Set up firewalls with iptables

EDIT 06 / 08 / 2015: Article updated

Many people ask whether antivirus software is needed on Android. The answer is no: all you will notice is extra CPU, RAM and battery consumption from a service that stays active in the background.
If you install apps from the Play Store you don't have to worry; if you install from third-party sources, you should at least enable Google's app verification scanner ("Verify apps" in the security settings).
We're going to configure a firewall on Android instead, which nobody talks about...

What is a firewall?
It is not an antivirus; it "regulates" the incoming and outgoing connections of our devices.
We can create rules, for example:
Port 22: accept incoming / outgoing
Port xx: refuse incoming / outgoing

(ports go from 1 to 65535)
Connections in the ESTABLISHED or RELATED state (this is what happens when we browse the web: we open a connection to the site and its replies belong to that established connection): accept
Anything no rule matches falls through to the chain's default policy. With a DROP policy on incoming traffic, others cannot open connections to us, while replies to connections we started are still let in by the ESTABLISHED rule.

What will we use?
First of all, the guide applies to any device with a Linux kernel, which today means essentially every Android phone and GNU/Linux PC.
The kernel has included the netfilter packet-filtering framework since version 2.4, and iptables is the userspace tool that configures it (install the iptables package if your distribution does not ship it).
In the case of Android we use an iptables frontend; if you want to configure it on a PC, you use the command line.
There are graphical frontends for desktop distributions too, but I always recommend the CLI.

For Android: the Firewall Rules Builder app (see the Android section below).

Procedure for Desktop PC with any GNU / Linux distro
We open our terminal (Terminator, gnome-terminal, xfce4-terminal, konsole, urxvt ...)
We get root permissions:

$ sudo su

or

$ su

We set the default policies of the first two chains:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP

In this way we are telling iptables to isolate us from the outside world 🙂
-P sets the default policy of a chain (INPUT, FORWARD and OUTPUT are the chains of the filter table): it is what happens to a packet that no rule matches. DROP silently discards the packet; it is different from the REJECT target, which sends an error back to the sender. The OUTPUT chain is left at its default ACCEPT policy, so our own outgoing connections keep working.

Caveat: if you are doing this over SSH, setting INPUT to DROP before the ESTABLISHED/RELATED and port 22 rules below exist cuts your session immediately, because the packets of the existing connection no longer match anything. On a remote machine add those rules first and set the policy last, or load everything in one go with iptables-restore.

We set the rule that allows local communication over the loopback interface lo (many local services, such as DNS caches or databases, talk to each other through it):

# iptables -A INPUT -i lo -j ACCEPT

-A appends a rule to a chain (here INPUT).
-i restricts the rule to a specific input interface, which can be lo, eth0, wlan0, wlp7s0, enp9s0 or any other.
-j indicates what the firewall should do with a matching packet (the target).
"Translating": in the INPUT chain, accept everything that arrives on interface lo.

Then we set the rule that allows packets belonging to connections that are already ESTABLISHED, or RELATED to one (for example the FTP data channel, or an ICMP error about one of our connections):

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Note that the state list is written without a space after the comma: "ESTABLISHED, RELATED" would be parsed as two arguments and the command would fail. On current iptables the same rule is usually written with the conntrack match (-m conntrack --ctstate ESTABLISHED,RELATED), of which -m state is the older alias.

Now, replies to connections we opened ourselves are allowed in.
Basically, the basic configuration is complete, but it is possible to do many other things, for example accepting new connections to a specific port (anything not explicitly accepted falls through to the DROP policy).
For example, I run an SSH server, so I want to allow new connections to TCP port 22:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Rules are evaluated in order and the first match decides; keeping the ESTABLISHED/RELATED rule near the top means the bulk of the traffic is accepted without checking the rest of the chain.

The rules are already active: iptables changes the running kernel immediately, but nothing survives a reboot unless we save them:

# iptables-save > /etc/iptables/iptables.rules

This path and the service name below are those of Arch Linux. Debian/Ubuntu use the iptables-persistent package instead, which loads /etc/iptables/rules.v4 (and rules.v6 for ip6tables), and other distributions have their own arrangement; check yours before relying on the rules being reloaded at boot.

Note also that everything above covers IPv4 only: ip6tables has its own chains and policies, and a host with IPv6 connectivity stays open on that side until the same is done there.

We enable the service at startup:

# systemctl enable iptables

(systemd)
If you are using OpenRC:

# rc-update add iptables default

(OpenRC)

# reboot

Check that everything is OK after reboot:

# iptables -L -n
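The desktop procedure above (and the Android steps further down, whose command database ends up holding the same commands minus the SSH rule) as one added shell script. This is an example written for this page, not code from the original article. It writes the ruleset in iptables-save format, the same format as the iptables.rules file above, so that iptables-restore can load it as a single atomic transaction: the DROP policy and the ESTABLISHED/RELATED rule arrive together and a remote SSH session is never cut. It goes a little beyond the article by using the conntrack match (the current form of -m state), dropping INVALID packets and allowing ping; the variable names, the rollback delay and the apply/rollback logic are assumptions of this example, not anything the article describes.

```shell
#!/bin/sh
# Added example, not code from the original article: the ruleset described
# above written as one iptables-restore file and loaded atomically, so a
# remote SSH session is never exposed to a DROP policy that is active before
# the ESTABLISHED/RELATED rule is. Assumptions (not from the page): the
# variable names, the rollback delay, the INVALID and ping rules, the paths.

FW_SSH_PORT="${FW_SSH_PORT:-22}"
FW_RULES_FILE="${FW_RULES_FILE:-/etc/iptables/iptables.rules}"
FW_ROLLBACK_SECS="${FW_ROLLBACK_SECS:-60}"

# Emit the filter table in iptables-save format. Default policies go in the
# header (":INPUT DROP"); lines starting with '#' are ignored by
# iptables-restore. The conntrack match is the current form of "-m state".
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local services talking to each other over loopback
-A INPUT -i lo -j ACCEPT
# replies to connections we opened (web, DNS, ...) and related traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection (bad TCP flags, stray ACKs)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new inbound SSH connections
-A INPUT -p tcp --dport ${FW_SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# keep ping working for reachability checks
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset without committing it (needs root).
check_rules() {
    build_rules | iptables-restore --test
}

# Apply atomically with a safety net: the previous ruleset is saved and a
# detached timer restores it unless we confirm the session still works.
apply_rules() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # nohup keeps the timer alive if the SSH session (and its SIGHUP) dies
    nohup sh -c "sleep $FW_ROLLBACK_SECS; iptables-restore < '$backup'" \
        </dev/null >/dev/null 2>&1 &
    timer=$!
    if ! build_rules | iptables-restore; then
        kill "$timer" 2>/dev/null
        echo "restore failed, ruleset unchanged" >&2
        return 1
    fi
    printf 'Rules applied. Press Enter within %ss to keep them: ' "$FW_ROLLBACK_SECS"
    if read -r _; then
        kill "$timer" 2>/dev/null && rm -f "$backup" && echo "kept"
    fi
}

case "${1:-}" in
    show)  build_rules ;;
    check) check_rules ;;
    save)  build_rules > "$FW_RULES_FILE" && echo "written to $FW_RULES_FILE" ;;
    apply) apply_rules ;;
    "")    ;;
    *)     echo "usage: $0 show|check|save|apply" >&2; exit 1 ;;
esac
```

Run it as `sh fw.sh show` to print the file, `check` to syntax-check it as root, `save` to write it to the path the iptables service loads at boot, and `apply` to load it live with a timed rollback: if the new rules kill your SSH session, nobody presses Enter and the previous ruleset comes back after the delay.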

Let's move on to Android
We open Firewall Rules Builder; the first time you use it, it guides you through a tutorial. Complete it and restart the app.

As soon as you open the app, you will be asked whether to set the rules for

  • Iptables
  • Cisco ACL
  • RouterOS

From the drop-down menu we select Iptables, then we are taken to the second activity:
(screenshot: init_input_drop)

Let's scroll down...
(screenshot: init_input_drop_1)

We set the rules:
We request a new POLICY for the INPUT chain, with target DROP (the app labels the chain field "Table"):

  1. At the top, under Command, tap the drop-down menu and select Policy
  2. Under Table, from the drop-down menu, select INPUT
  3. At the bottom, under Target, from the drop-down menu, select DROP
  4. Tap the button: Generate Command

Another activity...
(screenshot: show_command)
It shows us the generated command (iptables -P INPUT DROP). To apply the changes we add the command to the command database: tap Add to DB.

We repeat the steps for the FORWARD chain (Policy, FORWARD, DROP).

We set the rules for ESTABLISHED, RELATED connection states; the interface lo

Interface lo

    1. Command: Append
    2. Table: INPUT
    3. Protocol: we press on the "All:" checkbox
    4. In-interface: lo
    5. Target: ACCEPT
    6. Generate command
    7. Add to the command database

ESTABLISHED, RELATED states

      1. Command: Append
      2. Table: INPUT
      3. Protocol: checkbox: All
      4. State: tick ESTABLISHED and RELATED
      5. Target: ACCEPT
      6. Generate command
      7. Add to the database

Finally, tap Show DB to display the command database; this is the final result, the same commands as the desktop procedure minus the SSH rule:
(screenshot: final_rules)
