[clug] iptables on R Pi

Logan Ryan McLintock u4955237 at anu.edu.au
Tue Aug 6 05:19:00 MDT 2013


Hello fellow CLUG genii,

I am a newbie, and I would like to find a good way to set the iptables (firewall) for a Debian (Raspbian) Raspberry Pi. I am using the latest release.

I have managed to 'drop' everything by changing the rc.local file, but I was wondering two things:
1) Is there a better file to put the commands in, or is rc.local 'correct'?
2) What is a better configuration (besides dropping it like it's hot) for a standard R Pi 'desktop using ether Internet' - not a server?

What I have done is shown below -- Sorry for the pile of commands, I just thought it would make more sense.

PS. I searched the Internet, but it quickly gets confusing as there are lots of different distros and servers etc.

Thank you lots,

C u on Thursday

Logan -) cyclops

%%%%%%%%%%%%% my commands %%%%%%%%%%%%%%%%

root@raspberrypi:/home/pi# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source   destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source   destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source   destination
root@raspberrypi:/home/pi#
root@raspberrypi:/home/pi# iptables -P INPUT DROP
root@raspberrypi:/home/pi# iptables -P FORWARD DROP
root@raspberrypi:/home/pi# iptables -P OUTPUT DROP
root@raspberrypi:/home/pi#
root@raspberrypi:/home/pi# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
root@raspberrypi:/home/pi#
root@raspberrypi:/home/pi# cd /etc

root@raspberrypi:/etc# iptables-save > /etc/iptables.conf
root@raspberrypi:/etc# cat iptables.conf
# Generated by iptables-save v1.4.14 on Fri Jul 26 14:17:19 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Fri Jul 26 14:17:19 2013
root@raspberrypi:/etc#
root@raspberrypi:/etc#
root@raspberrypi:/etc# cat rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
exit 0
root@raspberrypi:/etc#
root@raspberrypi:/etc#
root@raspberrypi:/etc# leafpad /etc/rc.local
root@raspberrypi:/etc#
root@raspberrypi:/etc# cat rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# Load iptables rules from this file
iptables-restore < /etc/iptables.conf
# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
exit 0
root@raspberrypi:/etc#
root@raspberrypi:/etc# reboot
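
An added example, not part of the original post: a POSIX shell script that checks an iptables-save file for the lock-out produced by the all-DROP /etc/iptables.conf shown above (no loopback, no replies, nothing outbound) and writes a stateful desktop ruleset instead. The function names and the chosen rules are assumptions made for illustration; only the path /etc/iptables.conf comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Write a stateful desktop ruleset in iptables-restore format to file $1:
# unsolicited inbound is dropped, loopback and replies are accepted,
# and the machine itself may open outbound connections.
write_desktop_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Return 0 only if the ruleset in file $1 leaves the machine usable.
# Prints one line per problem found.
check_rules() {
    f=$1; rc=0
    grep -Eq '^-A INPUT .*-i lo .*-j ACCEPT' "$f" ||
        { echo "no loopback accept on INPUT"; rc=1; }
    grep -Eq '^-A INPUT .*(--ctstate|--state) [A-Z,]*ESTABLISHED.*-j ACCEPT' "$f" ||
        { echo "replies to outbound traffic are dropped"; rc=1; }
    if grep -q '^:OUTPUT DROP' "$f" && ! grep -q '^-A OUTPUT .*-j ACCEPT' "$f"; then
        echo "OUTPUT policy DROP with no ACCEPT rule: nothing can leave"; rc=1
    fi
    return $rc
}

# Parse-check with --test before committing, so a typo cannot leave a
# half-loaded firewall. Needs root and iptables, so it is not run by default.
apply_rules() {
    check_rules "$1" && iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Only touches the system when called as: sh thisfile.sh apply
if [ "${1:-}" = "apply" ]; then
    write_desktop_rules /etc/iptables.conf && apply_rules /etc/iptables.conf
fi
```

On Debian, a script in /etc/network/if-pre-up.d/ that runs iptables-restore loads the rules before the interface comes up, whereas rc.local runs at the end of boot.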



