[clug] iptables on R Pi
Alex Satrapa
grail at goldweb.com.au
Tue Aug 6 16:15:37 MDT 2013
When it comes to building iptables firewalls, you might want to look at two "firewall building" tools:
- Firehol (my favourite)
- Shorewall
Firehol provides a "domain specific language" so that you can build a firewall by specifying services rather than ports (i.e.: you specify "ftp" and the scripts take care of loading the FTP-specific rules).
Alex
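A stateful desktop ruleset in the iptables-save format used in the thread, plus a small lint for the "all three policies DROP, no rules" state shown in Logan's session, as an added example (not from the thread, and not Firehol or Shorewall output); it assumes the /etc/iptables.conf path from the original post and the conntrack match instead of the wiki's state match.

```shell
#!/bin/sh
# Added example, not from the thread. A stateful ruleset for a desktop
# (not server) Raspberry Pi in the format iptables-save writes and
# iptables-restore reads, plus a lint that flags the state in the
# original post: a DROP policy on a chain with no ACCEPT rule at all,
# which also cuts off DNS, HTTP and package updates.

# Emit the ruleset on stdout. OUTPUT stays ACCEPT (a desktop initiates
# connections); INPUT admits only loopback, replies to connections this
# host opened, and rate-limited pings; FORWARD drops (not a router).
desktop_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 2/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Lint a saved ruleset file: return 1 if INPUT or OUTPUT has a DROP
# policy but no "-A <chain> ... -j ACCEPT" rule (the situation in the
# original post), 0 otherwise. FORWARD is exempt: a desktop is expected
# to forward nothing.
lint_ruleset() {
  rc=0
  for chain in INPUT OUTPUT; do
    if grep -q "^:$chain DROP" "$1" && ! grep -q "^-A $chain .*-j ACCEPT" "$1"; then
      echo "warning: $chain policy is DROP but no rule accepts anything" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage on the Pi (as root): write the file, lint it, then load it.
#   desktop_ruleset > /etc/iptables.conf && lint_ruleset /etc/iptables.conf \
#     && iptables-restore < /etc/iptables.conf
# rc.local (as in the thread) loads it only at the end of boot, after the
# network is up; the iptables-persistent package Jeff mentions restores
# /etc/iptables/rules.v4 earlier in the boot sequence instead.
```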
On 7 Aug 2013, at 00:15, Logan Ryan McLintock <u4955237 at anu.edu.au> wrote:
> Hi Jeff and David,
>
> Your tips have helped with my googling, and I think I have found what I am after - how obvious but to be in the Debian help docs - such a rookie
>
> https://wiki.debian.org/iptables
>
> If I follow these instructions, but delete this line:
>
> -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
>
> as I don't want SSH,
> then everything should be ok I think. I take it that 80 and 443 are just to let you surf the net? I will give it a go =)
>
> PS. Just installed Trisquel, and I love it!!! -- I will be switching to it from Linux Mint 15 -- the only problem with Trisquel thus far is no Australian server so updates/software package installs are slow.
>
> -)
>
> On 06/08/2013, at 9:56 PM, jm <jeffm at ghostgun.com> wrote:
>
>>
>> From memory there's a package called iptables-persistent or something similar that you can install to give you a consistent way to do this.
>>
>> Jeff.
>>
>> Logan Ryan McLintock wrote:
>>> Hello fellow CLUG genii,
>>>
>>> I am a newbie, and I would like to find a good way to set the iptables (firewall) for a Debian (Raspbian) Raspberry Pi. I am using the latest release.
>>>
>>> I have managed to 'drop' everything by changing the
>>> rc.local
>>> file, but I was wondering two things;
>>> 1) is there a better file to put the commands in, or is rc.local 'correct'
>>> 2) what is a better configuration (besides dropping it like it's hot) for a standard R Pi 'desktop using ether Internet' - not a server
>>>
>>> What I have done is shown below -- Sorry for the pile of commands, I just thought it would make more sense.
>>>
>>> PS. I searched the Internet, but it quickly gets confusing as there are lots of different distros and servers etc.
>>>
>>> Thank you lots,
>>>
>>> C u on Thursday
>>>
>>> Logan -) cyclops
>>>
>>> %%%%%%%%%%%%% my commands %%%%%%%%%%%%%%%%
>>>
>>> root at raspberrypi:/home/pi# iptables -L -n -v
>>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source destination
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source destination
>>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source destination
>>> root at raspberrypi:/home/pi#
>>> root at raspberrypi:/home/pi# iptables -P INPUT DROP
>>> root at raspberrypi:/home/pi# iptables -P FORWARD DROP
>>> root at raspberrypi:/home/pi# iptables -P OUTPUT DROP
>>> root at raspberrypi:/home/pi#
>>> root at raspberrypi:/home/pi# iptables -L -n -v
>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source
>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source
>>> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source
>>> root at raspberrypi:/home/pi#
>>> root at raspberrypi:/home/pi# cd /etc
>>>
>>> root at raspberrypi:/etc# iptables-save > /etc/iptables.conf
>>> root at raspberrypi:/etc# cat iptables.conf
>>> # Generated by iptables-save v1.4.14 on Fri Jul 26 14:17:19 2013
>>> *filter
>>> :INPUT DROP [0:0]
>>> :FORWARD DROP [0:0]
>>> :OUTPUT DROP [0:0]
>>> COMMIT
>>> # Completed on Fri Jul 26 14:17:19 2013
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# cat rc.local
>>> #!/bin/sh -e
>>> #
>>> # rc.local
>>> #
>>> # This script is executed at the end of each multiuser runlevel.
>>> # Make sure that the script will "exit 0" on success or any other
>>> # value on error.
>>> #
>>> # In order to enable or disable this script just change the execution
>>> # bits.
>>> #
>>> # By default this script does nothing.
>>> # Print the IP address
>>> _IP=$(hostname -I) || true
>>> if [ "$_IP" ]; then
>>> printf "My IP address is %s\n" "$_IP"
>>> fi
>>> exit 0
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# leafpad /etc/rc.local
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# cat rc.local
>>> #!/bin/sh -e
>>> #
>>> # rc.local
>>> #
>>> # This script is executed at the end of each multiuser runlevel.
>>> # Make sure that the script will "exit 0" on success or any other
>>> # value on error.
>>> #
>>> # In order to enable or disable this script just change the execution
>>> # bits.
>>> #
>>> # Load iptables rules from this file
>>> iptables-restore < /etc/iptables.conf
>>> # Print the IP address
>>> _IP=$(hostname -I) || true
>>> if [ "$_IP" ]; then
>>> printf "My IP address is %s\n" "$_IP"
>>> fi
>>> exit 0
>>> root at raspberrypi:/etc#
>>> root at raspberrypi:/etc# reboot
>>>
>>>
>>>
>> --
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux