I am trying to decide the best solution for setting up a firewall on my laptop. At home my network sits behind a router/firewall, but when I am out and about I would like to have some protection. What is the best way to set up something that will provide the best security? If it matters, I'm running xfce.
iptables
If you don't host anything on your laptop (ssh, apache, etc.) then it should be pretty simple:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
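Those two rules are the whole idea: default-deny inbound, let replies to your own connections back in. What they leave out on a laptop is loopback, RELATED state (ICMP errors about your own connections, which path-MTU discovery depends on) and IPv6: iptables only filters IPv4, ip6tables needs its own ruleset, and that ruleset has to let ICMPv6 neighbour discovery through or IPv6 stops working entirely. The script below is an added example and not code from any post in this thread. It writes that ruleset in iptables-restore format so the whole table is loaded in one step, and uses `-m conntrack --ctstate`, which is the current spelling of the `-m state --state` match used in the posts. The script name, the `proto:port` service arguments and the `--test` dry run (present in current iptables-restore) are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum posts): build the minimal stateful laptop
# ruleset as an iptables-restore file, for IPv4 and IPv6, and load it
# atomically. Script name, ports and the service list are assumptions.

# gen_rules FAMILY [proto:port ...]
# FAMILY is 4 or 6. Prints a complete ruleset for iptables-restore /
# ip6tables-restore. Each extra argument opens one inbound port, e.g. tcp:22.
gen_rules() {
    family=$1
    shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback is trusted. Match the interface, not 127.0.0.1: loopback traffic
    # can use any 127.0.0.0/8 address, and ::1 on IPv6.
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to our own connections. RELATED is needed as well, otherwise ICMP
    # errors about our connections (e.g. fragmentation needed, which path-MTU
    # discovery relies on) are dropped.
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    if [ "$family" = 6 ]; then
        # IPv6 does not work behind a DROP policy without ICMPv6: neighbour
        # discovery (133-136) and packet-too-big (2) must get through, and the
        # error types 1, 3 and 4 are cheap to allow (RFC 4890 has the full list).
        for t in 1 2 3 4 133 134 135 136; do
            echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
        # Answer ping, rate limited.
        echo '-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 1/s -j ACCEPT'
    else
        # Answer ping, rate limited.
        echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT'
    fi
    # Optional services you actually host (ssh, a torrent client, ...).
    for svc in "$@"; do
        proto=${svc%%:*}
        port=${svc#*:}
        echo "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else falls through to the INPUT policy and is dropped.
    echo 'COMMIT'
}

# load_rules [proto:port ...]: parse the ruleset first (--test), then commit it
# in one step so the kernel never sees a half-loaded table. Must run as root.
load_rules() {
    gen_rules 4 "$@" | iptables-restore --test  || return 1
    gen_rules 4 "$@" | iptables-restore         || return 1
    gen_rules 6 "$@" | ip6tables-restore --test || return 1
    gen_rules 6 "$@" | ip6tables-restore
}

# Usage:  ./laptop-fw.sh show [tcp:22 ...]   print the IPv4 and IPv6 rulesets
#         ./laptop-fw.sh apply [tcp:22 ...]  load them (as root)
case "${1:-}" in
    show)  shift; gen_rules 4 "$@"; gen_rules 6 "$@" ;;
    apply) shift; load_rules "$@" ;;
esac
```

Run it with `show` first and read the output; `iptables-save` and `ip6tables-save` after `apply` should print the same rules back, which is also the format to keep in a file for loading at boot.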
I use this script for my laptop.
Hope it helps!
#!/bin/bash
#
# Firewall rules for laptop. When turned on, only outgoing connections
# (and the replies to them) are allowed. IPv4 only: ip6tables needs its
# own ruleset if the laptop has IPv6 connectivity.
#
# Helpers to write one or zero into the given /proc/sys files.
# (Not called "enable"/"disable": "enable" is a bash builtin.)
sysctl_on ()  { for file in "$@"; do echo 1 > "$file"; done; }
sysctl_off () { for file in "$@"; do echo 0 > "$file"; done; }
######################################################################
fw_start () {
    echo "Firewall: enabling filtering"
    # Disable TCP selective ACK (SACK). Costs throughput on lossy links.
    sysctl_off /proc/sys/net/ipv4/tcp_sack
    # Do not forward packets between interfaces. Off by default; only routers need it.
    sysctl_off /proc/sys/net/ipv4/ip_forward
    # Disable TCP timestamps (used for PAWS and round-trip measurement); hides
    # uptime, at some cost to TCP on fast links.
    sysctl_off /proc/sys/net/ipv4/tcp_timestamps
    # SYN cookies: survive SYN-flood DoS/DDoS by encoding state in the initial
    # sequence number instead of queueing half-open connections.
    sysctl_on /proc/sys/net/ipv4/tcp_syncookies
    # Ignore ICMP echo requests sent to broadcast addresses (smurf protection).
    sysctl_on /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Do not accept source-routed packets.
    sysctl_off /proc/sys/net/ipv4/conf/*/accept_source_route
    # Do not accept ICMP redirects.
    sysctl_off /proc/sys/net/ipv4/conf/*/accept_redirects
    # Do not send ICMP redirects.
    sysctl_off /proc/sys/net/ipv4/conf/*/send_redirects
    # Reverse-path filter: drop packets whose source address would be routed
    # out of a different interface than the one they arrived on.
    sysctl_on /proc/sys/net/ipv4/conf/*/rp_filter
    # Log packets with impossible addresses.
    sysctl_on /proc/sys/net/ipv4/conf/*/log_martians
    # Clear any previous rules.
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    # Default drop policy.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # Allow anything over loopback. Match on the interface only: loopback
    # traffic may use any 127.0.0.0/8 address, not just 127.0.0.1.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Drop any TCP packet that tries to start a connection without the SYN flag.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Drop packets the connection tracker cannot classify.
    iptables -A INPUT -m state --state INVALID -j DROP
    # Drop impossible TCP flag combinations (NULL, SYN/FIN, SYN/RST, FIN/RST,
    # FIN without ACK, URG without ACK).
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    # Drop multicast. 224.0.0.0/4 is the whole multicast range (224.0.0.0 alone
    # matches a single address). DROP rather than REJECT: rejecting would answer
    # every multicast packet on the LAN with an ICMP error.
    iptables -A INPUT -d 224.0.0.0/4 -j DROP
    # Allow TCP/UDP connections out. Keep state so replies are allowed back in.
    iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
    # Allow ICMP out, and ICMP back in that belongs to our own traffic.
    # RELATED matters here: ICMP errors about our connections (e.g. "fragmentation
    # needed", which path-MTU discovery depends on) are RELATED, not ESTABLISHED.
    iptables -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    # Allow only ICMP echo requests (ping) in, rate limited. Uncomment if needed.
    #iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Allow ssh connections in, rate limited. Uncomment if needed.
    #iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/s -j ACCEPT
    # Log and drop everything that did not match above.
    iptables -A INPUT -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
    iptables -A FORWARD -j DROP
    #iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
    iptables -A OUTPUT -j DROP
}
######################################################################
fw_stop () {
    # Stop filtering entirely.
    echo "Firewall: disabling filtering (allowing all access)"
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
######################################################################
fw_off () {
    # Stop all external connections; only loopback keeps working.
    echo "Firewall: stopping all external connections"
    iptables -F INPUT
    iptables -F OUTPUT
    # A chain policy can only be ACCEPT or DROP; iptables refuses REJECT here.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Allow anything over loopback.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
}
case "$1" in
    start)
        fw_start
        ;;
    stop)
        fw_stop
        ;;
    off)
        fw_off
        ;;
    *)
        echo "$0 {start|stop|off}"
        echo "Start executes primary ruleset. Default is block all in and allow everything out."
        echo "Stop disables all filtering."
        echo "Off disables all non-loopback connections."
        ;;
esac
I'll have to give both of those a try.
@miguimon: Do you run that script at startup, or do you start it up as needed? When I am at home behind my router I don't think it would be necessary to run a firewall. Am I correct in that thinking?
I have followed the wiki and adapted it a little for my needs (Deluge, Skype and MSN ports); the rest was copied as is from the wiki.
Here's how I have it right now (beware that I may have a big hole here without knowing it):
#!/bin/bash
# Policies first, so nothing gets in while the chains are flushed and rebuilt.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
## define 2 new chains
iptables -N interfaces
iptables -N apps_ports
## INPUT chain rules
# Accept safe connections (loopback) first, before any of the checks below
iptables -A INPUT -j interfaces
# Make sure new connections are initiated with a SYN packet
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragments (with connection tracking loaded the kernel reassembles
# fragments before they reach this chain, so this rarely matches anything)
iptables -A INPUT -f -j DROP
# Drop XMAS packets and NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop any ping requests (also configured in /etc/sysctl.conf)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Drop other bad icmp things :P
iptables -A INPUT -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-reply -j DROP
# Accept the remaining icmp packets (seems sane)
iptables -A INPUT -p icmp -j ACCEPT
# Accept packets of related and established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Open ports for some apps; anything not accepted there falls through
# to the INPUT policy and is dropped
iptables -A INPUT -j apps_ports
## interfaces chain
# Allow all traffic from localhost
iptables -A interfaces -i lo -j ACCEPT
## apps_ports chain
# Allow traffic for Deluge ports
iptables -A apps_ports -p tcp --dport 48400 -j ACCEPT
iptables -A apps_ports -p udp --dport 48400 -j ACCEPT
# Allow traffic for aMule ports
iptables -A apps_ports -p tcp --dport 20000 -j ACCEPT
iptables -A apps_ports -p udp --dport 20003 -j ACCEPT
iptables -A apps_ports -p udp --dport 20010 -j ACCEPT
# Allow traffic for Skype port
iptables -A apps_ports -p tcp --dport 25000 -j ACCEPT
iptables -A apps_ports -p udp --dport 25000 -j ACCEPT
# Allow traffic for aMSN ports
iptables -A apps_ports -p tcp --dport 1863:1870 -j ACCEPT
R00KIE
Yes, the wiki has some iptables and firewalling articles:
http://wiki.archlinux.org/index.php/Sim … wall_HOWTO
http://wiki.archlinux.org/index.php/Iptables
You also have this:
http://wiki.archlinux.org/index.php/Firewalls
@msandahl: yeah, I run this script at startup from /etc/rc.local, so I don't need to worry about it or do it manually each time.
After using that script once you can simply run (as root):
# /etc/rc.d/iptables save
Make sure you put "iptables" in the daemons array of rc.conf before "network" or "netcfg" or whatever you use. Fukawi2's post is probably the best to start with because it's easier to understand at first, and you can build from there what you need. Plus, there is nothing wrong with using a software firewall behind a router. I'd never run a computer without one, plus you don't really know what that router/firewall is doing, or how well it's working.
Why not use "arno-iptables-firewall" from AUR?
I just can't get this working the way I want... I'm trying to set up protection on the livecd before installing or connecting to the net. Am I wasting my time trying it this way? I followed the iptables tutorial on the wiki and everything, but when iptables is on I can't connect to the repos... I'm just not sure what I'm doing wrong.
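Whenever a ruleset breaks something, as with the repos above, the fastest way to see what it is eating is a LOG rule right before the final DROP, which the laptop script earlier in the thread already has for INPUT (prefix "IPT_INPUT: ") and has commented out for OUTPUT. Those messages land in the kernel log (dmesg, or wherever syslog puts kernel messages); read raw they are a wall of text, so the following is an added example, not code from any post here, that boils them down to counts per protocol, destination port and source. The sample log lines are constructed for the example, and the prefix argument is the only assumption.

```shell
#!/bin/sh
# Added example (not from the forum posts): summarise what a LOG + DROP
# ruleset is rejecting, from the kernel messages it writes. The log prefix
# defaults to the "IPT_INPUT: " used in the laptop script; pass another
# prefix (e.g. "IPT_OUTPUT: ") as $1. Feed it dmesg or journalctl -k on stdin.

# drop_summary [PREFIX]
# Prints one line per distinct (protocol, destination port, source) tuple:
#   <count> <PROTO> <DPT or -> <SRC>
# most frequent first. Lines without the prefix are ignored.
drop_summary() {
    awk -v pfx="${1:-IPT_INPUT: }" '
        index($0, pfx) {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            n[proto " " dpt " " src]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample (not real log data): what the LOG target emits for three
# SSH probes, two mDNS packets and one ping, plus one unrelated kernel line,
# in dmesg format. Addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG='[  101.000001] IPT_INPUT: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[  101.000002] IPT_INPUT: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[  101.000003] IPT_INPUT: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[  102.000001] IPT_INPUT: IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:cc:08:00 SRC=192.0.2.30 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
[  102.000002] IPT_INPUT: IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:cc:08:00 SRC=192.0.2.30 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
[  103.000001] IPT_INPUT: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=192.0.2.40 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
[  104.000001] wlan0: associated'

# Run the summary over the constructed sample.
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | drop_summary
}

# Real use:  dmesg | sh ./drop-summary.sh
#            dmesg | drop_summary 'IPT_OUTPUT: '   (after sourcing this file)
case "${1:-}" in
    sample) run_sample ;;
esac
```

For the repo problem specifically: if the rules log outbound drops under their own prefix, a summary showing the DNS or HTTP port of the mirror is the answer in one line, and if nothing is logged, the block is somewhere other than the filter table.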