After spending some time locking down my linux firewall, I thought I'd share my iptables list. Its probably not complete and probably has a few errors in it, so feedback welcome.

I basically allow anything on my network to use the services, but only the services I specify. I only allow my work's IP address access via SSH and everything else (bit torrent client, vnc etc) tunnel across ssh. This means the connection from my work desktop to my home server is across a encrypted line. VNC normally does not encrypt the connection. I use puTTY on my work's desktop to set up the ssh link. Another guy at work uses Hamachi, but I couldn't get that working properly.

I have the bittorrent port and port 22 for SSH open on the router/NAT and they are port forwarded to the linux machine.

I have a file which is commented so I know why I did things and which ports relate to which service.

I then use
# iptables-restore < iptables.base
This loads in the changes


cat iptables.base

*filter
:INPUT ACCEPT [19422:4819133]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10064:2038008]
# Only the following sources are allowed to connect to the server
#-s 213.xxx.xxx.xxx # Work's External IP
#-s 192.168.1.0/255.255.255.0 # internal network
#

# Accept local connect traffic through 127.0.0.1
-A INPUT -i lo -j ACCEPT

# Allow established and related connections through
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Brute force prevention - prevents more than two SSH connections per minute to slow down SSH scans
-A INPUT -p tcp --dport 22 -m recent --update --hitcount 2 --seconds 60 --name SSHIN -j REJECT
-A INPUT -p tcp --dport 22 -m recent --set --name SSHIN -j ACCEPT

# Allow ftp access from local hosts only
#-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dports 20,21 -j ACCEPT
#-A OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dports 20,21 -j ACCEPT

# Allow samba access for the allowed hosts
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dports 139,145 -j ACCEPT

# Allow ssh from allowed hosts only
-A INPUT -s 213.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT

# Allow itunes (bonjour) for local traffic only
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 3689 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 3689 -j ACCEPT

# Allow twonky for local traffic only
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 9000 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m multiport --dports 1030,1900,9080 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 9000 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -p udp -m multiport --dports 1030,1900,9080 -j ACCEPT

# Allow VNC from selected hosts
-A INPUT -s 5.0.0.0/255.0.0.0 -p tcp -m multiport --dports 5900,5901 -i ham0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dports 5900,5901 -j ACCEPT

# Allow DNS lookups out
-A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow web browsing from this server
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Allow MLdonkey connections from a GUI from allowed hosts only
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 4001 -j ACCEPT
# for now dont allow the http connection on 4080

# open the bitTorent incoming port
-A INPUT -p tcp -m multiport --dports 6881,6882 -j ACCEPT

# Allow outbound SMTP
-A OUTPUT -p tcp --dport 25 -j ACCEPT

# Allow outbound NTP
-A OUTPUT -p tcp --dport 123 -j ACCEPT

#if we get here reject the packet
-A INPUT -j REJECT

COMMIT

I must admit I maintained my own iptables rules for quite a while, but it was getting more and more complicated adding rules and making quick changes to try something out without opening a huge security hole. I looked at a few of the GUI rule builders but didn't find anything I felt really comfortable with. In the end though I stumbled across Firehol (http://firehol.sourceforge.net/) which is a firewall scripting language and after a bit of a learning curve I found it far easier to change as the language is reasonably intuitive

Here's a cutdown version of my firehol script.


# define IP source addresses valid on the internal LAN
HOME_LAN_RANGE="192.168.0.0/24"
# IP addresses of Office Internet Gateways. Used to restrict
# Incoing IP addresses allowed for SSH
OFFICE_INTERNET_GATEWAYS="100.200.300.0/24 101.201.301.1"

interface eth0 lan src ${HOME_LAN_RANGE}
policy reject
server "dns smtp pop3 imap samba squid dhcp http https ssh icmp ntp" accept
client all accept

interface eth1 internet
protection strong 40/sec 40
server ssh accept src "${OFFICE_INTERNET_GATEWAYS}"
server ident reject with tcp-reset
server "smtp http https icmp" accept
client all accept

router internet2homelan inface eth1 outface eth0
# Empty as we don't route anything from the internet to the local LAN

router lan2internet inface eth0 outface eth1
route "http https ftp nntp ssh dns icmp ntp msn real realu pop3s imaps" accept



My feedback for what its worth...

I must admit I'm not that familiar with the iptables-save/restore file format, but it looks to me that the policy for all INPUT, OUTPUT and FORWARD chains is being set to ACCEPT. You've got the final REJECT on the INPUT chain, but the packets that drop off the end of the OUTPUT chain are just being ACCEPT'd.

In terms of optimisation i think you could safely drop the source address check from all the output rules, since by definition they must have originated from the server and so would always have a source address in your LAN range.

Similarly I think if you reorder the input rules to deal with the protocols you're allowing in from the Internet first you can then reject all other non local traffic and ditch the source IP address check from all the other input rules

e.g. something like this might work


# Allow ssh from allowed hosts only
-A INPUT -s 213.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
# Allow VNC from selected hosts
-A INPUT -s 5.0.0.0/255.0.0.0 -p tcp -m multiport --dports 5900,5901 -i ham0 -j ACCEPT
#Now reject all non local traffic
-A INPUT -s ! 192.168.1.0/255.255.255.0 -j REJECT

# Everything in the INPUT chain from here on is guaranteed to be local traffic
# samba access for the local LAN
-A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,145 -j ACCEPT
# Allow itunes (bonjour) for local traffic only
-A INPUT -p tcp --dport 3689 -j ACCEPT
....
rest of input rules
....
-A INPUT -j REJECT


Just spotted one more thing

If this rule is for web browsing from your server then this needs to be in the output chain. It's probably working OK at the moment though as the OUTPUT chain is accepting any packet that falls through to the end


# Allow web browsing from this server
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

Just spotted one more thing

If this rule is for web browsing from your server then this needs to be in the output chain. It's probably working OK at the moment though as the OUTPUT chain is accepting any packet that falls through to the end


# Allow web browsing from this server
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT


well spotted. Thanks

I like this:

#Now reject all non local traffic
-A INPUT -s ! 192.168.1.0/255.255.255.0 -j REJECT