[Resolved] Iptables rules

Postby Hélène » 2018-05-22 15:04

Hi,

I need help with my iptables rules.

1) Do I need these rules if my laptop is not acting as a router?

#flood
sudo iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
sudo iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
sudo iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT


#port scan
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT




2) What exactly is the point of these rules? All this is unclear to me.
My laptop is not acting as a router or a server, so do I need these rules?

# Multicast
sudo iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT

 
# Samba Traffic
sudo iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

 
# Broadcast
sudo iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP



Thanks in advance :D
Last edited by Hélène on 2018-05-23 16:09, edited 1 time in total.
Hélène
 
Posts: 35
Joined: 2016-10-06 10:48

Re: Iptables rules

Postby arzgi » 2018-05-22 15:30

Quite few of us use iptables directly nowadays. There are many programs that are easier to understand.

Recently I took part in one thread where we talked about these programs. Just now I can't remember what the others said, but I use arno-iptables-firewall at the moment.
arzgi
 
Posts: 387
Joined: 2008-02-21 17:03
Location: Finland

Re: Iptables rules

Postby Bulkley » 2018-05-22 15:53

Hélène wrote:Do I need these rules if my laptop is not acting as a router?

It all depends upon where and how you connect to incoming data. If you always connect to the Internet through a router, you can set the router's firewall and ignore an onboard one. However, if your laptop travels it is probably a good idea to have, at least, a minimal firewall.

A minimal iptables can be as simple as this:
# Generated by iptables-save v1.6.0 on Tue Dec 13 14:58:21 2016
*filter
:INPUT DROP [34:1572]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [821:74068]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT


It seems to me that you could do without all of those lines you list. However, I caution against simply erasing them. Make a backup copy of your firewall and then experiment.
Bulkley
 
Posts: 5633
Joined: 2006-02-11 18:35

Re: Iptables rules

Postby Hallvor » 2018-05-22 16:44

If you want a very basic configuration:
viewtopic.php?f=16&t=117514#p553775

You don't need a firewall on your computer if you already have a firewall on your router. On a public wifi, it adds an extra layer of security.
Hallvor
 
Posts: 843
Joined: 2009-04-16 18:35
Location: Norway

Re: Iptables rules

Postby p.H » 2018-05-22 18:35

Hélène wrote:1) Do I need these rules if my laptop is not acting as a router ?

On a system not acting as an IPv4 router (net.ipv4.ip_forward=0) or an ethernet bridge with bridge-nf enabled, no packets will ever flow through the FORWARD chain, so these rules are useless.

Note however that even if your system acts as an IPv4 router or an ethernet bridge with bridge-nf enabled, it does not imply that you need these rules.

Hélène wrote:sudo iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT

This rule accepts incoming packets with a multicast destination address. It's up to you to know whether you use multicast.

Hélène wrote:sudo iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

This rule marks Netbios Name Service outgoing packets to be inspected by the netbios-ns conntrack helper so that incoming reply packets can be identified. Otherwise the standard connection tracking would not work because request packets are sent as broadcast. This requires that the nf_conntrack_netbios_ns module is loaded.

Hélène wrote:sudo iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

This rule drops incoming packets with a broadcast destination address. It's up to you to know whether you use such packets.
p.H
 
Posts: 602
Joined: 2017-09-17 07:12
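
As an added illustration of the points p.H makes (example code, not from the thread or from any of the posters), here is a small Python checker that parses rules in either iptables-save form or `sudo iptables ...` command form and reports FORWARD rules that can never match while net.ipv4.ip_forward=0, `-j CT --helper` rules whose nf_conntrack module is not loaded, and the stray non-ASCII dash that appears in the port-scan rule of the first post. The embedded rule text is constructed for the example, and the `nf_conntrack_<helper>` module naming is an assumption that holds for the in-tree helpers; on a live system you would feed it the output of `iptables-save`, the value of /proc/sys/net/ipv4/ip_forward and the module names from `lsmod`.

```python
import shlex

# Constructed sample: the thread's iptables-save dump plus two command-line rules
# (the last one carries the en-dash typo from the original post, "–-limit").
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -j DROP
COMMIT
sudo iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \u2013-limit 1/s -j ACCEPT
"""


def parse_rules(text):
    """Yield (table, chain, argv) for each -A rule, in save or command form."""
    table = "filter"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue                      # comments, chain policies, COMMIT
        if line.startswith("*"):          # iptables-save table header
            table = line[1:]
            continue
        argv = shlex.split(line)
        while argv and argv[0] in ("sudo", "iptables"):
            argv.pop(0)
        rule_table = table
        if "-t" in argv:                  # per-command table override
            i = argv.index("-t")
            rule_table, argv = argv[i + 1], argv[:i] + argv[i + 2:]
        if len(argv) > 2 and argv[0] == "-A":
            yield rule_table, argv[1], argv[2:]

def audit(text, ip_forward, loaded_modules):
    """Return human-readable findings for inert rules and unmet requirements."""
    findings = []
    for table, chain, argv in parse_rules(text):
        rule = " ".join(argv)
        if chain == "FORWARD" and not ip_forward:
            findings.append(f"inert (ip_forward=0, FORWARD never traversed): {rule}")
        if "CT" in argv and "--helper" in argv:
            # Assumption: in-tree helpers follow the nf_conntrack_<helper> module naming.
            module = "nf_conntrack_" + argv[argv.index("--helper") + 1].replace("-", "_")
            if module not in loaded_modules:
                findings.append(f"needs module {module} loaded: {table}/{chain} {rule}")
        if any(ord(c) > 127 for c in rule):
            findings.append(f"non-ASCII character (pasted dash?) in: {rule}")
    return findings
```

With ip_forward=0 and only nf_conntrack loaded, the sample yields two inert FORWARD rules, one missing-module finding for the netbios-ns helper, and one non-ASCII warning.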

Re: Iptables rules

Postby Hélène » 2018-05-23 16:08

Hi everyone,

Thank you VERY MUCH to all of you for helping me. :D

Bye Bye
Hélène
 
Posts: 35
Joined: 2016-10-06 10:48
