etc/iptables/iptables-desktop.rulesΒΆ

Download file

# This file contains a basic set of rules to apply for an Internet client.
# Please adapt these rules to make them match what you use.


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# IPv6: Disable processing of any RH0 packet to prevent ping-pong
-6 -A INPUT -m rt --rt-type 0 -j DROP
-6 -A FORWARD -m rt --rt-type 0 -j DROP
-6 -A OUTPUT -m rt --rt-type 0 -j DROP

##############################################################################
# INPUT filters

# Trust local loopback
-A INPUT -i lo -j ACCEPT

# Broadcast pings are allowed and produce replies in invalid states
-4 -A INPUT -p icmp -m icmp --icmp-type 0/0 -m limit --limit 2/sec -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -m limit --limit 2/sec -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Drop DHCP requests but accept answers
-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

# Drop DHCPv6 requests but accept answers
-6 -A INPUT -p udp -m udp --sport 547 --dport 546 -j DROP
-6 -A INPUT -p udp -m udp --sport 546 --dport 547 -j ACCEPT

# port range is in /proc/sys/net/ipv4/ip_local_port_range
# If conntrack is not available (old kernel), use -m state --state instead
-A INPUT -p tcp -m tcp --dport 32768:61000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 32768:61000 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Most DNS resolvers (BIND, PowerDNS, ...) use their own ports numbers
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT

# If conntrack module is not available, state module doesn't work well for IPv6
# so use these rules instead
#-6 -A INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
#-6 -A INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT


# ICMPv4 echo reply, dest unreachable, echo request, time exceeded, parameter problem
-4 -A INPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT

# ICMPv6 dest unreachable, packet too big, time exceeded, parameter problem
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
# ICMPv6 echo request, echo reply
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
# IPv6 Multicast Listener Query, Report and Done
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -j ACCEPT
# Neighbor Discovery Protocol: RS, RA, NS, NA
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT


# Accept SSH, HTTP, HTTPS, ... (activate only the ones needed)
#-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT

# Accept NTP
-A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT


# Accept IGMP (multicast) and mDNS
#  224.0.0.1 = to all hosts
#  224.0.0.2 = to all routers
#  224.0.0.22 = IGMPv3
#  224.0.0.251 = mDNS
# TODO: use -m pkttype --pkt-type multicast -j ACCEPT ?
-4 -A INPUT -d 224.0.0.1/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.2/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.22/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.251/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-6 -A INPUT -d ff02::fb/128 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT

# Accept NetBios
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -m udp --sport 137:138 --dport 137:138 -j ACCEPT

# Silently drop some LAN discovery services
-4 -A INPUT -p udp -m udp --sport 3483 --dport 3483 -m comment --comment "Slim Devices" -j DROP
-4 -A INPUT -p udp -m udp --sport 17500 --dport 17500 -m comment --comment "DropBox" -j DROP

# Silently drop unsollicited broadcast and multicast
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j DROP
# This rule is still here to really avoid rejecting an IPv4 broadcast
-4 -A INPUT -d 255.255.255.255/32 -j DROP

# Log to NetFilter, so that logs don't fills up and debugging is quick
#-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "
-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j NFLOG

# Reject packet, with some stats in iptables -nvL and ip6tables -nvL
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-6 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-4 -A INPUT -p icmp -j DROP
-6 -A INPUT -p ipv6-icmp -j DROP
-4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
-6 -A INPUT -j REJECT


##############################################################################
# OUTPUT filters

# These filters respect the symmetry of INPUT filters

-A OUTPUT -o lo -j ACCEPT
-4 -A OUTPUT -p udp -m udp --sport 67 --dport 68 -j DROP
-4 -A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-4 -A OUTPUT -p icmp -j ACCEPT
-6 -A OUTPUT -p ipv6-icmp -j ACCEPT

# Accept TCP reset and FIN+ACK
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j ACCEPT
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -j ACCEPT

-4 -A OUTPUT -d 255.255.255.255/32 -j DROP
-4 -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Refuse to send emails directly through SMTP. Use SMTPS (port 587) to send mail.
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT

-A OUTPUT -p tcp -m tcp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT

#-A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

-4 -A OUTPUT -d 224.0.0.1/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.2/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.22/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.251/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-6 -A OUTPUT -d ff02::fb/128 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT

#-A OUTPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[OUT DROP] "
-A OUTPUT -m limit --limit 1/sec --limit-burst 1000 -j NFLOG

# Reject other packets, with some stats in iptables -nvL and ip6tables -nvL
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-4 -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-6 -A OUTPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-4 -A OUTPUT -j REJECT --reject-with icmp-proto-unreachable
-6 -A OUTPUT -j REJECT

COMMIT