#1 2009-10-15 02:17:57

msandahl
Member
From: South Carolina
Registered: 2009-10-15
Posts: 5

A firewall for a laptop

I am trying to decide the best solution for setting up a firewall on my laptop. At home my network sits behind a router/firewall, but when I am out and about I would like to have some protection. What is the best way to set up something that will provide the best security? If it matters, I'm running xfce.

#2 2009-10-15 02:33:31

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: A firewall for a laptop

iptables

If you don't host anything on your laptop (ssh, apache etc) then it should be pretty simple:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP

#3 2009-10-15 04:30:21

miguimon
Member
From: Sydney
Registered: 2008-02-28
Posts: 37
Website

Re: A firewall for a laptop

I use this script for my laptop.

Hope it helps!

#!/bin/bash
#
# Firewall rules for laptop. Only connections are allowed out when turned on.
# 

# Functions to write 1 or 0 into each sysctl file passed as an argument
# (globs such as /proc/sys/net/ipv4/conf/*/rp_filter expand before the call).
enable () { for file in "$@"; do echo 1 > "$file"; done; }
disable () { for file in "$@"; do echo 0 > "$file"; done; }

######################################################################
function on {
    echo "Firewall: enabling filtering"
           
    #Selective ACK lets the peer signal exactly which packets are missing; turned off here.
    disable /proc/sys/net/ipv4/tcp_sack

    #If the kernel should attempt to forward packets. Off by default. Routers should enable.
    disable /proc/sys/net/ipv4/ip_forward

    #Protect against wrapping sequence numbers and in round trip time measurement.
    disable /proc/sys/net/ipv4/tcp_timestamps
   
    #Help against syn-flood DoS or DDoS attacks using particular choices of initial TCP sequence numbers.
    enable /proc/sys/net/ipv4/tcp_syncookies

    # Enable broadcast echo protection.
    enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Disable source routed packets.
    disable  /proc/sys/net/ipv4/conf/*/accept_source_route

    # Disable ICMP Redirect acceptance.
    disable /proc/sys/net/ipv4/conf/*/accept_redirects

    # Don't send Redirect messages.
    disable /proc/sys/net/ipv4/conf/*/send_redirects

    # Do not respond to packets that would cause us to go out
    # a different interface than the one to which we're responding.
    enable /proc/sys/net/ipv4/conf/*/rp_filter

    # Log packets with impossible addresses.
    enable /proc/sys/net/ipv4/conf/*/log_martians

    # Clear any previous rules.
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    
    # Default drop policy.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Allow anything over loopback.
    iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

    # Drop any tcp packet that does not start a connection with a syn flag.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop any invalid packet that could not be identified.
    iptables -A INPUT -m state --state INVALID -j DROP

    # Drop invalid packets.
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP

    # Reject packets addressed to multicast groups (224.0.0.0/4, which includes the all-hosts group 224.0.0.1).
    iptables -A INPUT -d 224.0.0.0/4 -j REJECT

    # Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
    iptables -A INPUT  -p tcp -m state --state ESTABLISHED     -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT  -p udp -m state --state ESTABLISHED     -j ACCEPT
    iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow ICMP out and anything that went out back in.
    iptables -A INPUT  -p icmp -m state --state ESTABLISHED      -j ACCEPT
    iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED  -j ACCEPT

    # Allow only ICMP echo requests (ping) in. Limit rate in. Uncomment if needed.
    #iptables -A INPUT  -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Allow ssh connections in. Uncomment if needed.
    # iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/s -j ACCEPT

    # Drop everything that did not match above and log it.
    iptables -A INPUT   -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
    iptables -A INPUT   -j DROP
    iptables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
    iptables -A FORWARD -j DROP
    #iptables -A OUTPUT  -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
    iptables -A OUTPUT  -j DROP

}
######################################################################
function off {
    # stop firewall
    echo "Firewall: disabling filtering (allowing all access)"
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
######################################################################
function stop {
    # stop all external connections
    echo "Firewall: stopping all external connections"
    iptables -F INPUT
    iptables -F OUTPUT
    # A built-in chain policy can only be ACCEPT or DROP; iptables rejects REJECT as a policy.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # allow anything over loopback
    iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
}

case "$1" in
    start)
    on
    ;;
    stop)
    off
    ;;
    off)
    stop
    ;;
    *)
    echo "$0 {start|stop|off}"
    echo "Start executes the primary ruleset. Default is block all in and allow everything out."
    echo "Stop disables all filtering"
    echo "Off disables all non-loopback connections"
    ;;
esac

#4 2009-10-15 12:55:54

msandahl
Member
From: South Carolina
Registered: 2009-10-15
Posts: 5

Re: A firewall for a laptop

I'll have to give both of those a try. 
@miguimon: Do you run that script at startup, or do you start it up as needed?  When I am at home behind my router I don't think it would be necessary to run a firewall.  Am I correct in that thinking?

#5 2009-10-15 20:52:34

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: A firewall for a laptop

I have followed the wiki and adapted it a little for my needs (deluge, skype and msn ports), the rest was copied as it is in the wiki.

Here's how I have it right now (beware that I may have a big hole here without knowing it):

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

## define 2 new chains
iptables -N interfaces
iptables -N apps_ports


## INPUT chain rules

# Make sure new connections are initiated with a SYN packet
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop packets with fragments
iptables -A INPUT -f -j DROP

# Drop XMAS packets and NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop any ping requests (also configured in /etc/sysctl.conf)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Drop other bad icmp things :P
iptables -A INPUT -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-reply -j DROP

# Accept the remaining icmp packets (seems sane)
iptables -A INPUT -p icmp -j ACCEPT

# Accept packets of related and established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Open ports for some apps
iptables -A INPUT -j apps_ports

# Accept safe connections (loopback)
iptables -A INPUT -j interfaces


## interfaces chain
# Allow all traffic from localhost
iptables -A interfaces -i lo -j ACCEPT


## apps_ports chain
# Allow traffic for Deluge ports
iptables -A apps_ports -p tcp --dport 48400 -j ACCEPT
iptables -A apps_ports -p udp --dport 48400 -j ACCEPT

# Allow traffic for aMule ports
iptables -A apps_ports -p tcp --dport 20000 -j ACCEPT
iptables -A apps_ports -p udp --dport 20003 -j ACCEPT
iptables -A apps_ports -p udp --dport 20010 -j ACCEPT

# Allow traffic for Skype port
iptables -A apps_ports -p tcp --dport 25000 -j ACCEPT
iptables -A apps_ports -p udp --dport 25000 -j ACCEPT

# Allow traffic for aMSN ports
iptables -A apps_ports -p tcp --dport 1863:1870 -j ACCEPT

R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

#6 2009-10-15 21:21:04

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497
Website

Re: A firewall for a laptop


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.

#7 2009-10-20 00:56:31

miguimon
Member
From: Sydney
Registered: 2008-02-28
Posts: 37
Website

Re: A firewall for a laptop

@msandahl Yeah, I run this script at startup from /etc/rc.local, so I don't need to worry about it or do it manually each time.

#8 2009-10-21 16:38:57

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497
Website

Re: A firewall for a laptop

After using that script once, you can simply use

(as root) # /etc/rc.d/iptables save


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.

#9 2009-10-21 21:37:50

Sjoden
Member
From: WA
Registered: 2007-08-16
Posts: 380
Website

Re: A firewall for a laptop

Make sure you put "iptables" in the daemons array of rc.conf 'before' "network" or "netcfg" or whatever you use. Fukawi2's post is probably the best to start with because it's easier to understand at first, and you can build from there what you need. Plus, there is nothing wrong with using a software firewall behind a router. I'd never run a computer without one; plus, you don't really know what that router/firewall is doing, or how well it's working.

#10 2009-10-23 00:52:42

chilebiker
Member
From: Zurich, Switzerland
Registered: 2006-07-18
Posts: 161

Re: A firewall for a laptop

Why not use "arno-iptables-firewall" from AUR?


Don't panic!

#11 2009-12-25 00:37:48

CPUnltd
Member
From: Milwaukee, WI
Registered: 2009-12-05
Posts: 483
Website

Re: A firewall for a laptop

I just can't get this working the way I want... I'm trying to set up protection on the livecd before installing or connecting to the net. Am I wasting my time trying it this way? I followed the iptables tutorial on the wiki and everything, but when iptables is on, I can't connect to the repos... just not sure what I'm doing wrong.


Help grow the dev population... have your tech trained and certified!
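An added check, written for this page and not taken from any of the posters above or from the Arch wiki script: the Python script below replays `iptables` command lines the way they would run from a script like fukawi2's or R00KIE's and reports the mistakes that produce exactly the symptom CPUnltd describes (an INPUT policy of DROP with no reachable RELATED,ESTABLISHED accept, so the replies from the package mirrors are thrown away), plus a few related ones: no loopback accept, an OUTPUT DROP policy with nothing allowed out, an accept placed after an unconditional DROP (and so never reached), and a REJECT chain policy, which iptables does not accept. It follows `-j` jumps into user chains, so R00KIE's `interfaces`/`apps_ports` layout is handled. The three embedded rulesets are fukawi2's two lines, a constructed broken one, and a trimmed excerpt of R00KIE's. Only the filter table and `-P`, `-N`, `-F`, `-A` are modelled; everything else is ignored, so it is a sanity check, not a substitute for reading the rules.

```python
import shlex

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")

def parse_rule_opts(tokens):
    """`-p tcp ! --syn -m state --state NEW -j DROP` -> {'-p': 'tcp', '!--syn': True, ...}"""
    opts, i, negate = {}, 0, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                        # negation applies to the option that follows
            negate, i = True, i + 1
            continue
        key, negate = ("!" if negate else "") + tok, False
        if tok == "--tcp-flags":              # the one common match option that takes two values
            opts[key], i = (tokens[i + 1], tokens[i + 2]), i + 3
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-") and tokens[i + 1] != "!":
            opts[key], i = tokens[i + 1], i + 2
        else:
            opts[key], i = True, i + 1        # valueless option such as --syn or -f
    return opts

def parse_ruleset(text):
    """Replay filter-table -P/-N/-F/-A commands in order -> (policies, chains, errors); -X is ignored."""
    policies = {c: "ACCEPT" for c in BUILTIN}
    chains, errors = {c: [] for c in BUILTIN}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("iptables"):
            continue
        tokens = shlex.split(line)[1:]
        if "-t" in tokens and tokens[tokens.index("-t") + 1] != "filter":
            continue                          # nat/mangle commands play no part in this audit
        cmd, rest = tokens[0], tokens[1:]
        if cmd == "-P":
            if rest[1] in ("ACCEPT", "DROP"):
                policies[rest[0]] = rest[1]
            else:
                errors.append(f"-P {rest[0]} {rest[1]}: a built-in chain policy can only be ACCEPT or DROP")
        elif cmd == "-N":
            chains.setdefault(rest[0], [])
        elif cmd == "-F":                     # flush one named chain, or every chain
            for c in (rest[:1] if rest and not rest[0].startswith("-") else list(chains)):
                chains[c] = []
        elif cmd == "-A":
            chains.setdefault(rest[0], []).append(parse_rule_opts(rest[1:]))
    return policies, chains, errors

def reachable(chains, chain, seen=None):
    """Rules a packet can hit from `chain`: follows -j into user chains, stops at a bare DROP/REJECT."""
    seen = seen or set()
    if chain in seen:
        return
    seen.add(chain)
    for rule in chains.get(chain, []):
        target = rule.get("-j")
        if target in chains and target not in BUILTIN:
            yield from reachable(chains, target, seen)   # the user chain may RETURN, so keep going
        else:
            yield rule
        if target in ("DROP", "REJECT") and len(rule) == 1:
            return                            # unconditional terminal rule: nothing below is reachable

def audit(text):
    """List of findings; an empty list means none of the checked mistakes is present."""
    policies, chains, findings = parse_ruleset(text)
    inbound = list(reachable(chains, "INPUT"))
    accepts = [r for r in inbound if r.get("-j") == "ACCEPT"]
    if policies["INPUT"] != "DROP" and not any(r.get("-j") == "DROP" and len(r) == 1 for r in chains["INPUT"]):
        findings.append("INPUT has neither policy DROP nor a final unconditional DROP: unsolicited inbound traffic is accepted")
    if not any("ESTABLISHED" in (r.get("--state") or r.get("--ctstate") or "").split(",") for r in accepts):
        findings.append("no reachable INPUT rule accepts ESTABLISHED: replies to the laptop's own connections (DNS, HTTP, package mirrors) are dropped")
    if not any(r.get("-i") == "lo" for r in accepts):
        findings.append("no reachable INPUT rule accepts -i lo: local services that talk over 127.0.0.1 will be blocked")
    if policies["OUTPUT"] == "DROP" and not any(
            r.get("-j") == "ACCEPT" and r.get("-o") != "lo" for r in reachable(chains, "OUTPUT")):
        findings.append("OUTPUT policy is DROP with no non-loopback ACCEPT rule: the laptop cannot open any connection")
    return findings

# fukawi2's two-line ruleset from this thread
MINIMAL = """
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
"""
# Constructed sample: the shape of ruleset that leaves package mirrors unreachable (REJECT policy included on purpose)
BROKEN = """
iptables -P INPUT DROP
iptables -P FORWARD REJECT
iptables -A INPUT -i lo -j ACCEPT
"""
# Trimmed excerpt of R00KIE's ruleset: the loopback accept sits in a user chain reached via -j
CHAINED = """
iptables -P INPUT DROP
iptables -N interfaces
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j interfaces
iptables -A interfaces -i lo -j ACCEPT
"""

RESULTS = {name: audit(rules) for name, rules in (("MINIMAL", MINIMAL), ("BROKEN", BROKEN), ("CHAINED", CHAINED))}
```

Paste a ruleset into a string and call `audit()` on it; `RESULTS` holds the verdicts for the three embedded samples. fukawi2's two lines pass the state check but draw one warning (nothing accepts `-i lo`, so a local service reached over 127.0.0.1 would be blocked), the constructed sample draws two findings (the REJECT policy and the missing ESTABLISHED accept), and the R00KIE excerpt draws none, since the loopback accept in the `interfaces` chain is found by following the jump.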
