I've got a raspberry pi set up to send me periodic emails. As it's connected to the internet 24/7, I need IPTables set up properly.
I want to allow incoming SSH and allow emails to send out on port 587 via SMTP. I've came up with this IPTables script, is it correct? If not, can you tell me why. Thanks.
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 587 -j ACCEPT
A iptables rule like this works fine
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:156]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The first rule DROP by default all incoming connection the second DROP by default all forwarding the third ACCEPT the output,why accept?Is not too unsafe imho to make open the output connections,close it can make the firewall configuration a little difficult.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Accept the connection with state RELATED and established state
the rest is easy
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
accept 22 tcp,accept 587 tcp and forbid all the other connections, you can save on file and then do
iptables-restore < firewall.file
And check it with nmap -sS your host
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments