[clug] iptables on R Pi

jm jeffm at ghostgun.com
Tue Aug 6 05:56:37 MDT 2013


 From memory there's a package called iptables-persistent or something 
similar that you can install to give you a consistent way to do this.

Jeff.

Logan Ryan McLintock wrote:
> Hello fellow CLUG genii,
>
> I am a newbie, and I would like to find a good way to set the iptables (firewall) for a Debian (Raspbian) Raspberry Pi. I am using the latest release.
>
> I have managed to 'drop' everything by changing the rc.local file, but I was wondering two things:
> 1) is there a better file to put the commands in, or is rc.local 'correct'?
> 2) what is a better configuration (besides dropping it like it's hot) for a standard R Pi 'desktop using ether Internet' - not a server?
>
> What I have done is shown below -- Sorry for the pile of commands, I just thought it would make more sense.
>
> PS. I searched the Internet, but it quickly gets confusing as there are lots of different distros and servers etc.
>
> Thank you lots,
>
> C u on Thursday
>
> Logan -) cyclops
>
> %%%%%%%%%%%%% my commands %%%%%%%%%%%%%%%%
>
> root@raspberrypi:/home/pi# iptables -L -n -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source   destination
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source   destination
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source   destination
> root@raspberrypi:/home/pi#
> root@raspberrypi:/home/pi# iptables -P INPUT DROP
> root@raspberrypi:/home/pi# iptables -P FORWARD DROP
> root@raspberrypi:/home/pi# iptables -P OUTPUT DROP
> root@raspberrypi:/home/pi#
> root@raspberrypi:/home/pi# iptables -L -n -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> root@raspberrypi:/home/pi#
> root@raspberrypi:/home/pi# cd /etc
>
> root@raspberrypi:/etc# iptables-save > /etc/iptables.conf
> root@raspberrypi:/etc# cat iptables.conf
> # Generated by iptables-save v1.4.14 on Fri Jul 26 14:17:19 2013
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> COMMIT
> # Completed on Fri Jul 26 14:17:19 2013
> root@raspberrypi:/etc#
> root@raspberrypi:/etc#
> root@raspberrypi:/etc# cat rc.local
> #!/bin/sh -e
> #
> # rc.local
> #
> # This script is executed at the end of each multiuser runlevel.
> # Make sure that the script will "exit 0" on success or any other
> # value on error.
> #
> # In order to enable or disable this script just change the execution
> # bits.
> #
> # By default this script does nothing.
> # Print the IP address
> _IP=$(hostname -I) || true
> if [ "$_IP" ]; then
>   printf "My IP address is %s\n" "$_IP"
> fi
> exit 0
> root@raspberrypi:/etc#
> root@raspberrypi:/etc#
> root@raspberrypi:/etc# leafpad /etc/rc.local
> root@raspberrypi:/etc#
> root@raspberrypi:/etc# cat rc.local
> #!/bin/sh -e
> #
> # rc.local
> #
> # This script is executed at the end of each multiuser runlevel.
> # Make sure that the script will "exit 0" on success or any other
> # value on error.
> #
> # In order to enable or disable this script just change the execution
> # bits.
> #
> # Load iptables rules from this file
> iptables-restore < /etc/iptables.conf
> # Print the IP address
> _IP=$(hostname -I) || true
> if [ "$_IP" ]; then
>   printf "My IP address is %s\n" "$_IP"
> fi
> exit 0
> root@raspberrypi:/etc#
> root@raspberrypi:/etc# reboot
>
>
>   
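
Added example, not part of the original thread: a shell sketch that reads an iptables-save file and lists the chains that can never pass a packet (policy DROP with no ACCEPT rule). It is run against the all-DROP ruleset quoted above and against a constructed desktop ruleset that lets loopback and reply traffic in and leaves outbound traffic open. The function names and the desktop ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and the desktop ruleset are constructed.

# Write a constructed desktop ruleset (iptables-save format) to the file in $1.
write_desktop_rules() {
cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print, sorted, every chain whose policy is DROP and which has no
# "-j ACCEPT" rule: nothing can ever traverse such a chain.
dead_chains() {
    awk '
        /^:/   { policy[substr($1, 2)] = $2 }
        /^-A / { for (i = 3; i < NF; i++)
                     if ($i == "-j" && $(i + 1) == "ACCEPT") ok[$2] = 1 }
        END    { for (c in policy)
                     if (policy[c] == "DROP" && !(c in ok)) print c }
    ' "$1" | sort
}

tmp=$(mktemp -d)

# The ruleset saved to /etc/iptables.conf in the quoted message.
printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
    ':OUTPUT DROP [0:0]' 'COMMIT' > "$tmp/thread.conf"
write_desktop_rules "$tmp/desktop.rules"

# All three chains are dead in the thread's ruleset, so the Pi can neither
# send nor receive anything, loopback included. In the desktop ruleset only
# FORWARD is dead, which is intended for a machine that does not route.
echo "thread ruleset:  $(dead_chains "$tmp/thread.conf" | tr '\n' ' ')"
echo "desktop ruleset: $(dead_chains "$tmp/desktop.rules" | tr '\n' ' ')"
```

With Debian's iptables-persistent package the ruleset loaded at boot is /etc/iptables/rules.v4, and `iptables-restore --test < file` parses a file without applying it.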

