Suggestions on firewall rules ?
Posted: Sun Apr 05, 2015 7:16 am
Greetings.
As there is a neighbor thread about password and authentication (http://www.raspberrypi.org/forums/viewt ... 22#p733622), I think there should also be a thread about firewall rules.
Any suggestion is great. Thanks for posting them~
I'm using Pi as the gateway to Internet:
LAN => Pi => PPPoE => ISP
I'm not defending against a nuclear attack, I just don't want the public to see my secret directory.
I read a HOWTO on IP Masq: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/
and checked its example firewall rule set in section 6.4.
The rule I learned is, in English: except for ICMP, I would listen to nobody unless I talked first.
So I wrote an iptables rule set like this:
I put this in /etc/ppp/ip-up.d/firewall, so when pppd gets connected, it is executed automatically.
```bash
#!/bin/bash
IPTABLES="/sbin/iptables"
# Start from a clean slate: this script runs on every PPP (re)connect, and
# without a flush each run would append a second copy of every rule.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Default policies: drop everything inbound and forwarded, allow outbound.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# pppd auto-generated line clone (MSS clamping for the PPPoE link)
$IPTABLES -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
# Trust everything that does not arrive on the PPP link (LAN and loopback).
$IPTABLES -A INPUT '!' -i "$PPP_IFACE" -j ACCEPT
$IPTABLES -A FORWARD '!' -i "$PPP_IFACE" -j ACCEPT
# From the Internet side: only ICMP and packets belonging to connections we started.
$IPTABLES -A INPUT -i "$PPP_IFACE" -p icmp -j ACCEPT
$IPTABLES -A INPUT -i "$PPP_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i "$PPP_IFACE" -p icmp -j ACCEPT
$IPTABLES -A FORWARD -i "$PPP_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade LAN traffic leaving over the PPP link.
$IPTABLES -t nat -A POSTROUTING -o "$PPP_IFACE" -j MASQUERADE
```
As this is the first iptables rule set I've ever written, did I miss something important?
Again, any suggestion is great, thanks for posting them!
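A way to check that a running box still matches the "nothing unsolicited from the PPP side except ICMP" policy described in the post, as an added example that is not part of the original post or of any Raspberry Pi project code. It audits an `iptables-save` dump for the invariants the rule set is meant to establish (DROP policies, no ACCEPT for unsolicited traffic arriving on the PPP interface, MASQUERADE present, and no duplicate rules, which is what you get when an ip-up.d script appends without flushing on every reconnect). The interface name `ppp0` and both dumps are assumptions constructed for the example; on a live gateway you would feed it `iptables-save` output instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump
# against the "listen to nobody on the PPP side unless I talked first,
# except ICMP" policy. Assumes the PPP interface is ppp0.

# Constructed dump matching the rule set from the post.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i ppp0 -j ACCEPT
-A FORWARD ! -i ppp0 -j ACCEPT
-A INPUT -i ppp0 -p icmp -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -p icmp -j ACCEPT
-A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Constructed drifted variant: INPUT policy left at ACCEPT, a port 22 hole
# towards the PPP side, no nat table, and a duplicate rule from running the
# ip-up script twice without a flush.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i ppp0 -j ACCEPT
-A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p icmp -j ACCEPT
-A INPUT -i ppp0 -p icmp -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# audit_rules IFACE: read an iptables-save dump on stdin, print one
# "FAIL: ..." line per finding, return 0 only when nothing was found.
audit_rules() {
    iface="$1"
    dump=$(cat)
    fails=0

    # 1. INPUT and FORWARD must default to DROP.
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$dump" | grep -q "^:$chain DROP "; then
            echo "FAIL: $chain policy is not DROP"
            fails=$((fails + 1))
        fi
    done

    # 2. Every ACCEPT for traffic arriving on IFACE must be ICMP or a
    #    connection-tracking match; "! -i IFACE" rules are the LAN side.
    unsolicited=$(printf '%s\n' "$dump" \
        | grep -- "-i $iface " | grep -- "-j ACCEPT" \
        | grep -v -e "! -i $iface" -e "-p icmp" -e "--state" -e "--ctstate" || true)
    if [ -n "$unsolicited" ]; then
        printf 'FAIL: unsolicited accept on %s: %s\n' "$iface" "$unsolicited"
        fails=$((fails + 1))
    fi

    # 3. Masquerading must exist or the LAN cannot reach the Internet.
    if ! printf '%s\n' "$dump" | grep -q -- "-o $iface -j MASQUERADE"; then
        echo "FAIL: no MASQUERADE rule for $iface"
        fails=$((fails + 1))
    fi

    # 4. Duplicate rules mean the ip-up script appended without flushing.
    dupes=$(printf '%s\n' "$dump" | grep '^-A' | sort | uniq -d)
    if [ -n "$dupes" ]; then
        printf 'FAIL: duplicate rule: %s\n' "$dupes"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

# Offline demonstration on the constructed dumps.
printf '%s\n' "$GOOD_DUMP" | audit_rules ppp0 && echo "GOOD_DUMP: no findings"
printf '%s\n' "$BAD_DUMP" | audit_rules ppp0 || echo "BAD_DUMP: see findings above"
```

On the gateway itself, `iptables-save | audit_rules ppp0` (or `"$PPP_IFACE"` from the ip-up environment) gives a quick regression check after editing the script; the duplicate-rule check in particular catches the case where the firewall script is appended on every reconnect.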