Thursday, 23 August 2007

Firewall to your Notebook

Before starting this post I should say that it is for people who have installed *nix on their notebooks. Sorry to say I'm not much of a Windows fan...
We all know *nix is a very secure operating system, but using *iptables* we can make it more secure. So below is a simple script that sets up a simple firewall for a notebook.
First of all, log in to your system and become *root* (# su - ).

* I suggest having a *bin* directory in root's home, so that you can store all your system-related scripts inside it and stop other users on the system from accessing them.
# mkdir /root/bin

* Open an empty file using the Vi editor (my favourite editor is Vi, but you can use your favourite editor ;) )
# vi /root/bin/firewall

* In the file, type the following commands (you can simply copy & paste this and change it accordingly).

#!/bin/bash
#(the "#!" line above defines the shell; it must be the very first line of the file)

#(define iptables location. depends on the system)
iptables='/sbin/iptables'

#(define network interfaces)
WIRED='eth0'
WIRELESS='eth1'

#(define loopback address)
LOOP='127.0.0.1'

#(First we close the default policies and flush all chains, so we start from nothing)
$iptables -P OUTPUT DROP
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t mangle -F

#(define default policies)
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT

# Prevent external packets from using the loopback addr (spoofed 127.0.0.1 source)
$iptables -A INPUT -i $WIRED -s $LOOP -j DROP
$iptables -A FORWARD -i $WIRED -s $LOOP -j DROP
$iptables -A INPUT -i $WIRELESS -s $LOOP -j DROP
$iptables -A FORWARD -i $WIRELESS -s $LOOP -j DROP

# (Allow local loopback, but only on the lo interface)
$iptables -A INPUT -i lo -s $LOOP -j ACCEPT
$iptables -A INPUT -i lo -d $LOOP -j ACCEPT

# Allow incoming pings (purely for diagnostic purposes)
$iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Put all the services you want outsiders to access (I allow only http and ssh)
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow new outgoing connections on both interfaces, and let the replies to them back in
$iptables -A OUTPUT -m state --state NEW -o $WIRED -j ACCEPT
$iptables -A OUTPUT -m state --state NEW -o $WIRELESS -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

* OK, that's it. Now save your file.

* We need to make this file executable. Use the following to change the file permissions:
# chmod 750 /root/bin/firewall

* To apply the rules to the system:
# /root/bin/firewall

* To check the firewall settings:
# /sbin/iptables -L -n

* You may want to apply your firewall when your system starts up. Most *nix systems have a file called /etc/rc.local which runs the user's custom scripts at the end of the multi-user runlevel. Simply add your script's location to that file (remember to give the full path to the script).
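Since the point of the "check the firewall settings" step is to confirm that the rules really took effect, here is an added example (my own code, not part of the original post) of a small POSIX shell script that reads the text printed by `iptables -L -n` and checks that the INPUT chain's policy is DROP and that only the TCP ports you intended are accepted. The sample output embedded below is constructed to resemble what the script in this post would produce; it is not captured from a real system, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit the firewall state from the text of `iptables -L -n`.

# Constructed sample of `iptables -L -n` output (not captured from a real box),
# modelled on the rules the firewall script in this post installs.
SAMPLE_OUTPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmptype 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW
'

# chain_policy CHAIN OUTPUT: print the default policy of CHAIN (e.g. DROP).
chain_policy() {
    printf '%s\n' "$2" | sed -n "s/^Chain $1 (policy \([A-Z]*\).*/\1/p"
}

# open_tcp_ports OUTPUT: print every TCP destination port that the INPUT
# chain ACCEPTs, one per line. Column layout of `iptables -L -n` is
# target prot opt source destination [match options...].
open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "INPUT" && $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
        }'
}

# audit_firewall OUTPUT EXPECTED_PORTS: return 0 when the INPUT policy is DROP
# and the accepted TCP ports are exactly EXPECTED_PORTS (space separated,
# ascending); otherwise print the reason and return 1.
audit_firewall() {
    out=$1
    expected=$2
    [ "$(chain_policy INPUT "$out")" = "DROP" ] || {
        echo "INPUT policy is not DROP"; return 1; }
    actual=$(open_tcp_ports "$out" | sort -n | tr '\n' ' ' | sed 's/ $//')
    [ "$actual" = "$expected" ] || {
        echo "open tcp ports: '$actual' (expected: '$expected')"; return 1; }
    return 0
}

# Run the audit against the constructed sample when executed directly.
audit_firewall "$SAMPLE_OUTPUT" "22 80" && echo "firewall state looks as expected"
```

On a real machine you would feed it the live table instead of the sample, for example `audit_firewall "$(/sbin/iptables -L -n)" "22 80"` as root; a non-zero exit (and the printed reason) tells you the script in this post did not apply as intended, which is exactly what you want to catch before trusting the rc.local entry.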

OK, this is how we configure a simple firewall for notebook users. I'll try to follow this with a post about simple measures you can take to secure your notebook from attacks.
