Using IPTABLES

Basic/default iptables configuration:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Rules should be added in the order of least restrictive to most restrictive.

• Create additional chains (iptables -N [chain name])
  • iptables -N LOG_DROP
  • iptables -N LOG_REJECT
• Allow already existing connections to persist
  • iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
• Allow ICMP traffic from anywhere
  • iptables -A INPUT -p icmp -j ACCEPT
• Allow all traffic from the local device
  • iptables -A INPUT -i lo -j ACCEPT
• Allow all traffic from a specified network
  • iptables -A INPUT -s 10.20.150.0/255.255.255.0 -j ACCEPT
• Allow new SSH traffic from a specified network
  • iptables -A INPUT -s 216.128.150.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
• Allow new traffic for certain ports from anywhere
  • iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5060 -j ACCEPT
  • iptables -A INPUT -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
• Drop or Reject any other traffic
  • First rule redirects any traffic not already covered by an existing rule to another chain
    • iptables -A INPUT -j LOG_REJECT
    • iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    • iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
    • iptables -A LOG_DROP -j DROPiptables -A LOG_REJECT -j LOG --log-prefix "INPUT:REJECT: " --log-level 6
    • iptables -A LOG_REJECT -j REJECT --reject-with icmp-host-prohibited
• Insert a rule at a specific line
  • First determine line numbers using the --line-numbers modifier
    • iptables -I [chain name] [line number] [firewall rule]
    • iptables -I INPUT 6 -p tcp -m state --state NEW -m tcp --dport 5060 -j ACCEPT
• Deleting rules
  • Rules can be deleted by entering the full line, or referencing a chain and line number
    • iptables -D [chain name] [full rule text]
    • iptables -D [chain name] [line number]

Persistant IPTables rules without iptables-persist

To make sure the iptables rules are started on a reboot we'll create a new file:

nano /etc/network/if-pre-up.d/iptables

Add these lines to it:

 #!/bin/sh

 /sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

chmod +x /etc/network/if-pre-up.d/iptable

https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4571.html

https://wiki.debian.org/iptables

IP6Tables

Default ip6tables configuration

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p ipv6-icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited