[clug] iptables on R Pi

Alex Satrapa grail at goldweb.com.au
Tue Aug 6 16:15:37 MDT 2013


When it comes to building iptables firewalls, you might want to look at two "firewall building" tools:
 - Firehol (my favourite)
 - Shorewall

Firehol provides a "domain specific language" so that you can build a firewall by specifying services rather than ports (e.g. you specify "ftp" and the scripts take care of loading the FTP-specific rules).

Alex

On 7 Aug 2013, at 00:15, Logan Ryan McLintock <u4955237 at anu.edu.au> wrote:

> Hi Jeff and David,
> 
> Your tips have helped with my googling, and I think I have found what I am after - how obvious but to be in the Debian help docs - such a rookie
> 
> https://wiki.debian.org/iptables
> 
> If I follow these instructions, but delete this line:
> 
> -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
> 
> as I don't want SSH,
> then everything should be ok I think. I take it that 80 and 443 are just to let you surf the net? I will give it a go =)
> 
> PS. Just installed Trisquel, and I love it!!! -- I will be switching to it from Linux Mint 15 -- the only problem with Trisquel thus far is no Australian server so updates/software package installs are slow.
> 
> -)
> 
> On 06/08/2013, at 9:56 PM, jm <jeffm at ghostgun.com> wrote:
> 
>> 
>> From memory there's a package called iptables-persistent or something similar that you can install to give you a consistent way to do this.
>> 
>> Jeff.
>> 
>> Logan Ryan McLintock wrote:
>>> Hello fellow CLUG genii,
>>> 
>>> I am a newbie, and I would like to find a good way to set the iptables (firewall) for a Debian (Raspbian) Raspberry Pi. I am using the latest release.
>>> 
>>> I have managed to 'drop' everything by changing the
>>> rc.local
>>> file, but I was wondering two things;
>>> 1) is there a better file to put the commands in, or is rc.local 'correct'
>>> 2) what is a better configuration (besides dropping it like it's hot) for a standard R Pi 'desktop using ether Internet' - not a server
>>> 
>>> What I have done is shown below -- Sorry for the pile of commands, I just thought it would make more sense.
>>> 
>>> PS. I searched the Internet, but it quickly gets confusing as there are lots of different distros and servers etc.
>>> 
>>> Thank you lots,
>>> 
>>> C u on Thursday
>>> 
>>> Logan -) cyclops
>>> 
>>> %%%%%%%%%%%%% my commands %%%%%%%%%%%%%%%%
>>> 
>>> root at raspberrypi:/home/pi# iptables -L -n -v
>>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target     prot opt in     out     source   destination
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target     prot opt in     out     source   destination
>>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target     prot opt in     out     source   destination
>>> root at raspberrypi:/home/pi#
>>> root at raspberrypi:/home/pi# iptables -P INPUT DROP
>>> root at raspberrypi:/home/pi# iptables -P FORWARD DROP
>>> root at raspberrypi:/home/pi# iptables -P OUTPUT DROP
>>> root at raspberrypi:/home/pi#
>>> root at raspberrypi:/home/pi# iptables -L -n -v
>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target     prot opt in     out     source   destination
>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target     prot opt in     out     source   destination
>>> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target     prot opt in     out     source   destination
>>> root at raspberrypi:/home/pi#
>>> root at raspberrypi:/home/pi# cd /etc
>>> 
>>> root at raspberrypi:/etc# iptables-save > /etc/iptables.conf
>>> root at raspberrypi:/etc# cat iptables.conf
>>> # Generated by iptables-save v1.4.14 on Fri Jul 26 14:17:19 2013
>>> *filter
>>> :INPUT DROP [0:0]
>>> :FORWARD DROP [0:0]
>>> :OUTPUT DROP [0:0]
>>> COMMIT
>>> # Completed on Fri Jul 26 14:17:19 2013
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# cat rc.local
>>> #!/bin/sh -e
>>> #
>>> # rc.local
>>> #
>>> # This script is executed at the end of each multiuser runlevel.
>>> # Make sure that the script will "exit 0" on success or any other
>>> # value on error.
>>> #
>>> # In order to enable or disable this script just change the execution
>>> # bits.
>>> #
>>> # By default this script does nothing.
>>> # Print the IP address
>>> _IP=$(hostname -I) || true
>>> if [ "$_IP" ]; then
>>> printf "My IP address is %s\n" "$_IP"
>>> fi
>>> exit 0
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# leafpad /etc/rc.local
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# cat rc.local
>>> #!/bin/sh -e
>>> #
>>> # rc.local
>>> #
>>> # This script is executed at the end of each multiuser runlevel.
>>> # Make sure that the script will "exit 0" on success or any other
>>> # value on error.
>>> #
>>> # In order to enable or disable this script just change the execution
>>> # bits.
>>> #
>>> # Load iptables rules from this file
>>> iptables-restore < /etc/iptables.conf
>>> # Print the IP address
>>> _IP=$(hostname -I) || true
>>> if [ "$_IP" ]; then
>>> printf "My IP address is %s\n" "$_IP"
>>> fi
>>> exit 0
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# reboot
>>> 
>>> 
>>> 
>> -- 
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
> 
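Added example, not from any of the posters above: a desktop-only ruleset for the Pi in the same iptables-save format used in the original post, plus a small lint that flags the two traps in the "drop everything" ruleset posted there. Policy DROP on OUTPUT stops the host from starting any connection at all (no DNS, no apt, no browsing), and policy DROP on INPUT without an ESTABLISHED,RELATED accept drops the replies to connections the host itself started. For a desktop that runs no services, inbound can stay DROP with only loopback and reply traffic admitted, while OUTPUT stays ACCEPT. In the Debian wiki ruleset, the 80 and 443 ACCEPT lines sit in the INPUT chain, so they admit inbound connections to a web server on the Pi; browsing out is covered by the OUTPUT policy and the ESTABLISHED,RELATED rule, not by those lines. The install step assumes iptables-persistent is in use and loads /etc/iptables/rules.v4 at boot, which happens before rc.local runs (rc.local executes at the end of boot, after networking is already up, so rules loaded there leave a short unfiltered window; and because rc.local runs under sh -e, a failing iptables-restore aborts the rest of it and the policy stays ACCEPT). iptables-restore applies the whole file or nothing, unlike a sequence of separate iptables -P calls. iptables only filters IPv4; if the Pi has IPv6 connectivity, ip6tables needs an equivalent ruleset or the host is open on v6.

```shell
#!/bin/sh
# Added example (not from the thread): a desktop-only iptables ruleset for a
# Raspberry Pi in iptables-save/restore format, plus a small lint that flags
# the two lockout traps in a "drop everything" ruleset.

# Ruleset for a host that runs no services. Inbound: default DROP, but allow
# loopback and replies to connections this host started. Outbound: ACCEPT,
# so DNS, apt and web browsing keep working.
desktop_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables INPUT drop: " --log-level 4
COMMIT
EOF
}

# Constructed copy of the "drop everything" ruleset from the original post,
# kept here only as input for the lint.
posted_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# lint_ruleset: read an iptables-save file on stdin; return 0 if a desktop
# stays usable with it, 1 otherwise. Checks:
#  1. OUTPUT policy DROP with no ACCEPT rule in OUTPUT: no DNS, apt or web.
#  2. INPUT policy DROP without an ESTABLISHED/RELATED accept: replies to the
#     host's own connections are dropped, so outbound traffic is useless too.
lint_ruleset() {
    rules=$(cat)
    rc=0
    if printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' &&
       ! printf '%s\n' "$rules" | grep -q '^-A OUTPUT .*-j ACCEPT'; then
        echo "lint: OUTPUT policy DROP with no ACCEPT rule: host cannot start any connection" >&2
        rc=1
    fi
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$rules" | grep -Eq '^-A INPUT .*(state|ctstate) [^ ]*ESTABLISHED'; then
        echo "lint: INPUT policy DROP without ESTABLISHED,RELATED accept: replies are dropped" >&2
        rc=1
    fi
    return "$rc"
}

# install_ruleset FILE: lint, then load atomically with iptables-restore
# (the whole file is applied or nothing is). Needs root. Assumption:
# iptables-persistent is installed and reads /etc/iptables/rules.v4 at boot,
# which is where the file is saved.
install_ruleset() {
    lint_ruleset < "$1" || return 1
    iptables-restore < "$1" || return 1
    mkdir -p /etc/iptables && cp "$1" /etc/iptables/rules.v4
}

# Usage: sh fw.sh print > rules.v4      (write the ruleset to a file)
#        sudo sh fw.sh install rules.v4 (lint, load, save for next boot)
case "${1-}" in
    print)   desktop_ruleset ;;
    install) install_ruleset "$2" ;;
esac
```

Running the lint over the posted ruleset prints both warnings and returns 1; the desktop ruleset passes. Before trusting any loaded ruleset, confirm with iptables -L -n -v that the INPUT policy reads DROP and the ESTABLISHED,RELATED rule is counting packets while you browse.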
