Oct 06
Enter these rules at the command line as root (or with sudo). The order matters: the ESTABLISHED,RELATED rule is appended before anything that drops, so an SSH session used to type them in is not cut off. Running the commands twice appends duplicate rules, so flush the table (`iptables -F INPUT`) before re-entering them.

```sh
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -s 192.168.0.2/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -s 192.168.0.2/32 -j ACCEPT
iptables -N LOGNDROP
iptables -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
iptables -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
iptables -A LOGNDROP -j DROP
# Send everything INPUT has not accepted to LOGNDROP. Without this jump the
# LOGNDROP chain is never reached and, because the default INPUT policy is
# ACCEPT, nothing is dropped.
iptables -A INPUT -j LOGNDROP
```
These rules mean:
- accept all traffic on the loopback interface (lo), which local services such as the database client rely on
- accept all incoming packets that belong to a connection already established from this host, or that are related to one (e.g., FTP data channels, ICMP errors for an existing flow)
- accept all incoming SSH traffic, from any source; restrict with `-s` if only known hosts need to administer the box
- accept all incoming HTTP traffic
- accept all incoming HTTPS traffic
- accept incoming SMTP traffic originating from 192.168.0.2 only
- accept incoming traffic for port 3306 (MySQL) originating from 192.168.0.2 only
- create a new chain called LOGNDROP
- log rejected TCP packets to the kernel log, rate-limited to 5 per minute so a scan cannot fill the disk
- log rejected UDP packets the same way
- log rejected ICMP packets (e.g., ping) the same way
- drop everything that reaches the end of LOGNDROP

The LOG rules use `--log-level 7` (debug), so confirm the messages actually show up (`dmesg`, or wherever your syslog daemon sends `kern.*`); some syslog configurations discard debug-level kernel messages. Note also that LOGNDROP only drops what is sent to it: INPUT must end with a jump to the chain (`iptables -A INPUT -j LOGNDROP`). Without that rule, and with the INPUT policy left at ACCEPT, every packet the earlier rules did not match is still accepted.
Then save them:

```sh
iptables-save > /etc/iptables.rules
```
Then make sure the rules are restored before the interface comes up after a reboot, and saved again when it goes down. Edit /etc/network/interfaces so it looks similar to the snippet below (mainly the pre-up and post-down lines). `pre-up` runs before eth0 is brought up, so the filter is in place before the interface can receive traffic; `iptables-restore` replaces the whole ruleset, so it is safe to run repeatedly, unlike re-entering the `-A` commands. Be aware that `post-down` overwrites /etc/iptables.rules with whatever is loaded at that moment: if you flushed the rules while experimenting and then reboot, the flushed state is what gets saved.

```
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.1
dns-nameservers 1.2.3.4 10.20.30.40
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save -c > /etc/iptables.rules
```
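As an added example (not part of the original post), here is the same ruleset rendered in the format that iptables-save writes and iptables-restore reads, with the jump from INPUT to LOGNDROP included, plus a check that can be run before pointing `pre-up` at the file. The trusted host 192.168.0.2/32, the chain name and the log prefixes come from the post; `gen_rules`, `check_rules`, `syntax_check` and the /tmp/iptables.rules output path are names chosen for this example. Service names are written as port numbers, which is also how iptables-save emits them.

```sh
#!/bin/sh
# Added example: emit the post's ruleset in iptables-restore format and check
# it before installing it. Function names and the scratch path are assumptions
# made for this example; the addresses and chain name are from the post.

TRUSTED_HOST="192.168.0.2/32"   # the only host allowed to reach SMTP and MySQL

# Render the ruleset. INPUT, FORWARD and OUTPUT keep policy ACCEPT as in the
# post; the final "-A INPUT -j LOGNDROP" is what makes the drop effective.
gen_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGNDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -s $TRUSTED_HOST -j ACCEPT
-A INPUT -p tcp --dport 3306 -s $TRUSTED_HOST -j ACCEPT
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
EOF
}

# Static checks that need no root: INPUT must end in the jump to LOGNDROP,
# and LOGNDROP must end in DROP. This is the mistake that leaves a host wide
# open while the rules "look" complete.
check_rules() {
  rules=$(gen_rules)
  printf '%s\n' "$rules" | grep -q '^-A INPUT -j LOGNDROP$' || return 1
  last_input=$(printf '%s\n' "$rules" | grep '^-A INPUT' | tail -n 1)
  [ "$last_input" = "-A INPUT -j LOGNDROP" ] || return 1
  last_logndrop=$(printf '%s\n' "$rules" | grep '^-A LOGNDROP' | tail -n 1)
  [ "$last_logndrop" = "-A LOGNDROP -j DROP" ] || return 1
  return 0
}

# Parse-only check with the real tool (iptables-restore --test needs root and
# an iptables version that supports --test); skipped, not failed, otherwise.
syntax_check() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_rules | iptables-restore --test
  else
    echo "skipping iptables-restore --test (not root or tool missing)" >&2
  fi
}

# Write the file that pre-up will feed to iptables-restore, but only after the
# checks pass. Usage: RULES_FILE=/etc/iptables.rules sh thisscript.sh install
if [ "${1:-}" = "install" ]; then
  check_rules && syntax_check && gen_rules > "${RULES_FILE:-/tmp/iptables.rules}"
fi
```

Running the script with `install` writes the checked ruleset to `$RULES_FILE` (default /tmp/iptables.rules); copy it to /etc/iptables.rules once `iptables-restore --test` passes on the target host.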