Revisions to Iptables: Securing a Linux system by limiting all traffic to one static IP and loopback, using Iptables

refined iptables rules to add https

Source Link

edited Oct 2, 2017 at 8:26

117
1
2
8

Iptables for normal usage (no dns, no https, no http to external ips, only to my static ip X.X.X.X)

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address $STATIC_IPX.X.X.X
-A INPUT -s $STATIC_IPX.X.X.X -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: Added rules to allow DNS and Apt-Get updates,HTTP,HTTPS (ports 53required for downloading new packges from the distro mirros, and 80for resolving host names to IP)

Note the additional rule for loopback to prevent spoofing (see discussion below)

-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

Iptables rules for updating and installing packages

*filter

#Allow all loopback (lo0) traffic and reject traffic
#to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

#Allow traffic from address X.X.X.X (replace with static ip)
-A INPUT -i eth0 -s X.X.X.X -j ACCEPT
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow DNS
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j 
 ACCEPT

#Allow traffic from distro mirrosHTTP
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow HTTPS
-A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

#Reject everything else
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP

COMMIT

At the moment, my solution is to alternate between these 2 rules, using the first rule for normal usage, and changing to the 2nd (with DNS, HTTP and HTTPS) for updating and installing packages.

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: Added rules to allow DNS and Apt-Get updates (ports 53 and 80)

*filter

#Allow all loopback (lo0) traffic and reject traffic
#to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#Allow traffic from address X.X.X.X (replace with static ip)
-A INPUT -i eth0 -s X.X.X.X -j ACCEPT
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow DNS
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j 
 ACCEPT

#Allow traffic from distro mirros
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j 
ACCEPT

#Reject everything else
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP

COMMIT

Iptables for normal usage (no dns, no https, no http to external ips, only to my static ip X.X.X.X)

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address X.X.X.X
-A INPUT -s X.X.X.X -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: Added rules to allow DNS,HTTP,HTTPS (required for downloading new packges from the distro mirros, and for resolving host names to IP)

Note the additional rule for loopback to prevent spoofing (see discussion below)

-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

Iptables rules for updating and installing packages

*filter

#Allow all loopback (lo0) traffic and reject traffic
#to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

#Allow traffic from address X.X.X.X
-A INPUT -i eth0 -s X.X.X.X -j ACCEPT
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow DNS
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

#Allow HTTP
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

#Allow HTTPS
-A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

#Reject everything else
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP

COMMIT

At the moment, my solution is to alternate between these 2 rules, using the first rule for normal usage, and changing to the 2nd (with DNS, HTTP and HTTPS) for updating and installing packages.

added iptable with option to apt-get update by opening ports 53 and 80

Source Link

edited Oct 2, 2017 at 6:55

Joey

117
1
2
8

I have a static IP (on my home pc), is it enough to secure a remote server for my own usage (from my home, static ip, to remote server) using the following rule?

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -d $STATIC_IP -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: This is my final Iptables per Egor Vasilyvev answer

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: Added rules to allow DNS and Apt-Get updates (ports 53 and 80)

*filter

#Allow all loopback (lo0) traffic and reject traffic
#to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#Allow traffic from address X.X.X.X (replace with static ip)
-A INPUT -i eth0 -s X.X.X.X -j ACCEPT
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow DNS
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j 
ACCEPT

#Allow traffic from distro mirros
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j 
ACCEPT

#Reject everything else
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP

COMMIT

I have a static IP (on my home pc), is it enough to secure a remote server for my own usage (from my home, static ip, to remote server) using the following rule?

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -d $STATIC_IP -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: This is my final Iptables per Egor Vasilyvev answer

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

I have a static IP (on my home pc), is it enough to secure a remote server for my own usage (from my home, static ip, to remote server) using the following rule?

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -d $STATIC_IP -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: This is my final Iptables per Egor Vasilyvev answer

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: Added rules to allow DNS and Apt-Get updates (ports 53 and 80)

*filter

#Allow all loopback (lo0) traffic and reject traffic
#to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#Allow traffic from address X.X.X.X (replace with static ip)
-A INPUT -i eth0 -s X.X.X.X -j ACCEPT
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow DNS
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j 
ACCEPT

#Allow traffic from distro mirros
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j 
ACCEPT

#Reject everything else
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP

COMMIT

added final iptables from answer, helpful for anyone looking for make the same config

Source Link

edited Oct 1, 2017 at 14:30

Joey

117
1
2
8

I have a static IP (on my home pc), is it enough to secure a remote server for my own usage (from my home, static ip, to remote server) using the following rule?

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -d $STATIC_IP -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: This is my final Iptables per Egor Vasilyvev answer

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

I have a static IP (on my home pc), is it enough to secure a remote server for my own usage (from my home, static ip, to remote server) using the following rule?

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -d $STATIC_IP -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

I have a static IP (on my home pc), is it enough to secure a remote server for my own usage (from my home, static ip, to remote server) using the following rule?

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -d $STATIC_IP -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

Edit: This is my final Iptables per Egor Vasilyvev answer

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

#Allow traffic from address $STATIC_IP
-A INPUT -s $STATIC_IP -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

clarification

Source Link

edited Sep 30, 2017 at 16:08

Joey

117
1
2
8

Loading

Source Link

asked Sep 30, 2017 at 16:02

Joey

117
1
2
8

Loading

Stack Exchange Network

Return to Question