Securing your Linux Workstation or Server

If you are interested in a detailed description of iptables with configuration examples, please read the following document.

Default iptables configuration:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


Firewall rules are checked from the top to the bottom, and the first matching rule decides. Be careful not to block traffic you need. The last line rejects all incoming traffic that no earlier rule has accepted. This configuration allows all outgoing traffic, allows incoming ssh connections (--dport 22), and allows replies to connections originated from your machine (-m state --state ESTABLISHED,RELATED).

To limit the number of unsuccessful login attempts (password guessing) use ssh throttling: -A RH-Firewall-1-INPUT -p tcp -d 134.21.16.11 --dport 22 -m limit --limit 1/m --limit-burst 3 --syn -j ACCEPT

Note that -m limit only matches SYN packets up to the given rate; packets above it do not match and continue down the chain, so this rule must be placed before the unconditional --dport 22 ACCEPT rule, and that rule must be removed (or followed by a REJECT for port 22), otherwise the excess connections are still accepted.

To add a trusted machine add the following line (before the last one):

-A RH-Firewall-1-INPUT -s 134.21.16.203 -d 0/0 -j ACCEPT

It allows all traffic from IP 134.21.16.203 to any destination address (0/0). You can also put your own IP address here.

To add a trusted network (134.21.1.0 - 134.21.1.255 in this example) add the following line (before the last one):

-A RH-Firewall-1-INPUT -s 134.21.1.0/24 -d 0/0 -j ACCEPT

It allows all traffic from the 134.21.1.0/24 network to any destination address (0/0). You can also put your own network here.

To open a specific port on your machine (in this example http - port 80) add the following line (before the last one): -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
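To see why "before the last one" matters, here is an added example (not part of the original document) that parses a small constructed ruleset in iptables-save syntax and walks it top to bottom the way the kernel does, jumping into RH-Firewall-1-INPUT and stopping at the first matching ACCEPT or REJECT. It assumes every option takes a value and only models the -i, -p, -s, --dport and --state matches used on this page; the ruleset places the trusted-host rule correctly but appends the port-80 rule after the final REJECT, so that rule is never reached.

```python
import ipaddress
import shlex

# Constructed ruleset (iptables-save syntax): the page's default chain without
# the IPsec rules, the trusted-host rule placed correctly before the final
# REJECT, and an HTTP rule placed incorrectly after it (never reached).
RULES = """
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 134.21.16.203 -d 0/0 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
"""

def parse(text):
    """Return {chain: [rule, ...]} in file order; unmodelled options are skipped."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule = {"target": None}
        for opt, val in zip(tok[2::2], tok[3::2]):   # every option here takes a value
            if opt == "-j": rule["target"] = val
            elif opt == "-i": rule["iface"] = val
            elif opt == "-p": rule["proto"] = val
            elif opt == "-s": rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "--dport": rule["dport"] = int(val)
            elif opt == "--state": rule["state"] = set(val.split(","))
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """A rule matches only if every match it specifies agrees with the packet."""
    return (rule.get("iface") in (None, pkt.get("iface"))
            and rule.get("proto") in (None, pkt.get("proto"))
            and ("src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and ("dport" not in rule or rule["dport"] == pkt.get("dport"))
            and ("state" not in rule or pkt.get("state") in rule["state"]))

def verdict(chains, pkt, chain="INPUT", policy="ACCEPT"):
    """First matching terminal rule wins; a user chain that runs out returns None."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["target"]
            if (sub := verdict(chains, pkt, rule["target"], policy=None)) is not None:
                return sub                       # verdict reached inside the jump
    return policy   # INPUT's policy on the page is ACCEPT; user chains return None
```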