Thursday, May 14, 2009

Iptables Rules for Your Desktop and Server

Iptables is a firewall. Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. To better understand how a packet traverses the kernel Xtables tables/chains, I think the following diagram is useful:
http://jengelh.medozas.de/images/nf-packet-flow.png

Mastering Iptables can take a while, and it can be confusing. The good thing about Iptables is that a few rules covering basic security needs already leave your Linux system well protected. This article shows the basic rules for your Desktop and Server. You can put these rules into your own script or into your /etc/rc.local file, but don't forget to log in as root first.

SYNOPSIS

iptables [-t table] -[AD] chain rule-specification [options]
iptables [-t table] -I chain [rulenum] rule-specification [options]
iptables [-t table] -R chain rulenum rule-specification [options]
iptables [-t table] -D chain rulenum [options]
iptables [-t table] -[LFZ] [chain] [options]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target [options]
iptables [-t table] -E old-chain-name new-chain-name


Iptables rules for Desktop only
1. Filtering incoming packets

iptables -A INPUT -p tcp --syn -j DROP

This rule blocks all incoming TCP connection attempts (packets with only the SYN flag set); all outgoing traffic is still allowed.


Iptables rules for Server only

1. Filtering ssh connection


iptables -A INPUT -p tcp --syn --dport 22 -s YOUR_IPADDRESS -j ACCEPT

YOUR_IPADDRESS is the actual address, for example 192.168.1.70.
This rule only allows remote ssh (secure shell) connections on port 22 when they come from YOUR_IPADDRESS.


2. Tracking connection

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

When a user initiates a connection, the first packet the computer sends is marked as NEW by connection tracking in the PREROUTING chain. When the user receives a return packet, the state changes to ESTABLISHED in the PREROUTING chain.

ESTABLISHED means "packets that belong to an existing connection". RELATED means "packets that don't belong to an existing connection, but are related to one" (for example an ICMP error or an FTP data connection). The Iptables state machine uses the kernel-level "conntrack" module to track connections, so Iptables knows which packets belong to allowed connections and which don't. It also reduces the administrator's work, because return traffic does not need its own rules.

3. Logging Dropped Packets

iptables -N log-drop-packet
iptables -A log-drop-packet -j LOG
iptables -A log-drop-packet -j DROP

Any packet sent to the log-drop-packet chain is written to the kernel log and then dropped. Packets reach this chain only through a rule elsewhere that jumps to it, for example as the last rule of the INPUT chain.
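To make the log output usable, here is an added example (not part of the original post) that summarises the kernel-log lines the LOG target writes: hits per source address and the number of distinct destination ports each source touched, which is the usual shape of a port scan. The log lines are constructed samples; the "log-drop: " prefix is an assumed --log-prefix.

```shell
#!/bin/sh
# Summarise netfilter LOG lines (e.g. from /var/log/kern.log): hits per source
# address and how many distinct destination ports each source touched.

# Constructed sample lines in the LOG target's format (not real traffic).
SAMPLE_LOG='Mar 14 10:00:01 srv kernel: log-drop: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar 14 10:00:01 srv kernel: log-drop: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Mar 14 10:00:02 srv kernel: log-drop: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=40003 DPT=80 SYN URGP=0
Mar 14 10:00:02 srv kernel: log-drop: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=40004 DPT=443 SYN URGP=0
Mar 14 10:00:03 srv kernel: log-drop: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=40005 DPT=3389 SYN URGP=0
Mar 14 10:00:05 srv kernel: log-drop: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar 14 10:00:06 srv kernel: log-drop: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Mar 14 10:00:07 srv kernel: log-drop: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.70 LEN=60 PROTO=TCP SPT=51002 DPT=22 SYN URGP=0
Mar 14 10:00:08 srv sshd[123]: Accepted publickey for admin from 192.168.1.70 port 50000 ssh2'

# stdin: log lines -> stdout: "<hits> <src> <distinct_ports>", busiest source first
summarize_drops() {
  awk '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "") next                      # not a netfilter LOG line, skip it
      hits[src]++
      if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; nports[src]++ }
    }
    END { for (s in hits) printf "%d %s %d\n", hits[s], s, nports[s] + 0 }
  ' | sort -rn
}

# stdin: log lines -> stdout: sources that probed at least $1 distinct ports (default 10)
scan_suspects() {
  summarize_drops | awk -v min="${1:-10}" '$3 >= min { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 4
```

On a real host, replace the sample with `grep 'log-drop:' /var/log/kern.log | summarize_drops`.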

4. NAT

iptables -t nat -A PREROUTING -i YOUR_WLAN_INTERFACE -p tcp --dport YOUR_PORT -j DNAT --to-destination YOUR_DESTINATION_IPADDRESS

This rule makes Network Address Translation (NAT) forward packets that arrive from external sources on a specific port to another host.
YOUR_WLAN_INTERFACE = your wlan interface card, for example wlan0
YOUR_PORT = the destination port, for example 80
YOUR_DESTINATION_IPADDRESS = the target IP address, for example 172.168.1.70

5. Load Balancing
I will use an example to set up load balancing with Iptables. The following rules make Iptables spread new connections arriving on interface eth0, port 80, across five servers.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 5 --packet 0 -j DNAT --to-destination 192.168.1.10:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 5 --packet 1 -j DNAT --to-destination 192.168.1.20:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 5 --packet 2 -j DNAT --to-destination 192.168.1.30:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 5 --packet 3 -j DNAT --to-destination 192.168.1.40:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 5 --packet 4 -j DNAT --to-destination 192.168.1.50:80

Of every five new connections, packet 0 is routed to 192.168.1.10, packet 1 to 192.168.1.20, packet 2 to 192.168.1.30, packet 3 to 192.168.1.40 and packet 4 to 192.168.1.50. The heart of these rules is the nth match extension, which tells Iptables to act on every "nth" packet; DNAT is only valid in the nat table, hence the -t nat.
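The nth match above came from patch-o-matic and shared one counter (--counter 0) across all five rules. The following added example (not from the post) generates the same round robin for any list of backends using the in-tree statistic match instead; because statistic keeps a separate counter per rule, rule i must take the first of every (N - i) packets that reach it, and the last backend takes whatever remains. The interface, port and backend addresses are the post's sample values.

```shell
#!/bin/sh
# Generate round-robin DNAT rules for N backends with the in-tree "statistic"
# match.  Unlike the post's "nth" match, statistic counts per rule, so rule i
# fires on the first of every (N - i) packets that reach it; the last backend
# needs no match at all.  Each backend then receives 1/N of new connections.
gen_nth_dnat() {
  iface=$1; port=$2; shift 2              # remaining args: backend addresses
  total=$#; i=0
  for backend in "$@"; do
    remaining=$((total - i))
    rule="iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -m state --state NEW"
    if [ "$remaining" -gt 1 ]; then       # last backend: plain catch-all DNAT
      rule="$rule -m statistic --mode nth --every $remaining --packet 0"
    fi
    printf '%s -j DNAT --to-destination %s:%s\n' "$rule" "$backend" "$port"
    i=$((i + 1))
  done
}

# Same five backends as the post; pipe the output to sh as root to load it.
gen_nth_dnat eth0 80 192.168.1.10 192.168.1.20 192.168.1.30 192.168.1.40 192.168.1.50
```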

Iptables rules for Desktop and Server
1. Drop packet from malicious address

iptables -A INPUT -p tcp -m tcp -s MALICIOUS_ADDRESS -j DROP

This iptables rule drops all TCP packets from MALICIOUS_ADDRESS.
MALICIOUS_ADDRESS = the attacker's IP address, for example 192.168.1.60

2. NO Syn Flood Attack

iptables -N syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A syn-flood -p tcp --syn -j DROP

These rules protect your computer against SYN flood attacks. The idea is to limit how many new connection attempts (SYN packets) are accepted per second (one per second, with a burst of four) and to drop the rest.

3. NO Port Scan

iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP

A port scan is the first step an attacker takes to find the open ports that will later be used to attack your computer. These rules give basic port scan protection: packets with only the RST flag set are let through at one per second, and anything above that rate is dropped.

4. NO Ping of Death

iptables -N death-ping
iptables -A death-ping -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

An attacker can use ICMP packets to flood your computer. This rule limits accepted ICMP echo requests (pings) to one per second and so protects your Linux computer.

