the SSH rule locks you out), then inspect the result with iptables -L -n -v.

Change the permissions to make the file executable by root:

chown root /etc/firewall-rules.sh
chmod 700 /etc/firewall-rules.sh

2. Load rules shell script on startup

Add this line to the stanza for your default network interface in /etc/network/interfaces (pico /etc/network/interfaces). It has to sit inside the iface block; just above the address line is a good place:

pre-up /etc/firewall-rules.sh

Now the rules are reloaded every time the interface is brought up, including at boot, and because pre-up runs before the interface is configured the DROP policy is already in place when the interface starts taking traffic. Be aware that ifup aborts configuring an interface if a pre-up command exits non-zero. The script above always ends with an echo, so a failed iptables command earlier in it will not keep the interface down; add set -e near the top if you would rather have a broken ruleset keep the interface down than bring it up half-filtered.
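The two steps above, written the way I would do them today, as one added example that is not part of the original post: the ruleset is generated in iptables-save format, checked, and loaded in one shot with iptables-restore, which installs the whole table or nothing. The file path /etc/iptables.rules, the SSH port, and the helper names (gen_rules, rules_wellformed, rules_ordered, check_rules, apply_rules) are this example's own assumptions; iptables-restore --test is assumed to exist only on a reasonably recent iptables, and the script falls back to its static checks where it does not.

```shell
#!/bin/sh
# Added example, not part of the original post. Same policy as the
# tutorial's script, but loaded in one shot with iptables-restore (atomic
# per table: the old rules stay in place if the file fails to parse), and
# checked before it is handed to the kernel. Assumptions: the rules file
# lives at /etc/iptables.rules, SSH listens on 22, and a reasonably recent
# iptables that understands 'iptables-restore --test' (older ones, such as
# the 1.3.x shipped with etch, only get the static checks below).

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset in iptables-save format. iptables takes the first rule
# that matches, so every DROP for forged or malformed packets sits above
# the ACCEPTs; put the SSH ACCEPT first and a SYN,FIN packet to port 22
# would be accepted without ever reaching its DROP rule.
gen_rules() {
    cat <<EOF
# constructed ruleset; load with: iptables-restore < $RULES_FILE
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Static checks that catch the usual copy-and-paste damage: missing table
# header or COMMIT, and the U+2013 dash that web pages substitute for "--"
# (iptables rejects such a line and the whole load fails).
rules_wellformed() {
    f="$1"
    grep -v '^#' "$f" | head -n 1 | grep -q '^\*filter$' || return 1
    [ "$(tail -n 1 "$f")" = "COMMIT" ] || return 1
    ! grep -q "$(printf '\342\200\223')" "$f" || return 1
}

# Succeeds only if every --tcp-flags DROP precedes the first --dport ACCEPT.
rules_ordered() {
    awk '
        /--tcp-flags.*-j DROP/ { last_drop = NR }
        /--dport.*-j ACCEPT/ && !first_accept { first_accept = NR }
        END { exit !(last_drop && first_accept && last_drop < first_accept) }
    ' "$1"
}

check_rules() {
    rules_wellformed "$RULES_FILE" || { echo "$RULES_FILE: malformed" >&2; return 1; }
    rules_ordered "$RULES_FILE" || { echo "$RULES_FILE: an ACCEPT precedes a DROP" >&2; return 1; }
    # Let iptables parse the file without committing it, where supported.
    if iptables-restore --help 2>&1 | grep -q -- '--test'; then
        iptables-restore --test < "$RULES_FILE"
    fi
}

# Save the running rules first so a failed load can be rolled back.
apply_rules() {
    check_rules || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup"
    if ! iptables-restore < "$RULES_FILE"; then
        iptables-restore < "$backup"
        rm -f "$backup"
        return 1
    fi
    rm -f "$backup"
}

case "${1:-}" in
    gen)     gen_rules ;;
    install) umask 077 && gen_rules > "$RULES_FILE" && check_rules &&
             echo "wrote $RULES_FILE; add 'pre-up iptables-restore < $RULES_FILE' to the iface stanza" ;;
    check)   check_rules ;;
    apply)   apply_rules ;;
    "")      ;;
    *)       echo "usage: $0 gen|install|check|apply" >&2; exit 2 ;;
esac
```

Run it once as root with the install argument, then either put pre-up iptables-restore < /etc/iptables.rules in the iface stanza, or point pre-up at this script with the apply argument so the checks run at every boot. Newer Debian releases also ship iptables-apply(8), which loads a file and rolls it back unless you confirm within a timeout; it is the safer tool when you are editing rules over SSH.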

Comments

  1. You can also use a startup script. Copy your rules file, for example firewall.sh, to /etc/init.d, then link it into the rc directory for the runlevel you are using; check it with the "runlevel"
    command. If you are in level 2, just like me, link it from /etc/init.d into /etc/rc2.d:

    ln -s /etc/init.d/firewall.sh /etc/rc2.d/S33firewall.sh

    Then give this command:

    update-rc.d firewall.sh defaults

    That's it; your firewall script will start at boot.

  2. Why this "update-rc.d /etc/init.d/firewall.sh defaults" if you made soft links into /etc/rc2.d???
    Folks, you are mixing two possible methods together ;o/
