After everyone's helpful comments I decided there was no reason for me to add complexity to Debian with shorewall or any of the rest of them.
For you that are new to Linux or firewalls, here are the steps to get iptables functioning and blocking everything except HTTP, HTTPS and SSH:
1) Make sure iptables is installed - type at a command line (such as putty):
iptables -L
That will show you the current configuration. If this works it is installed.
2) Create a script to setup rules. At a command line again type in:
nano /etc/firewall.sh
(for newbies, nano is one of the text editors you can use in debian)
3) The above will open up a BLANK file as you are creating it brand new. Now type or paste in all of the below:
#!/bin/sh
IPT="/sbin/iptables"
echo -n "Loading iptables rules..."
# Flush old rules
iptables --flush
iptables --delete-chain
# By default, drop everything except outgoing traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow incoming and outgoing for loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# ICMP rules
iptables -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,R$
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m stat$
iptables -A INPUT -p icmp --icmp-type destination-unreachable -m state --state $
iptables -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACC$
iptables -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j$
iptables -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLIS$
# Block new connections without SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow established connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# HTTP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
iptables -A INPUT -p ip -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Anti-spoofing rules
iptables -A INPUT -s 200.200.200.200 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
echo "rules loaded."
4) Now give root access to your new file. At the command line type:
chown root /etc/firewall.sh
chmod 700 /etc/firewall.sh
5) Add the new script to your startup. At a command line type in:
nano /etc/network/interfaces
Above the line for your network card (auto eth0) add this line:
pre-up /etc/firewall.sh
6) Reboot your Linode. At a command line stop mysql and then reboot:
/etc/init.d/mysql stop
reboot
7) Type in iptables -L and you should see your new rules! It's that simple....although hunting around online sure doesn't make it seem that way. I got much of this info from
http://www.debiantutorials.com/loading- ... n-startup/.
Additional note: for those of you that want to change the port for SSH, you can't just change the line above that references it, you have to tell the SSH server in Debian to listen on a different port as well. This almost burned me. Just type in:
nano /etc/ssh/sshd_config
And you'll see a line to change the port number it listens on. Then you can change the firewall rule and then your clien's port number and it will work fine.
FAQ
Search
Members
Register
Login [ Anonymous ]
