Update: Following some feedback this has been changed to use the state and multiport modules - making it shorter and simpler!
Update 2: Added more rules to allow outbound ftp connections.
Now while people running Linux dial-up machines are fairly invulnerable to attacks across the internet (script kiddies attack Windows machines after all), it is still good practice to have a firewall. (Unlike on a Windows box, where it is essential.)
This is a very basic firewall to run on a machine, like a laptop, that connects to the internet using a modem and PPP.
It is very restrictive, turning off everything and then allowing communications only for the services we need. In particular, as the machine is not going to be used as a server of any kind, no external connections to our locally running services are allowed.
Here's the code, which uses iptables and is suitable for Linux kernels 2.4 and above.
```bash
#!/bin/bash
## Delete any existing rules
iptables -F    # deletes existing rules
iptables -X    # deletes user defined chains
## Set policy to drop everything if we don't provide for something else
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#### Allow connections to and from localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## set variables for ppp
EXTERNAL=ppp0
## variable containing allowed outward bound ports
## We want to connect to web, ssh, mail, pop3, whois, finger and https
ALLOWEDTCP=80,22,25,110,43,79,443
### Allow incoming packets from connections that we initiated
iptables -A INPUT -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
### Now, allow ourselves to initiate some connections
### Allow us to look up DNS
iptables -A OUTPUT -o $EXTERNAL -p udp --dport 53 -j ACCEPT
## Allow a bunch of outbound tcp connections - so we can surf the web
## collect our mail etc
iptables -A OUTPUT -o $EXTERNAL -p tcp -m multiport --dports $ALLOWEDTCP -j ACCEPT
## Allow ourselves to send ping requests (although we don't respond to
## incoming ping requests - we're very anti-social :) )
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
## FTP: a couple of rules to allow ftp
modprobe ip_conntrack_ftp
iptables -A OUTPUT -p tcp -o $EXTERNAL --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i $EXTERNAL --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTERNAL --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i $EXTERNAL --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTERNAL --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
```
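As an added example (not part of the original post), here is a small audit that checks an `iptables-save` dump for the properties the script above is meant to give: a DROP policy on all three chains, and no INPUT rule accepting anything on a non-loopback interface except replies to connections we initiated. The sample dump is constructed to mirror the script's rules rather than captured from a real machine.

```python
# Constructed iptables-save style dump modelled on the post's script (not a real capture).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return (policies, rules): chain -> policy, and each rule as a token list."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith('*'):
            in_filter = (line == '*filter')   # only the filter table matters here
        elif not in_filter or line == 'COMMIT':
            continue
        elif line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith('-A '):
            rules.append(line.split())
    return policies, rules

def audit(dump):
    """Check the dump is as restrictive as the script intends: DROP policies on all
    three chains, and no INPUT accept except loopback and replies (ESTABLISHED/RELATED).
    Returns a list of findings; an empty list means the dump passes."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ('INPUT', 'OUTPUT', 'FORWARD'):
        if policies.get(chain) != 'DROP':
            findings.append(f'{chain} policy is {policies.get(chain)}, expected DROP')
    for tokens in rules:
        if tokens[1] != 'INPUT' or 'ACCEPT' not in tokens:
            continue
        if '-i' in tokens and tokens[tokens.index('-i') + 1] == 'lo':
            continue  # localhost traffic is meant to be allowed
        states = set(tokens[tokens.index('--state') + 1].split(',')) if '--state' in tokens else set()
        # An accept on a non-loopback interface not limited to reply traffic
        # would expose a locally running service to the internet.
        if not states or states - {'ESTABLISHED', 'RELATED'}:
            findings.append('inbound accept not limited to replies: ' + ' '.join(tokens))
    return findings
```

On a live machine, feed it the output of `iptables-save` (run as root) instead of the constructed sample; the rule tokens are compared as text, so a rule written with `-m conntrack --ctstate` would need the same treatment added for `--ctstate`.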