How to Secure Your Linux Desktop with Iptables

Secure Linux Iptables

Linux may have a reputation for security, but it isn’t perfect. Many distributions also don’t have the best security defaults, so it’s best to implement some best practices for security. One such example is using a firewall.

There are a few options for firewalls in Linux, but most are actually just wrappers around iptables. For this guide we will show you how to work with iptables directly.

Iptables is the user-space tool for the Linux kernel's built-in packet filter (Netfilter). Every major distribution ships it (newer ones provide the same commands through the iptables-nft compatibility layer on top of nftables), and it's the most direct way to control traffic coming into and out of your computer.

Iptables has a reputation for being complex, and it can be. You don’t need to know everything about iptables to use it effectively on your desktop, though. You just need some basic knowledge of how it works and how its rules are structured.

All iptables rules follow the same basic structure. Each rule is a single-line command that tells iptables what to do with traffic matching a set of conditions: which interface, which protocol, which port, and what connection state. Take a look at the example below:

That might look like a lot, but it's really simple when you break it down. First, this rule begins with -A because it appends onto the end of the named chain: INPUT for traffic arriving at your computer, OUTPUT for traffic leaving it. Order matters, because iptables checks a chain's rules from top to bottom and acts on the first one that matches.

Next, the -i flag specifies the incoming interface the rule applies to. In this case, it's eth0. It only makes sense in the INPUT chain; OUTPUT rules use -o for the outgoing interface. When you write your own rules, make sure that you know which interface connects you to your network (the ip addr command lists them). On current distributions it is often called something like enp3s0 or wlp2s0 rather than eth0.

The following flag, -p, names the protocol. This rule is for tcp. TCP is the transport used by Web traffic, but also by email, SSH and most other application protocols; UDP is the other common choice and is what DNS, NTP and DHCP use.

The -m flag loads a match extension: an extra condition, beyond the built-in ones, that a packet must meet for the rule to apply. The extension in this rule is state, which checks the packet against the kernel's connection-tracking table. It is the older spelling of -m conntrack --ctstate, which newer iptables prefers.

State is actually the next flag. You need to give --state a list of acceptable states written in all caps and separated with commas: NEW (the first packet of a connection), ESTABLISHED (a packet belonging to a connection that has already seen traffic in both directions), RELATED (a new connection tied to an existing one, such as an ICMP error message) or INVALID (a packet the tracker cannot classify). This rule accepts both new and established connections.

The second to last flag here is --sport. It stands for "source port," and it matches the port at the sending end of the packet. In an INPUT rule that is the remote side's port: a reply from a web server arrives with source port 80 or 443. There is also a --dport flag that stands for "destination port," the port at the receiving end. In an OUTPUT rule that is the remote service you are connecting to; in an INPUT rule it is the local service being contacted. Both flags need -p tcp or -p udp earlier in the same rule.

Finally, there's the -j flag. It tells iptables which target to "jump" to when the conditions match: ACCEPT, DROP (discard silently), REJECT (discard and send an error back) or a chain you defined yourself. In this case it should ACCEPT the traffic that meets the previous conditions.
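To make the flags concrete, here is an added example (not the article's own listing) of the rule as described, written in the iptables-restore syntax used for rules files, next to its OUTPUT counterpart and a tighter variant. The interface eth0 and the port 443 are assumptions:

```text
# INPUT: packets arriving on eth0, TCP, coming *from* port 443 (the remote
# web server), whose connection state is NEW or ESTABLISHED. Accept them.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --sport 443 -j ACCEPT

# OUTPUT: the same flow seen from the sending side. The remote port is now the
# destination, so it is --dport, and the interface flag is -o, not -i.
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT

# Tighter INPUT rule: a desktop never needs to accept a NEW connection just
# because the far end chose source port 443, so only let replies back in.
# -m conntrack --ctstate is the current spelling of -m state --state.
-A INPUT -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED --sport 443 -j ACCEPT
```

The first INPUT rule shows the classic weakness of matching on --sport alone: anyone on the network who sets the source port of their own connection to 443 would be allowed to reach any port your desktop happens to be listening on. Restricting the INPUT side to ESTABLISHED (and RELATED, if you need it) closes that gap while still letting every reply through.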

You can enter your rules into iptables manually one by one. That’s incredibly tedious, and it’s very easy to lose track of where you are and what you’re doing. It’s much better to create a rules file that you can import into iptables all at once.

It doesn't matter where you create the file. People even make them in the /tmp directory, because once the file is loaded the rules live in the kernel and the file is only needed again if you want to reload them.

Create your file. This guide is going to use /tmp/iptables-ip4. In the file add the following two lines. All of your rules will go between them.

You can start setting up your rules. These are just suggestions. Obviously, if you’re running other services or need other ports open, you can certainly tweak some things or add your own rules.

Loopback

The loopback interface (lo, with the address 127.0.0.1) is the internal interface that programs on your computer use to talk to each other. Plenty of desktop software depends on it, so allow it unconditionally in both directions.

Ping

This one is a matter of preference. Many people don't like allowing ping at all on their desktops. It can be useful to have it, though, to test connections. If you want to allow ping, add the rules below (rate-limiting incoming echo requests with -m limit is a sensible extra). If you don't, exclude them.

The Web

You obviously want to be able to connect to the Web, meaning outgoing connections to ports 80 (HTTP) and 443 (HTTPS) and the replies to them. On the flip side of that, you don't want to allow new connections originating from the Internet.

You're also going to need to allow DNS connections (UDP port 53, with TCP port 53 as the fallback for large answers) so that your computer can use host names instead of only IP addresses, because that wouldn't be very convenient. Substitute the address of the resolver your system actually uses for the one used here; usually that's your router, and /etc/resolv.conf tells you which address is configured.

Time

Most Linux desktops use NTP to set and maintain the system time from the Internet. You need to allow your computer to connect out to an NTP server, which means UDP port 123, and to receive the reply.

Printing

A USB printer needs no network rule, and the local CUPS daemon listens on the loopback interface, which is already allowed. If you print to a network printer or an external print server, you need to allow outgoing IPP connections to it on TCP port 631.

Email

You probably want to be able to send and receive email, too. Email can be tricky. The ports allowed here are the TLS ("SSL") email ports: 465 (SMTPS) and 587 (submission) for sending, 993 (IMAPS) and 995 (POP3S) for receiving. If you need to use unencrypted email, substitute those ports, though it is better to avoid that where you can.

SSH

To use SSH from your desktop you need to allow outgoing connections to port 22 and the replies to them. Only allow incoming SSH as well if you actually run an SSH server on the machine; an open port with nothing behind it gains you nothing and is one more thing to get wrong.

DHCP

Most Linux desktops use DHCP to automatically receive an IP address from a router. DHCP uses its own ports (UDP: the client sends from port 68 to the server's port 67, and the answer comes back the other way), so they need to be accessible too. If you're using a static IP, you don't need these rules.

Reject Everything Else

Finally, you're going to tell iptables to reject absolutely everything that you didn't explicitly allow in the rules above, by setting the default policy of the INPUT and OUTPUT chains to DROP or by ending each chain with a rule that matches everything. Dropping unwanted inbound packets silently is usual; for outbound traffic, REJECT is friendlier on a desktop because a blocked program gets an immediate error instead of hanging until it times out.

After everything, your rules should look something like these.

iptables rules
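Putting all of the sections above together, here is an added example (my own, not the article's screenshot) of a complete rules file in iptables-restore format, produced by a small POSIX shell function so the interface and resolver can be set in one place. The interface name eth0 and the resolver address 192.168.1.1 are assumptions, and the ports are the standard ones for each service. It uses -m conntrack --ctstate, the current form of the -m state --state match explained earlier, and follows the article's design of one rule per direction per service, with the INPUT side limited to ESTABLISHED so nothing on the Internet can open a connection inward except over SSH if you keep that rule.

```shell
#!/bin/sh
# Added example: generate the rules file described in the article.
# Assumptions (override in the environment): the network interface is eth0
# and the DNS resolver is 192.168.1.1, typically the router.
IFACE="${IFACE:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"

# write_rules FILE: write a complete iptables-restore file for the filter table.
write_rules() {
  cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback: everything on lo stays on this machine.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Packets conntrack cannot classify (bad TCP flags, out-of-window data, ...).
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Ping: answer echo requests (rate limited) and accept replies to our own pings.
-A INPUT -i $IFACE -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A OUTPUT -o $IFACE -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $IFACE -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Web: we open connections out to 80/443; only replies come back in.
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# DNS: only to the configured resolver, UDP plus the TCP fallback for large answers.
-A OUTPUT -o $IFACE -d $DNS_SERVER -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -s $DNS_SERVER -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -d $DNS_SERVER -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -s $DNS_SERVER -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Time: NTP is UDP 123.
-A OUTPUT -o $IFACE -p udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p udp --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Printing: IPP to a network printer or print server on TCP 631.
-A OUTPUT -o $IFACE -p tcp --dport 631 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp --sport 631 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Email over TLS: SMTPS 465, submission 587, IMAPS 993, POP3S 995.
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 465,587,993,995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp -m multiport --sports 465,587,993,995 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# SSH: outgoing sessions always; incoming only if sshd runs here (drop the
# two rules with --dport 22 / --sport 22 in the other direction if it does not).
-A OUTPUT -o $IFACE -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# DHCP: client port 68 talks to server port 67. The first exchange is broadcast
# from 0.0.0.0, so no connection-state match here.
-A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j ACCEPT

# Everything else: drop inbound silently, refuse outbound so local programs
# fail fast instead of hanging.
-A INPUT -j DROP
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# count_rules FILE: number of -A lines, handy as a sanity check after editing.
count_rules() {
  grep -c '^-A ' "$1"
}

# Usage: sh make-rules.sh /tmp/iptables-ip4
if [ -n "${1:-}" ]; then
  write_rules "$1" && echo "wrote $(count_rules "$1") rules to $1"
fi
```

Parse-check the result before loading it: write_rules /tmp/iptables-ip4 followed by sudo iptables-restore --test /tmp/iptables-ip4 reports syntax errors without touching the live rules. Programs the article does not cover (Steam, a VPN client, BitTorrent) will need their own pairs of rules in the same pattern, or you will see them fail with "connection refused" thanks to the final REJECT.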

You now have a fully-functional iptables rules list. You just need to hand it off to iptables to use.

In case some rules have been added over time, clear them out first: set the default policies back to ACCEPT, then flush the rules and delete any user-defined chains, in that order so you are never left with empty chains under a DROP policy. After these commands, you'll see the defaults that allow everything.

Iptables clear rules

With those gone, you can restore the new ones from the file that you created.

Your computer is now using the new iptables rules. You can check them out.

Iptables Rules List

However, they aren't permanent yet: the rules live only in kernel memory. If you restart your computer now, they will be gone and you're going to have a really bad time.

There are several ways to make the rules permanent. They’re different for each distribution. This guide is going to focus on Debian- and Ubuntu-based systems, since they’re the most popular.

There is a package available, called iptables-persistent, that handles saving the rules and restoring them at boot. All you have to do is install it.

Save Iptables Rules

During the installation, the package will ask you if you want to save your configuration. Select “Yes.”

In the future, if you want to add rules, you can save again by running the following command.
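The clear, load and persist steps above as one added shell script (mine, not the article's), using only the standard iptables-restore and iptables-save tools and the /etc/iptables/rules.v4 path that iptables-persistent reads at boot. The rules file path /tmp/iptables-ip4 is the one the guide uses; the script assumes it is run as root.

```shell
#!/bin/sh
# Added example: reset, test-load and persist an iptables rules file.
# Assumes the file is in iptables-restore format and that iptables-persistent
# is installed, so /etc/iptables/rules.v4 is reloaded at boot.
set -u

# check_rules_file FILE: cheap sanity check before handing the file to the
# kernel. It must open the filter table and end with COMMIT.
check_rules_file() {
  [ -r "$1" ] || { echo "rules file not readable: $1" >&2; return 1; }
  head -n 1 "$1" | grep -q '^\*filter' || { echo "$1: first line must be *filter" >&2; return 1; }
  tail -n 1 "$1" | grep -q '^COMMIT' || { echo "$1: last line must be COMMIT" >&2; return 1; }
}

# reset_rules: back to the accept-everything defaults. Policies go to ACCEPT
# *before* the flush; the other order leaves empty chains under a DROP policy
# and cuts you off for the moment between the two commands.
reset_rules() {
  iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT &&
  iptables -F && iptables -X
}

# load_rules FILE: parse the file with --test first, so a typo is reported
# without touching the live rules, then load it. iptables-restore replaces the
# whole table in one go, so a half-applied rule set is not possible.
load_rules() {
  check_rules_file "$1" || return 1
  iptables-restore --test "$1" || return 1
  iptables-restore "$1"
}

# persist_rules: write the live rules where iptables-persistent looks for them.
persist_rules() {
  iptables-save > /etc/iptables/rules.v4
}

# Usage: sh apply-rules.sh /tmp/iptables-ip4
if [ -n "${1:-}" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  reset_rules && load_rules "$1" && persist_rules && iptables -L -v -n
fi
```

When you do this on a machine you reach over SSH, load the file with iptables-apply (shipped with iptables) instead of iptables-restore: it asks you to confirm within a timeout and rolls the old rules back if you don't answer, which is exactly what you want when a typo in the SSH rule has just locked you out.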

You are now in control of the traffic flowing through your computer. There is certainly more that you can do with iptables, but you should feel confident with the basics first.

5 comments

  1. Does IPTables give the user better control than ufw, Shorewall or FirewallD?

    In the example you provided at the beginning, What is the meaning/definition of ‘state’, ‘established’ and ‘related’?

    Can I use the rules you have provided on my system ‘as is’ or do I have to tweak then for my PC/distro?

    Would I want to use all the rules you have provided?

    • Yes and no. Personally, I find iptables to be the most direct, since it’s from the kernel itself, but the others aren’t bad. Ufw is just a wrapper on iptables, actually.

      State refers to the state of the connection. In that case, iptables should only accept already established connections or connections related to them.

      You absolutely can use this configuration as-is, but a lot depends on which programs you’re running. I tried to cover the basics, but no two desktops are the same. For example, if you’re running something like Steam, you have to add some rules for that too.

      The rules that I provided are good for the services that they cover. Honestly, they're somewhat restrictive because they only cover those services (that's really how iptables works). If you're running anything else that uses Unix ports, you need to add rules for it. Those rules are a core that you can build on.

  2. For an exhaustive, if dry and technical, manual on iptables, do an Internet search for “iptables-tutorial.pdf”. The download is free. There are other iptables tutorials and manuals to be found on the ‘Net but most of them refer only to specific cases or provide only the basic commands without much, if any, explanations. The “Iptables Tutorial”, on the other hand, is a 460 page book by Oskar Andreasson in which he explains all the whys and wherefores, every term and every option in minute detail. It can be used as a tutorial or as a reference manual.

    Using Iptables to protect one’s system is not a endeavor for newbies and/or casual users of Linux. However, for those who wish to get up close and personal with their Linux O/S, Oskar Andreasson’s book makes things much easier.

  3. Umm, rules in the OUTPUT chain of the filter table are a bad idea … especially on a desktop (it makes some sense on servers). You never know what port you need to connect to. (BitTorrent? VPN? proxy? and who knows what more.) Besides, why do you want to restrict yourself?
    Second, you can put 2 rules at the top of the chain: 1. accept all related and established connections; 2. drop all invalid connections. That way you don't needlessly repeat the same statement again and again.
    Third, the state module has been deprecated for a long time already. Use conntrack.

    All in all this whole hardening will fit in max 10 lines.
