Basic iptables setup (Ubuntu)

Accept anything arriving on the loopback interface (127.0.0.1):

iptables -A INPUT -i lo -j ACCEPT

Accept "related" ("packet is starting a new connection, but is associated with an existing connection") and "established" ("packet is associated with a connection which has seen packets in both directions") packets:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

SSH; replace the port (XXXXX) with 22 if you run sshd on the default port, which you perhaps should not do, as the script kiddies will not leave you alone. If you use a non-default port, do not forget to change it in /etc/ssh/sshd_config as well (the Port configuration directive), and make the two changes together: if the firewall rule and sshd disagree on the port, you will be locked out.

iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT

HTTP and HTTPS:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

NTP, because we're part of the NTP Pool Project:

iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

Log the packets that are about to be dropped, but not too much (the limit match caps it at 5 entries per minute, so a flood cannot fill the log):

iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables DROP: " --log-level 7

Do the actual dropping:

iptables -A INPUT -j DROP

To save the current rules when the network interface goes down (which includes shutdown), create the following file as /etc/network/if-post-down.d/iptables:

#!/bin/sh
iptables-save -c > /etc/iptables.rules
exit 0

To restore the rules before the interface comes up on boot, create the following file as /etc/network/if-pre-up.d/iptables:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

And make the two executable:

chmod +x /etc/network/if-post-down.d/iptables /etc/network/if-pre-up.d/iptables
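As an added example (my own script, not from the original post), here is the same ruleset as a single iptables-restore file, plus the check that avoids the lock-out described above: the script refuses to apply the rules when the port it opens for SSH differs from the Port directive in sshd_config. The function names, the port argument and the default sshd_config path are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: the post's rules as one
# iptables-restore file (loaded atomically), applied only after checking that
# the SSH port agrees with sshd_config. Names/arguments are assumptions;
# iptables is only touched when run as:  sh this.sh apply <port> [sshd_config]

# Print the ruleset in iptables-save format. $1 = SSH port.
# Policies stay ACCEPT as in the post; the final -j DROP does the dropping.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables DROP: " --log-level 7
-A INPUT -j DROP
COMMIT
EOF
}
# Print the Port directive from an sshd_config file ($1); sshd defaults to 22
# when the directive is absent. Commented-out lines (#Port) are ignored.
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Succeed only if the port the firewall will open ($1) is the one sshd
# listens on according to $2; otherwise applying the rules locks you out.
ssh_ports_agree() {
    [ "$1" = "$(sshd_port "$2")" ]
}

# Check, then load the whole filter table in one go with iptables-restore.
apply_ruleset() {
    ssh_ports_agree "$1" "$2" || {
        echo "refusing: sshd_config says Port $(sshd_port "$2"), rule opens $1" >&2
        return 1
    }
    build_ruleset "$1" | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset "$2" "${3:-/etc/ssh/sshd_config}"
fi
```

Because iptables-restore replaces the whole filter table, running this twice does not duplicate rules the way repeated iptables -A calls do.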
