A personal firewall is an application which controls a computer's network traffic, permitting or denying communications based on a security policy.
In this howto we will use iptables to build a basic personal firewall for your desktop computer. It should work on all versions of Debian, and on other distributions that ship iptables as well. iptables is a very powerful and flexible tool, so there are plenty of further options for both servers and desktop computers.
What these configurations will result in:
A firewall that protects against unwanted incoming (Internet and LAN) connection attempts.
It hides the computer from port scans by not responding to unsolicited network traffic.
What these configurations won't do:
Block outgoing connection attempts. This includes software that «phones home», or malware trying to connect to its owner. (But if you have malware, it will probably have root access and disable or open ports in your firewall anyway.)
Configuring iptables:
Iptables should be installed in Debian by default, so all we have to do is open the CLI and issue a few commands as root:
Allow all loopback traffic, but reject any traffic addressed to 127.0.0.0/8 that does not arrive on lo:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
Allow established sessions, and connections related to them, to receive traffic:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
All outbound connections are allowed as long as there are no rules stating otherwise.
This step is optional. If you want to log the connection attempts the firewall denies, add the following rule (it must sit before the DROP rule; the limit keeps the log from being flooded):
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Drop all other incoming network traffic:
# iptables -A INPUT -j DROP
Let us check if it looks right with the following command:
# iptables -L -v
The output should be like this:
root@debian:/home/hallvor# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  190 14906 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  !lo    any     anywhere             loopback/8           reject-with icmp-port-unreachable
 492K  728M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 3047  348K DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 229K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
Persistent settings
iptables does not remember its rules between boots, so we install the package iptables-persistent to save and restore them:
# apt-get install iptables-persistent
You will now see a configuration screen; answer yes to save the current rules. If you change any of the iptables rules later, run (as root)
# dpkg-reconfigure iptables-persistent
to save the new rules so they survive a reboot.
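Added example, not part of the original howto: the same rules as above, written as a shell script that emits them in iptables-restore format, which is the format iptables-persistent stores in /etc/iptables/rules.v4. Loading the whole set with iptables-restore replaces the filter table atomically, which also avoids the trap of appending a new rule with iptables -A after the final DROP rule, where it would never be reached. The function names (build_rules, count_rules, apply_rules) are my own. Note that iptables only governs IPv4; IPv6 needs the equivalent ip6tables rules, which iptables-persistent keeps in /etc/iptables/rules.v6.

```shell
#!/bin/sh
# Added example (not from the original post): emit the howto's ruleset in
# iptables-restore format, the same format iptables-persistent saves to
# /etc/iptables/rules.v4, so the whole set can be reviewed, diffed and
# loaded atomically instead of appending rules one at a time.

# Print the ruleset to stdout. Pass 1 to include the optional logging rule.
build_rules() {
    log_denied="${1:-0}"
    printf '%s\n' '*filter'
    # Chain policies stay ACCEPT, as in the howto; the last INPUT rule drops.
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback: allow lo, reject 127.0.0.0/8 traffic arriving on any other interface.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT'
    # Replies to connections this host opened, and related traffic.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Optional, rate-limited logging of what the next rule will drop.
    if [ "$log_denied" = 1 ]; then
        printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    fi
    # Everything else inbound is dropped silently (no response to scans).
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of rules (lines starting with -A) in the generated set.
count_rules() {
    build_rules "${1:-0}" | grep -c '^-A '
}

# Load the ruleset atomically. Needs root and iptables-restore on the system;
# run "iptables-restore --test" on the same input first to catch syntax errors.
apply_rules() {
    build_rules "${1:-0}" | iptables-restore
}

# Usage (as root), e.g. PRINT_RULES=1 LOG_DENIED=1 sh firewall.sh > /etc/iptables/rules.v4
# then: iptables-restore --test < /etc/iptables/rules.v4 && apply_rules 1
if [ "${PRINT_RULES:-0}" = 1 ]; then
    build_rules "${LOG_DENIED:-0}"
fi
```

Writing the generated file to /etc/iptables/rules.v4 gives the same result as saving through dpkg-reconfigure iptables-persistent, with the advantage that the file can be kept under version control and checked with iptables-restore --test before it is applied.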
All done!
Credits: Thanks to those who have helped me. You know who you are.
See also:
https://wiki.debian.org/DebianFirewall
http://pclinuxoshelp.com/index.php/Iptable_ruleset (Many examples on this page.)