This article describes how to set up a basic firewall configuration on a Linux box with iptables.
Check your current rules with (add -n -v to skip reverse DNS lookups and to show interfaces and packet counters; -L only lists the filter table, not nat or mangle):
sudo iptables -L
Flush all rules in the filter table (this removes the rules but leaves the chain policies, so a DROP policy stays in place):
sudo iptables -F
Set up the most basic firewall with the script below. It sets the default policy of the INPUT, OUTPUT and FORWARD chains to DROP and only accepts new inbound SSH connections (tcp/22), which are logged to /var/log/syslog with the prefix "SSH CONNECTION". Outbound, it only allows new SSH connections, so DNS, package updates and any other outgoing traffic are blocked until you add rules for them, and loopback traffic is not exempted either. Adjust the script to allow the ports and interfaces you need (an ACCEPT rule for -i lo on INPUT and -o lo on OUTPUT is the first thing most hosts need), and run it from a console rather than over SSH the first time in case a mistake locks you out. Note the trailing space in each --log-prefix: without it the prefix runs straight into the IN= field in the log line.
Both the INPUT and OUTPUT chain end with a catch-all LOG rule. LOG is a non-terminating target, so a packet that reaches it is logged and then falls through to the chain's DROP policy. These rules are not rate-limited; on a noisy network they can fill /var/log/syslog quickly, so consider adding -m limit to them.
#!/bin/sh
IPTABLES=/sbin/iptables

### Flush existing rules in the filter table
$IPTABLES -F

### Set default policies for INPUT, OUTPUT and FORWARD chain to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

####### INPUT chain ######

### State tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections in (new SSH connections, logged before they are accepted)
$IPTABLES -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH CONNECTION "
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default INPUT LOG rule (anything reaching here is logged, then dropped by the policy)
$IPTABLES -A INPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options

####### OUTPUT chain ######

### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections out (only new outbound SSH connections)
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default OUTPUT LOG rule (anything reaching here is logged, then dropped by the policy)
$IPTABLES -A OUTPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options
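The LOG rules write kernel messages to /var/log/syslog in a fixed key=value layout. The following Python script, an added example that is not part of the original article, parses those lines and summarises new SSH connection attempts per source address, packets dropped as INVALID, and packets that reached the catch-all rule (and so were dropped by the policy). The log lines are constructed to match the LOG target's output format; the host name fw, the addresses and the MAC addresses are made up. The prefix is taken as everything before the IN= field, so a line from a rule whose --log-prefix lacks the trailing space (for example "SSH CONNECTIONIN=eth0") parses the same as one with the space.

```python
import re
from collections import Counter

# Constructed sample of /var/log/syslog lines in the layout the iptables LOG target
# produces (host name "fw", addresses and MACs are made up). The second line shows a
# --log-prefix without a trailing space, where the prefix runs into the IN= field.
# The last line is an ordinary sshd message that the parser must ignore.
SAMPLE_SYSLOG = """\
Mar 10 12:00:01 fw kernel: [ 1234.567890] SSH CONNECTION IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 fw kernel: [ 1235.001122] SSH CONNECTIONIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:05 fw kernel: [ 1238.424242] SSH CONNECTION IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:06 fw kernel: [ 1239.000001] DROP INVALID IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=778 PROTO=TCP SPT=40001 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Mar 10 12:00:09 fw kernel: [ 1242.111111] LOG IN=eth0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Mar 10 12:00:10 fw kernel: [ 1243.222222] LOG IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=UDP SPT=43210 DPT=53 LEN=44
Mar 10 12:00:11 fw sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
"""

# Everything between the (optional) kernel timestamp and the first "IN=" is the --log-prefix.
LOG_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)$")


def parse_line(line):
    """Return {'time', 'prefix', 'fields', 'flags'} for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value      # a second LEN= (UDP length) overwrites the IP LEN=
        else:
            flags.append(token)      # DF, SYN, ACK, RST, ... carry no value
    return {
        "time": line[:15],           # traditional syslog timestamp, e.g. "Mar 10 12:00:01"
        "prefix": m.group("prefix").strip(),
        "fields": fields,
        "flags": flags,
    }


def parse_syslog(text):
    """Parse all iptables LOG lines in a syslog excerpt, skipping other messages."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def events_by_prefix(events):
    """How many log lines each rule (identified by its --log-prefix) produced."""
    return Counter(ev["prefix"] for ev in events)


def new_ssh_attempts(events):
    """New TCP connections to port 22 per source address: a SYN without ACK, logged by the
    'SSH CONNECTION' rule just before the ACCEPT rule lets it through."""
    attempts = Counter()
    for ev in events:
        f = ev["fields"]
        if (ev["prefix"] == "SSH CONNECTION" and f.get("PROTO") == "TCP"
                and f.get("DPT") == "22" and "SYN" in ev["flags"]
                and "ACK" not in ev["flags"]):
            attempts[f["SRC"]] += 1
    return attempts


def dropped_by_policy(events):
    """Packets that hit the final 'LOG' rule, i.e. fell through to the chain's DROP policy,
    keyed by (direction, protocol, destination port). Outbound packets have OUT= set."""
    dropped = Counter()
    for ev in events:
        if ev["prefix"] == "LOG":
            f = ev["fields"]
            direction = "out" if f.get("OUT") else "in"
            dropped[(direction, f.get("PROTO"), f.get("DPT"))] += 1
    return dropped


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    print("lines per rule:", dict(events_by_prefix(evs)))
    print("new SSH attempts per source:", dict(new_ssh_attempts(evs)))
    for key, count in dropped_by_policy(evs).items():
        print("dropped by policy:", key, count)
```

Against a real log, pass the file contents to parse_syslog (for example open('/var/log/syslog').read()). The dropped_by_policy summary is the quickest way to see which traffic the DROP policies are silently killing; in the sample it shows the outbound DNS query on udp/53 that the OUTPUT chain above does not allow.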
Saving your iptables configuration: install iptables-persistent and answer Yes to both debconf questions, which save the currently loaded IPv4 and IPv6 rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6. These files are loaded again at boot:
sudo apt-get install iptables-persistent
Start the persistency service:
sudo service iptables-persistent start
After changing the rules, store the running configuration to those files with
sudo service iptables-persistent save
or reload the saved configuration:
sudo service iptables-persistent reload
On current Debian and Ubuntu releases the package is still called iptables-persistent, but the service it ships is named netfilter-persistent, so use sudo netfilter-persistent save and sudo netfilter-persistent reload (or sudo service netfilter-persistent save / reload) instead.
More detailed information can be found here.