[Resolved] Iptables rules

Hélène
Posts: 45
Joined: 2016-10-06 10:48
Has thanked: 2 times

[Resolved] Iptables rules

#1 Post by Hélène »

Hi,

I need help for my iptables rules.

1) Do I need these rules if my laptop is not acting as a router?

#flood

Code:

sudo iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
sudo iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
sudo iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

#port scan

Code:

sudo iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT


2) What exactly is the point of these rules? All this is unclear to me.
My laptop is not acting as a router or a server. So do I need these rules?

# Multicast

Code:

sudo iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT

# Samba Traffic

Code:

sudo iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

# Broadcast

Code:

sudo iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

Thanks in advance :D
Last edited by Hélène on 2018-05-23 16:09, edited 1 time in total.

arzgi
Posts: 1194
Joined: 2008-02-21 17:03
Location: Finland
Been thanked: 31 times

Re: Iptables rules

#2 Post by arzgi »

Quite few of us use iptables directly nowadays. There are many programs that are easier to understand.

Recently I took part in one thread where we talked about these programs. Just now I can't remember what others said, but I use arno-iptables-firewall at the moment.

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Iptables rules

#3 Post by Bulkley »

Hélène wrote: Do I need these rules if my laptop is not acting as a router?
It all depends upon where and how you connect to incoming data. If you always connect to the Internet through a router, you can set the router's firewall and ignore an onboard one. However, if your laptop travels it is probably a good idea to have, at least, a minimal firewall.

A minimal IPtables can be as simple as this:

Code:

# Generated by iptables-save v1.6.0 on Tue Dec 13 14:58:21 2016
*filter
:INPUT DROP [34:1572]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [821:74068]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

It seems to me that you could do without all of those lines you list. However, I caution against simply erasing them. Make a backup copy of your firewall and then experiment.

Hallvor
Global Moderator
Posts: 2042
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 149 times
Been thanked: 212 times

Re: Iptables rules

#4 Post by Hallvor »

If you want a very basic configuration:
http://forums.debian.net/viewtopic.php? ... 14#p553775

You don't need a firewall on your computer if you already have a firewall on your router. On a public wifi, it adds an extra layer of security.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Iptables rules

#5 Post by p.H »

Hélène wrote: 1) Do I need these rules if my laptop is not acting as a router?

On a system not acting as an IPv4 router (net.ipv4.ip_forward=0) or an ethernet bridge with bridge-nf enabled, no packets will ever flow through the FORWARD chain, so these rules are useless.

Note however that even if your system acts as an IPv4 router or an ethernet bridge with bridge-nf enabled, it does not imply that you need these rules.

Hélène wrote: sudo iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT

This rule accepts incoming packets with a multicast destination address. It's up to you to know whether you use multicast.

Hélène wrote: sudo iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

This rule marks NetBIOS Name Service outgoing packets to be inspected by the netbios-ns conntrack helper so that incoming reply packets can be identified. Otherwise the standard connection tracking would not work because request packets are sent as broadcast. This requires that the nf_conntrack_netbios_ns module is loaded.

Hélène wrote: sudo iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

This rule drops incoming packets with a broadcast destination address. It's up to you to know whether you use such packets.
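An added example, not posted by anyone in this thread, that ties post #3 and post #5 together: it checks the two sysctl conditions under which packets can reach the FORWARD chain at all, and emits the minimal default-deny INPUT ruleset from post #3 in iptables-restore format (using the `conntrack` match, the current spelling of `-m state`). The PROC_ROOT variable is an assumption of this script so the checks can be exercised against constructed /proc files rather than the live kernel.

```shell
#!/bin/sh
# PROC_ROOT (assumption for this example): prefix for /proc, empty = real /proc.
PROC_ROOT="${PROC_ROOT:-}"

read_sysctl() {
    # Print the value of a /proc/sys knob; treat a missing knob as 0 (off).
    f="$PROC_ROOT/proc/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

forward_chain_used() {
    # True (0) only if packets can traverse FORWARD: IPv4 forwarding is on,
    # or bridge-nf hooks bridged frames into iptables. Otherwise FORWARD
    # rules can never match, which is p.H's point in post #5.
    [ "$(read_sysctl net/ipv4/ip_forward)" = "1" ] && return 0
    [ "$(read_sysctl net/bridge/bridge-nf-call-iptables)" = "1" ] && return 0
    return 1
}

minimal_ruleset() {
    # iptables-restore text: drop unsolicited INPUT and all FORWARD traffic,
    # allow loopback and replies to connections this host opened. Pass "yes"
    # to also keep the multicast ACCEPT rule from the original post.
    accept_multicast="${1:-no}"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    if [ "$accept_multicast" = "yes" ]; then
        printf '%s\n' '-A INPUT -m pkttype --pkt-type multicast -j ACCEPT'
    fi
    printf '%s\n' 'COMMIT'
}

main() {
    if forward_chain_used; then
        echo "FORWARD chain is reachable: forwarding/bridge rules may apply"
    else
        echo "FORWARD chain is unreachable: rules in it never match"
    fi
    # Parse-only check that leaves the live tables untouched (needs root).
    if command -v iptables-restore >/dev/null 2>&1; then
        minimal_ruleset "$1" | iptables-restore --test 2>/dev/null \
            && echo "ruleset parses" || echo "parse check skipped (not root?)"
    fi
    minimal_ruleset "$1"
}

main "${1:-no}"
```

Load the printed ruleset with `iptables-restore` only after backing up the current one with `iptables-save`, as post #3 advises.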

Hélène
Posts: 45
Joined: 2016-10-06 10:48
Has thanked: 2 times

Re: Iptables rules

#6 Post by Hélène »

Hi everyone,

Thank you VERY MUCH to all of you for helping me. :D

Bye Bye
