Guitars, Paramedics, Linux, and Me

December 4, 2006

Fedora Core 6: Laptop Iptables Firewall

Filed under: Linux — S. Kindley @ 12:15 am

I’ve been securing my Fedora Core 6 laptop installation a bit lately and decided to post about a simple iptables firewall I am currently using. When I travel I rely on wifi hotspots located in airports, service plazas, and travel centers throughout the U.S.

Since I primarily use this laptop for communication and occasional programming/administration work while on the road, my requirements are rather simple: I want to block most incoming traffic.

I occasionally need the http, https, ssh, and bittorrent ports open to external access. Everything else should be blocked.

I first edited /etc/sysconfig/iptables-config and changed every “no” entry to “yes” except IPTABLES_STATUS_VERBOSE, which I left set to “no”. Then I restarted the iptables service with service iptables restart. Two of those entries deserve a second look: IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART make the init script overwrite /etc/sysconfig/iptables with whatever is loaded in the kernel at that moment, so a table you have just flushed for testing becomes the saved rule set on the next service iptables stop. IPTABLES_SAVE_COUNTER is what puts the [packets:bytes] counters in front of each rule in the saved file shown below.

As root I hand-entered my iptables rules and checked that they were indeed listed by running iptables -L. One caveat when reading that listing: without -v, iptables -L does not print the interface match, so the first ACCEPT rule below looks like an unconditional accept-all even though it applies only to interfaces other than eth1 (compare the saved file further down). iptables -L -n -v adds the in/out interface columns and prints numbers instead of names, which is the form to use when verifying what a rule actually matches.


[root@dev ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpts:6880:6889 state NEW
ACCEPT udp -- anywhere anywhere udp dpts:6880:6889 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `[IPTABLES] : '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@dev ~]#

I’ve never used the built-in firewall tools available in the GUI; I prefer to do it manually. This is probably a left-over preference from years of CLI experience. There are many, many other options available to a Fedora Core 6 user; this is the method I know and prefer.

After entering my iptables rules I made sure to save them using an often-overlooked command called iptables-save. (On Fedora, service iptables save does the same thing: it writes the running rules to /etc/sysconfig/iptables.)

To save my rules I issued:

/sbin/iptables-save > /etc/sysconfig/iptables

Followed by:

/sbin/iptables-restore < /etc/sysconfig/iptables

and then restarted the iptables service with service iptables restart to make sure the rules would be reloaded automatically. The restart is the real check: the init script loads /etc/sysconfig/iptables with iptables-restore, so if iptables -L shows the same rules afterwards they will also come back after a reboot (provided the service is enabled with chkconfig iptables on).

One could take the contents of my /etc/sysconfig/iptables file and use the iptables-restore command to implement them as well. Note that the file was written by iptables 1.3.5, which records the interface negation as -i ! eth1; newer iptables releases warn that this form is deprecated and expect ! -i eth1 instead, so change that line before restoring the file on a current system.

***
My /etc/sysconfig/iptables file
***

# Generated by iptables-save v1.3.5 on Sun Dec 3 02:27:23 2006
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1145:897437]
[0:0] -A INPUT -i ! eth1 -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 6880:6889 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 6880:6889 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -i eth1 -j LOG --log-prefix "[IPTABLES] : " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A INPUT -i eth1 -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A INPUT -i eth1 -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Dec 3 02:27:23 2006
# Generated by iptables-save v1.3.5 on Sun Dec 3 02:27:23 2006
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Dec 3 02:27:23 2006
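A saved rule set like the one above can be checked mechanically before it is trusted on a hostile network. The Python script below is an added example; it is not part of the original post and not a Fedora tool. It parses an iptables-save dump (accepting both the 1.3-era -i ! eth1 negation and the current ! -i eth1), lists which ports accept NEW connections from any source, and flags two things a practitioner would want to know about this particular file: the first rule accepts everything on every interface other than eth1, so a wired or VPN link on another interface is not filtered at all, and the LOG rule has no -m limit, so a port scan on a hotspot can fill /var/log/messages. SAMPLE_RULES is the post's own filter table with the blog's en-dashes restored to --; HARDENED_RULES is an assumed variant (not from the post) that trusts only loopback, rate-limits logging, and opens only ssh; the function and variable names are the example's own.

```python
# Added example (not from the original post): audit an iptables-save dump before trusting it.
import shlex

# The post's own *filter table, with WordPress's en-dashes turned back into "--" (constructed inline).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1145:897437]
[0:0] -A INPUT -i ! eth1 -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 6880:6889 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 6880:6889 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -i eth1 -j LOG --log-prefix "[IPTABLES] : " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A INPUT -i eth1 -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A INPUT -i eth1 -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Assumed hardened variant (not from the post): trust only loopback, rate-limit the log, open only ssh.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[IPTABLES] : "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Options that consume the next token; anything else is treated as a bare flag and skipped.
VALUE_OPTS = {"-A", "-i", "--in-interface", "-o", "-p", "--protocol", "-s", "-d", "-m", "--match",
              "-j", "--jump", "--dport", "--destination-port", "--sport", "--state", "--ctstate",
              "--reject-with", "--log-prefix", "--log-level", "--limit", "--limit-burst"}
SETTERS = {"-A": "chain", "-p": "proto", "--protocol": "proto", "-j": "target", "--jump": "target",
           "--dport": "dport", "--destination-port": "dport", "--state": "state", "--ctstate": "state"}

def parse_rule(tokens):
    """Parse one '-A CHAIN ...' line; handles '-i ! eth1' (iptables 1.3) and '! -i eth1' (current)."""
    rule = {"chain": "", "target": "", "proto": "", "dport": "", "state": "",
            "iface": "", "iface_negated": False, "matches": []}
    negate, i = False, 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "!":                                   # extrapositioned negation
            negate = True
            continue
        val = ""
        if tok in VALUE_OPTS:
            if i < len(tokens) and tokens[i] == "!":     # intrapositioned negation
                negate, i = True, i + 1
            if i < len(tokens):
                val, i = tokens[i], i + 1
        if tok in SETTERS:
            rule[SETTERS[tok]] = val
        elif tok in ("-i", "--in-interface"):
            rule["iface"], rule["iface_negated"] = val, negate
        elif tok in ("-m", "--match"):
            rule["matches"].append(val)
        negate = False
    return rule

def parse_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}} from iptables-save output."""
    tables, table = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        else:  # a leading "[pkts:bytes]" counter (iptables-save -c) precedes the rule itself
            tokens = shlex.split(line)
            table["rules"].append(parse_rule(tokens[1:] if tokens[0].startswith("[") else tokens))
    return tables

def exposed_ports(tables):
    """Sorted (proto, port) pairs on INPUT that accept NEW connections from any source."""
    return sorted((r["proto"], r["dport"]) for r in tables.get("filter", {}).get("rules", [])
                  if r["chain"] == "INPUT" and r["target"] == "ACCEPT"
                  and r["dport"] and "NEW" in r["state"].split(","))

def audit(tables):
    """Findings about the INPUT chain; an empty list means the checks passed."""
    filt = tables.get("filter", {"policies": {}, "rules": []})
    policy = filt["policies"].get("INPUT", "ACCEPT")
    findings = [] if policy == "DROP" else ["INPUT policy is %s, not DROP" % policy]
    for r in (r for r in filt["rules"] if r["chain"] == "INPUT"):
        if r["target"] == "ACCEPT" and r["iface_negated"] and not r["proto"] and not r["state"]:
            findings.append("blanket ACCEPT on every interface except %s: any other link "
                            "(wired, VPN, USB) is completely unfiltered" % r["iface"])
        if r["target"] == "LOG" and "limit" not in r["matches"]:
            findings.append("LOG rule has no -m limit: one port scan can flood the system log")
    return findings
```

On a real system, feed parse_save the output of iptables-save (or the contents of /etc/sysconfig/iptables) instead of the embedded sample; audit(parse_save(SAMPLE_RULES)) reports the two findings described above, while the hardened variant reports none and exposes only tcp/22. The checks are deliberately narrow: they do not prove the rules are right, only that the INPUT policy is DROP, that no interface is exempted wholesale, and that logging cannot be used to fill the disk, which is the minimum to confirm before the next hotel or airport network.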
