Linux Firewall with iptables

From JonDonym Wiki

Firewall with iptables

It is recommended to use a restrictive firewall on your host system. iptables is the standard tool for configuring the netfilter packet filter built into the Linux kernel. You may use a GUI tool for firewall setup or write a small script. We offer an example firewall script below, split into snippets you may copy and paste into one file. Copy the finished script to your server, make it executable and run it as root.

Header of the script with default rules. These rules filter IPv4 only; if the host also has an IPv6 address, set the same policies with ip6tables, otherwise IPv6 traffic bypasses this firewall entirely:

#!/bin/sh
IPT=/sbin/iptables
IFACE="eth0"
# clean up old settings
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -F
$IPT -X
# disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# enable loopback 
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# allow established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If your ISP monitors the server by ping, you usually have to answer ICMP echo requests. We recommend relying on the mix monitoring port instead and leaving out the following rule; the host then does not answer ping sweeps, although every TCP port opened below still shows up in a port scan. ICMP error messages belonging to existing connections (RELATED) are still accepted by the rule above, so path MTU discovery keeps working. It's your choice.

# enable ICMP (not recommended)
$IPT -A INPUT -m state --state NEW -p icmp -j ACCEPT

The following rules rate-limit new connections to the SSH port. iptables cannot see whether a login succeeded, so it counts TCP connection attempts: once a source address has opened more than three new connections within 120 seconds, further attempts from it are rejected until fewer than four attempts remain in the 120-second window (rejected attempts are recorded too, so a client that keeps hammering stays blocked). The port 22022 in the rules must match the Port setting of your sshd (22 by default), otherwise you lock yourself out. fail2ban, which reads the sshd log and blocks after actual failed logins, gives similar protection.

# enable and secure SSH (please, adapt the port!!!)
# 1) record every new connection attempt in the "recent" list named SSH (no target: the rule only records and falls through)
$IPT -A INPUT -i $IFACE -p tcp --dport 22022 -m state --state NEW -m recent --set --name SSH
# 2) reject the attempt if this source now has 4 or more entries within the last 120s
#    (--rttl: only count entries with the same TTL, so spoofed packets cannot get a legitimate address blocked)
$IPT -A INPUT -i $IFACE -p tcp --dport 22022 -m state --state NEW -m recent --rcheck --seconds 120 --hitcount 4 --rttl --name SSH -j REJECT --reject-with tcp-reset
# 3) otherwise accept the new connection
$IPT -A INPUT -i $IFACE -p tcp --dport 22022 -m state --state NEW -j ACCEPT

Open the ports of the mix services for the host system and all vservers (the host firewall also filters the packets addressed to the vserver IPs). For an entry mix you may use the following rules; replace 123.123.123.123 by the IP address of your mix (v)server:

# enable mix server
$IPT -A INPUT -i $IFACE -p tcp -d 123.123.123.123 --dport 443 -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp -d 123.123.123.123 --dport 80 -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp -d 123.123.123.123 --dport 6544 -j ACCEPT
# enable mix monitoring
$IPT -A INPUT -i $IFACE -p tcp -d 123.123.123.123 --dport 8080 -j ACCEPT

For middle and exit mixes you may restrict incoming connections on the mix port to the IP address of the previous mix. Replace 234.234.234.234 by the IP address of the previous mix and 123.123.123.123 by the IP address of your mix (v)server. If you know the address of the host that polls the monitoring port, the same -s restriction can be applied to port 8080:

# enable mix server
$IPT -A INPUT -i $IFACE -p tcp -d 123.123.123.123 -s 234.234.234.234 --dport 6544 -j ACCEPT 
# enable mix monitoring
$IPT -A INPUT -i $IFACE -p tcp -d 123.123.123.123 --dport 8080 -j ACCEPT

And finally, drop everything else. The INPUT policy is already DROP, so this rule is strictly redundant, but an explicit rule gives you a packet counter for dropped traffic and is the place to insert a LOG rule in front of it:

$IPT -A INPUT -j DROP
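The snippets above, assembled into one parameterized script, as an added example that is not the wiki's own script: it emits the same rules in iptables-save format so that iptables-restore loads the whole ruleset in one commit. Loading atomically avoids the window in the rule-by-rule version where INPUT already has policy DROP but the ESTABLISHED rule is not yet in place, and it means a typo in one line fails the whole load instead of leaving a half-built firewall. The variable names (ROLE, MIX_IP, PREV_MIX_IP, SSH_PORT, ALLOW_ICMP), the backup path /root/iptables.backup and the print/apply switch are this example's own choices; the addresses and ports are the placeholders from the page.

```shell
#!/bin/sh
# Added example (not the wiki's script): generate the mix firewall as an
# iptables-restore ruleset. Parameters come from the environment; the
# defaults are the placeholder values used on the page.
ROLE="${ROLE:-entry}"                          # entry | middle | exit
IFACE="${IFACE:-eth0}"
MIX_IP="${MIX_IP:-123.123.123.123}"            # your mix (v)server
PREV_MIX_IP="${PREV_MIX_IP:-234.234.234.234}"  # previous mix (middle/exit only)
SSH_PORT="${SSH_PORT:-22022}"                  # must match sshd's Port
ALLOW_ICMP="${ALLOW_ICMP:-no}"                 # yes only if your ISP pings you

# gen_rules prints the complete ruleset in iptables-save format.
# Listing the nat and mangle tables without rules empties them on restore,
# which replaces the six "-F/-X" lines of the original script.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$ALLOW_ICMP" = yes ]; then
        echo "-A INPUT -m state --state NEW -p icmp -j ACCEPT"
    fi
    # SSH: record, reject the 4th+ attempt within 120s, otherwise accept
    cat <<EOF
-A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH
-A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW -m recent --rcheck --seconds 120 --hitcount 4 --rttl --name SSH -j REJECT --reject-with tcp-reset
-A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
    case "$ROLE" in
        entry)      # public ports of an entry mix
            cat <<EOF
-A INPUT -i $IFACE -p tcp -d $MIX_IP --dport 443 -j ACCEPT
-A INPUT -i $IFACE -p tcp -d $MIX_IP --dport 80 -j ACCEPT
-A INPUT -i $IFACE -p tcp -d $MIX_IP --dport 6544 -j ACCEPT
EOF
            ;;
        middle|exit)  # only the previous mix may reach the mix port
            echo "-A INPUT -i $IFACE -p tcp -d $MIX_IP -s $PREV_MIX_IP --dport 6544 -j ACCEPT"
            ;;
        *)
            echo "unknown ROLE '$ROLE' (use entry, middle or exit)" >&2
            return 1
            ;;
    esac
    cat <<EOF
-A INPUT -i $IFACE -p tcp -d $MIX_IP --dport 8080 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# apply_rules keeps a copy of the running ruleset, then loads the new one
# in a single commit. The backup path is this example's choice.
apply_rules() {
    iptables-save > /root/iptables.backup
    echo 0 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules
fi
```

Run the script without arguments to review the ruleset it would load; `./mixfw.sh | iptables-restore --test` checks the syntax without loading it (on iptables versions that have --test), and `ROLE=middle ./mixfw.sh apply` loads it. Before applying over SSH, schedule a rollback such as `(sleep 120; iptables-restore < /root/iptables.backup) &` and kill that job only after a fresh SSH connection has succeeded.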