
Basic Desktop Firewall

Here are a few example firewalls for a desktop Linux system.

Basic Rules for Most Desktops

Since most desktop computers do not run any network services, the following rulesets are sufficient for most users on a private network: they accept loopback and ICMP traffic and the replies to connections the host itself opened, and reject everything else inbound.

iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

ip6tables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Basic Rules for Laptops

Since a laptop roams from network to network, we must assume that it will encounter hostile networks from time to time. For this reason, I recommend a harder configuration that silently drops unexpected packets, does not respond to ping, and blocks outgoing SNMP packets (which would otherwise give away the presence of the CUPS print server if the laptop is configured for printing anywhere).

iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 161 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp --dport 162 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp --dport 10161 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp --dport 10162 -j REJECT --reject-with icmp-port-unreachable
COMMIT

ip6tables

Note that IPv6 connectivity requires parts of ICMPv6 to be accepted in order to work properly. At a minimum, neighbor advertisement, neighbor solicitation, and router advertisement must get through for the laptop to join an IPv6 network. Other ICMPv6 packets, such as error messages, are implicitly allowed by accepting RELATED and ESTABLISHED traffic.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A OUTPUT -p udp --dport 161 -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -p udp --dport 162 -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -p udp --dport 10161 -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -p udp --dport 10162 -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
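
As an added example (not part of this page and not a tool from its author), the Python script below parses rulesets in the iptables-save format used above and checks them for the properties the text describes before they are loaded: DROP policies on INPUT and FORWARD, the loopback and RELATED,ESTABLISHED accepts (and that no catch-all REJECT or DROP sits ahead of the loopback rule, which would silently shadow it), and for the laptop profile no untyped ICMP accept (so ping goes unanswered), rejection of outgoing SNMP on udp 161, 162, 10161 and 10162, and for IPv6 the three ICMPv6 types listed in the note. The desktop IPv4 and laptop IPv6 rulesets are copied from the page as sample input; the broken variant is constructed here to show the checks firing. The parser assumes the one-argument option form used in these rulesets and does not handle negated ("!") matches.

```python
"""Audit iptables-save rulesets for the properties described on this page (added example)."""
import shlex

SNMP_PORTS = ("161", "162", "10161", "10162")
NDP_TYPES = {"neighbor-advertisement", "neighbor-solicitation", "router-advertisement"}

# Two rulesets copied from the page, used here as sample input.
DESKTOP_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
LAPTOP_V6 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A OUTPUT -p udp --dport 161 -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -p udp --dport 162 -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -p udp --dport 10161 -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -p udp --dport 10162 -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""
# Constructed flawed variant of the desktop rules: open INPUT policy, ctstate in
# the other order (harmless), loopback rule moved behind the catch-all REJECT.
BROKEN_V4 = (DESKTOP_V4.replace(":INPUT DROP", ":INPUT ACCEPT")
             .replace("RELATED,ESTABLISHED", "ESTABLISHED,RELATED")
             .replace("-A INPUT -i lo -j ACCEPT\n", "")
             .replace("COMMIT", "-A INPUT -i lo -j ACCEPT\nCOMMIT"))

def parse_ruleset(text):
    """iptables-save text -> ({chain: policy}, [{"chain", "pos", "opts"}]).
    opts maps each option to its one argument (True if none); "!" is not handled."""
    policies, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#*" or line == "COMMIT":
            continue                      # comment, table header, commit marker
        if line[0] == ":":
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens = shlex.split(line)        # "-A CHAIN opt arg opt arg ..."
        chain, opts, i = tokens[1], {}, 2
        while i < len(tokens):
            has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i]] = tokens[i + 1] if has_arg else True
            i += 2 if has_arg else 1
        pos = 1 + sum(r["chain"] == chain for r in rules)   # order within the chain
        rules.append({"chain": chain, "pos": pos, "opts": opts})
    return policies, rules

def find(rules, chain, want):
    """Rules in `chain` carrying every option in `want` (--ctstate compared as a set)."""
    def same(opt, have, value):
        if opt == "--ctstate" and isinstance(have, str):
            return set(have.split(",")) == set(value.split(","))
        return have == value
    return [r for r in rules if r["chain"] == chain
            and all(same(o, r["opts"].get(o), v) for o, v in want.items())]

def audit(text, laptop=False, ipv6=False):
    """Desktop-profile findings, plus the laptop checks when laptop=True; [] means clean."""
    policies, rules = parse_ruleset(text)
    out = [f"{c} policy is {policies.get(c)}, expected DROP"
           for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    lo = find(rules, "INPUT", {"-i": "lo", "-j": "ACCEPT"})
    if not lo:
        out.append("INPUT never accepts loopback traffic")
    elif any(r["chain"] == "INPUT" and r["pos"] < lo[0]["pos"]
             and set(r["opts"]) <= {"-j", "--reject-with"}       # no match options: catch-all
             and r["opts"].get("-j") in ("REJECT", "DROP") for r in rules):
        out.append("loopback ACCEPT is shadowed by an earlier catch-all REJECT/DROP")
    if not find(rules, "INPUT", {"-m": "conntrack", "--ctstate": "RELATED,ESTABLISHED", "-j": "ACCEPT"}):
        out.append("INPUT does not accept RELATED,ESTABLISHED traffic")
    if laptop:
        proto, topt = ("ipv6-icmp", "--icmpv6-type") if ipv6 else ("icmp", "--icmp-type")
        icmp_accepts = find(rules, "INPUT", {"-p": proto, "-j": "ACCEPT"})
        if any(topt not in r["opts"] for r in icmp_accepts):   # untyped accept answers ping
            out.append(f"INPUT accepts all {proto}, so the host answers ping")
        for port in SNMP_PORTS:
            if not find(rules, "OUTPUT", {"-p": "udp", "--dport": port, "-j": "REJECT"}):
                out.append(f"outgoing SNMP on udp/{port} is not blocked")
        if ipv6:   # roaming needs NDP even though everything else is dropped
            typed = {r["opts"][topt] for r in icmp_accepts if topt in r["opts"]}
            for t in sorted(NDP_TYPES - typed):
                out.append(f"ICMPv6 {t} is not accepted, so IPv6 roaming will fail")
    return out
```

Calling audit(DESKTOP_V4) or audit(LAPTOP_V6, laptop=True, ipv6=True) returns an empty list, while audit(BROKEN_V4, laptop=True) reports the open policy, the shadowed loopback rule, the answered ping and the three unblocked SNMP ports; feeding it audit(DESKTOP_V4, laptop=True) shows exactly what the desktop rules lack for roaming use. The script only reads text, so it can be run over the output of iptables-save on any machine; a syntax check of a file before loading it is still a job for iptables-restore --test.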

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.