A personal firewall is an application which controls a computer's network traffic, permitting or denying communications based on a security policy.
In this howto we will use iptables to build a basic personal firewall for a desktop computer. It should work on all versions of Debian, and on other distributions that ship iptables. Iptables is a very powerful and flexible tool, so there are many more options for servers and desktops than are shown here; what follows is a minimal ruleset for a machine that runs no public services.
What these configurations will result in:
A firewall that blocks unwanted incoming connection attempts, from the Internet and from the LAN alike.
It makes the computer harder to find with port scans: unsolicited packets are silently dropped instead of answered, so scanned ports show up as filtered rather than closed.
What these configurations won't do:
Block outgoing connection attempts. This includes software that «phones home» and malware trying to reach its operator. (Malware that has gained root can disable the firewall or open ports in it anyway.)
Filter IPv6 traffic. iptables handles only IPv4; a host with IPv6 connectivity needs a matching ruleset loaded with ip6tables, and that ruleset must allow ICMPv6, which IPv6 needs for neighbour discovery.
Configuring iptables:
Iptables is installed on Debian by default on older releases. On current releases the default packet-filter frontend is nftables and the iptables command may be absent; install it with apt-get install iptables (there it is a compatibility wrapper over nftables, and the commands below work unchanged). Open a terminal and issue the following commands as root:
Allow all loopback traffic, but reject traffic addressed to 127.0.0.0/8 that did not arrive on lo (such packets are spoofed or misrouted):
Code:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
Accept incoming packets that belong to a connection this computer initiated (ESTABLISHED) or that are related to one, such as FTP data connections or ICMP error messages (RELATED). This is what lets the replies to your own outgoing traffic in even though everything unsolicited is dropped further down:
Code:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(-m state is the older spelling of -m conntrack --ctstate; both work.)
This step is optional. To log the packets the firewall drops, add a LOG rule, rate-limited to 5 entries per minute so that a port scan cannot flood the log. It must be added before the DROP rule below: rules are matched in order, and a packet that hits DROP never reaches anything appended after it.
Code:
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
The entries go to the kernel log (dmesg or journalctl -k; /var/log/kern.log with rsyslog) with the prefix "iptables denied: ".
Drop all other incoming network traffic. Everything not matched above is unsolicited, so it is discarded and the sender gets no reply at all; this is what makes the machine look filtered to a scan. Note that this also drops incoming ping (ICMP echo requests):
Code:
# iptables -A INPUT -j DROP
Check the result:
Code:
# iptables -L -v
It should look like this (the packet counters will of course differ):
Code:
root@debian:/home/hallvor# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
190 14906 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- !lo any anywhere loopback/8 reject-with icmp-port-unreachable
492K 728M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3047 348K DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 229K packets, 14M bytes)
pkts bytes target prot opt in out source destination
Note that the INPUT chain's policy is still ACCEPT: the protection comes entirely from the final DROP rule, so if the rules are ever flushed (iptables -F) the computer is wide open again.
Persistent settings
Iptables does not remember its rules across reboots, so install the package iptables-persistent. During installation it offers to save the current IPv4 and IPv6 rules (to /etc/iptables/rules.v4 and /etc/iptables/rules.v6) and it restores them at every boot:
Code:
# apt-get install iptables-persistent
If you change the rules later, save them again with:
Code:
# dpkg-reconfigure iptables-persistent
(or, equivalently, iptables-save > /etc/iptables/rules.v4 as root.)
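The whole procedure above, collected into one script, as an added example that is not part of the original howto. It builds the same INPUT ruleset but flushes the chain first so that re-running it never duplicates rules, keeps the LOG rule in front of the final DROP (with -A, insertion order is match order), and adds the IPv6 counterpart, which additionally has to let ICMPv6 through because neighbour discovery is not covered by the ESTABLISHED,RELATED rule. The script name fw.sh, the print/apply/save subcommands and the LOG_PREFIX variable are my own; it assumes the iptables and ip6tables binaries with the conntrack and limit matches are installed, and that iptables-persistent reads /etc/iptables/rules.v4 and rules.v6.

```shell
#!/bin/sh
# Added example, not part of the original howto: the personal-firewall
# ruleset as a script that can be re-run safely. Assumed: iptables/ip6tables
# with the conntrack and limit matches are available (the Debian iptables
# package), and iptables-persistent restores /etc/iptables/rules.v[46].
set -eu

LOG_PREFIX="${LOG_PREFIX:-iptables denied: }"

# Print the INPUT-chain commands for one address family (4 or 6), one per
# line. Printing rather than executing makes the ruleset reviewable
# (sh fw.sh print) and testable without root; apply pipes it into sh.
ruleset() {
    family="$1"
    case "$family" in
        4) tool=iptables;  loop=127.0.0.0/8 ;;
        6) tool=ip6tables; loop=::1/128 ;;
        *) echo "ruleset: family must be 4 or 6" >&2; return 1 ;;
    esac
    # Start from an empty chain so a second run does not append duplicates.
    echo "$tool -F INPUT"
    # Loopback: accept everything on lo, reject loopback addresses elsewhere.
    echo "$tool -A INPUT -i lo -j ACCEPT"
    echo "$tool -A INPUT ! -i lo -d $loop -j REJECT"
    # Replies to our own connections, plus related traffic such as ICMP errors.
    echo "$tool -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$family" = 6 ]; then
        # Without ICMPv6 the host can neither resolve neighbours nor find a router.
        echo "$tool -A INPUT -p ipv6-icmp -j ACCEPT"
    fi
    # Rate-limited log of what is about to be dropped; must come before DROP.
    echo "$tool -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"$LOG_PREFIX\" --log-level 7"
    echo "$tool -A INPUT -j DROP"
}

# Load both rulesets into the kernel (needs root).
apply() {
    ruleset 4 | sh -e
    ruleset 6 | sh -e
}

# Write the running rules where iptables-persistent restores them from at boot.
save() {
    iptables-save  > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
}

case "${1:-print}" in
    print) ruleset 4; ruleset 6 ;;
    apply) apply ;;
    save)  save ;;
    *) echo "usage: $0 print|apply|save" >&2; exit 2 ;;
esac
```

Run sh fw.sh print to review the commands it would issue, then, as root, sh fw.sh apply followed by sh fw.sh save. Because the script flushes INPUT before rebuilding it and the chain policy stays ACCEPT, there is a brief window during apply in which the host is unfiltered; on a desktop that is acceptable, on a server you would set the policy to DROP first. The script spells the connection-tracking rule as -m conntrack --ctstate, the current form of the -m state rule used above.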
All done!
Credits: Thanks to those who have helped me. You know who you are.
See also:
https://wiki.debian.org/DebianFirewall
http://pclinuxoshelp.com/index.php/Iptable_ruleset (Many examples on this page.)