I still prefer a flat ASCII file, either loading the rules one at a time from a script or using the built-in iptables-save/iptables-restore, which amounts to the same thing. But if you like, want or need a GUI application, skip the lokkit firewall configuration tool in favor of system-config-firewall. It makes configuring your firewall as easy as the basic Windows firewall, but with the option detail you expect from Linux.
I mentioned Lokkit because I just ran across a huge problem with it on another machine. I found it running with 100% utilization. I don’t know why it ended up in that state, but it didn’t die when the user stopped it and it’s probably not a good idea to configure a firewall on a system that you’re remotely connected to in the first place. What if you forget to allow ssh access when you apply the rules? What if it starts in a panic state with all traffic dropped or denied? It just doesn’t sound like a good idea to me!
#!/bin/sh
iptables=/sbin/iptables

# kernel network hardening via /proc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                    # mitigate SYN flood attacks
echo 0 > /proc/sys/net/ipv4/ip_forward                        # this host is not a router
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# start from a clean slate so re-running the script does not append duplicate rules
$iptables -F
$iptables -X

# set the default policies to DROP
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

# drop broadcasts
$iptables -A INPUT -d 255.255.255.255 -j DROP
$iptables -A INPUT -d 192.168.255.255 -j DROP
$iptables -A INPUT -d 192.168.1.255 -j DROP
$iptables -A INPUT -d 10.255.255.255 -j DROP
$iptables -A INPUT -d 169.254.255.255 -j DROP

# drop well-known virus/port scanning targets on every interface
# (no "-i ANY": iptables has no interface wildcard, "-i ANY" would only match
# an interface literally named ANY and these rules would never fire)
$iptables -A INPUT -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP
$iptables -A INPUT -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP
$iptables -A INPUT -p udp --dport 1026 -j DROP
$iptables -A INPUT -p tcp -m multiport --dports 1433,4899 -j DROP

# accept loopback
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# accept ICMP packets up to a limit, drop the excess
$iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
$iptables -A INPUT -p icmp -j DROP

# internet traffic: replies to our own connections in, everything out
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -j ACCEPT

# allow a few specific public inbound ports
$iptables -A INPUT -p tcp -m multiport --dports 25,80,143,443,993 -j ACCEPT

# accept ssh connections, but log and drop a source that opens more than
# 5 new connections in 60 seconds (the DROP rule's --update refreshes the
# timer on every further attempt, so the block lasts until the source has
# been quiet for 60 seconds)
$iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 60 --hitcount 5 --name SSH -j LOG
$iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
$iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

If you’re paying attention to both the iptables script and the system-config-firewall screenshot, you’ll notice the rules are actually different. I know this! It’s just an example…
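The lockout worry from earlier (applying rules over the very ssh session they might cut) is a solved problem if you add two safety nets before loading a script like the one above: a preflight check that refuses any ruleset with no INPUT rule accepting tcp to the ssh port, and a watchdog that restores the previous rules after a timeout unless you confirm the session still works. The script below is an added example and not part of the original post or of any firewall tool; it assumes iptables-save and iptables-restore live in /sbin, that the installed iptables-restore supports the --test flag, and that the new ruleset is a file in iptables-save format. The file name safe-apply.sh and the sample rule lines are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: apply a new iptables
# ruleset over ssh with a preflight check and a rollback watchdog.
# Assumptions: /sbin/iptables-save and /sbin/iptables-restore exist, the
# latter supports --test, and NEWRULES is in iptables-save format.

IPTABLES_SAVE=${IPTABLES_SAVE:-/sbin/iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
SSH_PORT=${SSH_PORT:-22}

# ruleset_allows_port FILE PORT
# Returns 0 if FILE has an INPUT rule that ACCEPTs tcp to PORT, written either
# as "--dport PORT" or anywhere inside a multiport "--dports a,PORT,b" list;
# returns 1 otherwise. "-p tcp" is required so udp or icmp rules do not count,
# and the port must be delimited so 22 does not match 2222 or 122.
ruleset_allows_port() {
    _file=$1
    _port=$2
    grep -E -- "^-A INPUT .*-p tcp .*--dports? ([0-9]+,)*${_port}(,[0-9]+)* .*-j ACCEPT( |$)" "$_file" >/dev/null
}

# apply_with_rollback NEWRULES [TIMEOUT]
# Loads NEWRULES, then reverts to the saved ruleset after TIMEOUT seconds
# unless the operator presses Enter. Return codes: 0 kept, 1 load/save failure,
# 2 refused by preflight, 3 no confirmation (rollback pending).
apply_with_rollback() {
    _new=$1
    _timeout=${2:-60}

    if ! ruleset_allows_port "$_new" "$SSH_PORT"; then
        echo "refusing $_new: no INPUT rule accepts tcp/$SSH_PORT, you would lock yourself out" >&2
        return 2
    fi
    if ! "$IPTABLES_RESTORE" --test < "$_new"; then
        echo "refusing $_new: iptables-restore cannot parse it" >&2
        return 2
    fi

    _backup=$(mktemp) || return 1
    "$IPTABLES_SAVE" > "$_backup" || return 1

    # Watchdog: restore the old rules after TIMEOUT seconds unless killed.
    # It ignores SIGHUP so that it survives the terminal hangup that a
    # self-inflicted lockout produces, which is exactly when it is needed.
    ( trap '' HUP; sleep "$_timeout" && "$IPTABLES_RESTORE" < "$_backup" ) >/dev/null 2>&1 &
    _watchdog=$!

    if ! "$IPTABLES_RESTORE" < "$_new"; then
        kill "$_watchdog" 2>/dev/null
        "$IPTABLES_RESTORE" < "$_backup"
        return 1
    fi

    echo "new rules live; press Enter within ${_timeout}s to keep them, do nothing to roll back"
    # If the new rules cut this ssh session, no keypress ever arrives: the
    # watchdog fires and the previous ruleset comes back on its own.
    if read -r _; then
        kill "$_watchdog" 2>/dev/null
        echo "kept; previous ruleset saved at $_backup"
        return 0
    fi
    echo "no confirmation; rollback in at most ${_timeout}s" >&2
    return 3
}

# Usage: sh safe-apply.sh NEWRULES [TIMEOUT]   (file name is hypothetical)
case "${1:-}" in
    "") ;;
    *) apply_with_rollback "$1" "${2:-60}" ;;
esac
```

The preflight is purely syntactic: it does not notice a DROP placed ahead of the ssh ACCEPT in the same chain, so the real test is still to open a second ssh session before pressing Enter. The watchdog is the same idea as scheduling `iptables-restore < backup` with `at now + 1 minute` and cancelling the job once you are sure you are still in; the inline subshell just avoids depending on the at daemon.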