Dillinja
Configuring iptables

If you have a Linux box on the Internet, be assured there are people out there who will attempt to attack, break into or otherwise mess with your system.

You can use "packet filtering" software on Linux to, well, filter the network packets coming into or out of your system. iptables is the most recent version of the Linux packet filtering tools and ipchains was used before.

This article is about configuring a "firewall" for a standalone Linux system, such as a home Web server. If you want to configure a dedicated firewall system for a LAN, you will need more help than I can offer, but this might still be useful.

Before attempting to write your own firewall script (i.e. defining your iptables rules) make sure you read one of the many tutorials on iptables or ipchains to understand the concept of chains (see the resources listed below).

After just installing iptables, it will have no rules on the INPUT, OUTPUT or FORWARD chains:

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

And the default policy on each chain is "ACCEPT", which means there are no restrictions: any incoming and any outgoing packets are allowed.

We want to connect to any address and port from our system, so we'll leave the OUTPUT chain to ACCEPT all outgoing connections. However, we don't want anyone to connect to our server unless we specify which ports are open, etc., so let's DROP everything on the INPUT and FORWARD chains. Our initial minimal firewall script will look like this:

# flush every rule in the built-in chains, then delete any user-defined chains
iptables -F
iptables -X

# default policies: anything not matched by a later rule gets this verdict
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP

With these initial rules, we can connect to any other servers, but nobody can connect to us. But now our system is so "safe", it's almost useless! Since no-one can connect to us, it also means when we connect to someone else, they can't even reply! So the next step is to add a rule to the script to tell iptables to allow incoming packets only if they are related to a connection that we established:

# accept replies to connections we opened, and packets related to them (e.g. ICMP errors, FTP data)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now we can browse Web sites, check mail, etc, but no one can establish a new connection to our machine. This is useful for a workstation setup, but since we're running a Web server, we need to allow incoming connections only for the HTTP port (port 80). Let's also allow people to ping us (icmp protocol):

# allow new TCP connections to the Web server (port 80, named "http" in /etc/services)
iptables -A INPUT -i eth0 -p tcp --dport http -j ACCEPT
# allow ICMP so the host can be pinged
iptables -A INPUT -i eth0 -p icmp -j ACCEPT

Now you just continue in this way to open the ports you want to allow (smtp, pop3, ssh etc). You can also configure iptables to log invalid packets, etc.

Once you're done with your firewall script, you can configure iptables to automatically load the new changes after reboots:

# iptables-save > /etc/sysconfig/iptables

(taken from codeblast.com)
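The post walks through the rules one at a time; below is the whole procedure collected into one script. This is an added example, not code from the post or from codeblast.com. It assumes the public interface is eth0 and that ssh and http are the services to expose (both overridable through environment variables), and it adds two things the post only alludes to or omits: logging of INVALID and dropped packets, and a rule accepting loopback traffic, which the post's eth0-only ESTABLISHED,RELATED rule would otherwise leave to the DROP policy. The rule set is generated by a function so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Standalone-server firewall assembled from the steps in the post above.
# Assumptions (mine, not from the post): public interface eth0, services ssh and http.
IFACE="${IFACE:-eth0}"
TCP_SERVICES="${TCP_SERVICES:-ssh http}"   # constructed list of services to open

# Print the rule set, one iptables command per line. Generating rather than
# running them lets you inspect (or test) the policy without root or a live kernel.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state INVALID -j LOG --log-prefix "IPT INVALID: "
iptables -A INPUT -i $IFACE -m state --state INVALID -j DROP
EOF
    # one ACCEPT per exposed TCP service; NEW restricts it to connection openings
    for svc in $TCP_SERVICES; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $svc -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPT DROP: " --log-level 4
EOF
}

# Sanity check before applying: how many rules open the given TCP service?
count_open_tcp() {
    firewall_rules | grep -c -- "-p tcp --dport $1 " || true
}

# "sh firewall.sh apply" runs the rules as root and persists them the way the post shows;
# with no argument the script only prints the rules for review.
if [ "$1" = "apply" ]; then
    firewall_rules | sh -e && iptables-save > /etc/sysconfig/iptables
else
    firewall_rules
fi
```

Packets that reach the final LOG rule fall through to the INPUT DROP policy, so the kernel log shows exactly what the firewall refused; the INVALID rules catch packets that do not belong to any tracked connection (the "log invalid packets" the post mentions) and drop them explicitly.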
Dillinja
http://www.linuxguruz.com/iptables/

An excellent table of links, from everything to iptables FAQs to sample scripts and recommended rules.
packet
Great post! Yeah I love IPTables, at this point I would put it up against just about any (stateful inspection) firewall out there as far as security and features.

Good stuff!

--P.G.
Dillinja
To be absolutely safe, you could just enter these rules:
CODE

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP


and play solitaire for the rest of your days! :)
packet
I would just use a scissors and be absolutely sure... I mean what if your firewall crashed? Best not to let the evil Internet have any connection to the box. You should also make a tin-foil helmet to protect them from getting in directly to your Brain :D

--P.G.
Fletcher
make it easy by using shorewall !!
Invision Power Board © 2001-2005 Invision Power Services, Inc.