Use those iptables…

If you can’t rely on your local network being firewalled the onus is on you to make sure that you have a firewall running on your computer. On linux you have iptables, which is remarkably easy to use if you have at least a basic understanding of how networking works (and/or google). Without going into details, you REALLY, REALLY. REALLY need to have your OWN firewall running if you are based at Umeå University.

Your needs may vary, but here’s a script that you can put in e.g. /etc/firewall_rules.sh

Have it called from /etc/rc.local so that it starts during boot.

 

#!/bin/sh
sudo iptables -F #FLUSH
#INPUT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #allows network
sudo iptables -A INPUT -i lo -j ACCEPT #127.0.0.1
sudo iptables -A INPUT -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT #ssh -world!
sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT -s 192.168.1.0/24 #ping
sudo iptables -A INPUT -d 255.255.255.255 -j ACCEPT #broadcast traffic
sudo iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix " Dropped by firewall "
sudo iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 4 --log-prefix "[netfilter]"
sudo iptables -A INPUT -j DROP #drop all else
#OUTPUT
sudo iptables -A OUTPUT -o lo -j ACCEPT #127.0.0.1
sudo iptables -A OUTPUT -j ACCEPT #all outgoing ok
#FORWARD
sudo iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
#Default behaviour
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
exit 0

Leave a Reply

Your email address will not be published. Required fields are marked *