iptables script to block all internet access except for desired applications

Frontend · Unresolved · 1 answer · 1031 views
遇见更好的自我 2021-01-20 20:55

CONTEXT:

I wanted to have a shell script that would block all Inbound/Outbound traffic to my computer, UNLESS I decide I want to use the browser or

1 answer
  •  天涯浪人
    2021-01-20 21:18

    I only started learning about iptables 2 days ago, so even though the original code was written by experienced coders, I am not 100% confident in my ability to put it all together to produce the desired result.

    Coincidentally, I was looking for the same solution around the same time and saw your post. Just signed up to SO; hope this could help you and others. I'm still learning and open to suggestions and advice :)

    A few changes to the code. I needed to open all ports to local connections to make it work. Also changed 192.168.0.1/24 to 192.168.0.0/16. This range allows wifi/usb tethering to be included.

    # also allow local connections
    # TODO: use logging to see which ports are actually needed.
    sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
    sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
    

    Is the previous logic in order?

    Change the order of the code to this.

    # ONLY ACCEPT INPUT THAT WAS INITIATED BY SOME OUTPUT
    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # DROP ALL INPUT and FORWARD
    sudo iptables -A INPUT -j DROP
    sudo iptables -A FORWARD -j DROP
    

    Also add this code on top of the previous code. These are taken from the default firewall. Originally they contained a specific interface.

    # DNS (53) and DHCP (67)
    sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
    

    I get 2 errors as follows:

    ip6tables v1.6.0: host/network 127.0.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.

    ip6tables v1.6.0: host/network 198.168.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.

    Probably because you are using an IPv4 address. Change 127.0.0.1 to ::1/128 and 198.168.0.1 to fe80::/10. Can't help much with IPv6. I have no idea how it works and I don't think mine is using IPv6 at all.

    Complete Script:

    #!/bin/sh
    # only allow apps run from the "internet" group to reach the network
    
    # clear previous rules
    sudo iptables -F
    
    # accept packets for the internet group
    sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
    sudo iptables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
    # Some applications need more than tcp/udp, such as ping (ICMP).
    sudo iptables -A OUTPUT -p icmp -m owner --gid-owner internet -j ACCEPT
    # Less secure: open all protocols and ports for the group.
    #sudo iptables -A OUTPUT -m owner --gid-owner internet -j ACCEPT
    
    # also allow local connections
    # TODO: use logging to see which ports are actually needed.
    sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
    sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
    
    # reject packets for other users
    sudo iptables -A OUTPUT -j REJECT
    
    # Taken from default rules: DNS (53) and DHCP (67).
    sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
    
    # ONLY ACCEPT INPUT THAT WAS INITIATED BY SOME OUTPUT
    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # DROP ALL INPUT and FORWARD
    sudo iptables -A INPUT -j DROP
    sudo iptables -A FORWARD -j DROP
    
    
    # IPv6 Section
    
    # Flush ip6tables too
    sudo ip6tables -F
    
    # same process for IPv6:
    sudo ip6tables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
    sudo ip6tables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
    # mirrors the IPv4 ICMP rule above (ping6 and other ICMPv6 sent by the group)
    sudo ip6tables -A OUTPUT -p icmpv6 -m owner --gid-owner internet -j ACCEPT
    sudo ip6tables -A OUTPUT -d ::1/128 -j ACCEPT
    sudo ip6tables -A OUTPUT -d fe80::/10 -j ACCEPT
    sudo ip6tables -A OUTPUT -j REJECT
    
    sudo ip6tables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    sudo ip6tables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    sudo ip6tables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
    sudo ip6tables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
    sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo ip6tables -A INPUT -j DROP
    sudo ip6tables -A FORWARD -j DROP
    

    0 · Discussion (0)
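The TODO left in the answer ("use logging to see which ports are actually needed") can be closed with a LOG rule placed directly in front of the final OUTPUT REJECT, plus a small summary over the kernel log lines it produces. The script below is an added example and not code from the original post. It assumes the rule layout of the complete script above (one REJECT at the end of OUTPUT and a group named internet); the log prefix OUT-REJECT: is an arbitrary choice, run_online relies on sg from shadow-utils, and the log lines in SAMPLE_LOG are constructed in the netfilter LOG format rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): log what the OUTPUT REJECT is
# about to refuse, then summarize the kernel log by protocol, destination
# port and uid so the rule set can be adjusted from evidence.

LOG_PREFIX="OUT-REJECT: "   # assumed prefix; any short string works (max 29 chars)

# Insert a LOG rule at the position of the current OUTPUT REJECT, pushing the
# REJECT one slot down. --log-uid adds UID=/GID= of the owning socket; the
# limit match keeps a chatty process from flooding the log. Needs root.
install_log_rule() {
    pos=$(sudo iptables -L OUTPUT -n --line-numbers | awk '$2 == "REJECT" { print $1; exit }')
    [ -n "$pos" ] || { echo "no REJECT rule in OUTPUT" >&2; return 1; }
    sudo iptables -I OUTPUT "$pos" -m limit --limit 10/min -j LOG \
        --log-prefix "$LOG_PREFIX" --log-uid --log-level 4
}

# Start one program with "internet" as its effective group so the owner-match
# rules let it out, e.g.: run_online firefox
run_online() {
    sg internet -c "$*"
}

# Reduce prefixed LOG lines on stdin to "count proto dport uid", most frequent first.
summarize_rejects() {
    grep -F "$LOG_PREFIX" | awk '
    {
        proto = ""; dpt = ""; uid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "UID") uid = kv[2]
        }
        if (dpt == "") dpt = "-"        # ICMP carries no destination port
        if (uid == "") uid = "nosock"   # no UID= field: packet not tied to a user socket
        count[proto " " dpt " " uid]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample lines in the netfilter LOG format (not captured from a real host):
# two HTTPS attempts by uid 1000, one DNS query by uid 101, one NTP packet by root,
# and one unrelated kernel line that must be ignored.
SAMPLE_LOG='Jan 20 21:30:01 host kernel: [ 1234.5678] OUT-REJECT: IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jan 20 21:30:02 host kernel: [ 1235.0001] OUT-REJECT: IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jan 20 21:30:05 host kernel: [ 1238.1000] OUT-REJECT: IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=58230 DPT=53 LEN=53 UID=101 GID=103
Jan 20 21:30:09 host kernel: [ 1242.0000] OUT-REJECT: IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.77 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=46012 DPT=123 LEN=56 UID=0 GID=0
Jan 20 21:30:10 host kernel: [ 1243.0000] some unrelated kernel message'

# Most frequent rejected (proto, dport, uid) tuple in the sample.
top_reject() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_rejects | head -n 1
}

# Number of distinct rejected tuples in the sample.
reject_count() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_rejects | wc -l | tr -d ' '
}
```

On a live host, run install_log_rule once after the firewall script, let the machine work for a while, then feed `journalctl -k` or /var/log/kern.log into summarize_rejects; each line of the summary is a candidate for either a new ACCEPT rule (for example a resolver running as a system user) or for confirming that the block is doing what was intended.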