This article describes how to setup a basic firewall configuration on your linux box with iptables.

Check your current setup with:

sudo iptables -L

Reset the default firewall rules:

sudo iptables -F

Setup the most basic firewall with the script below. This script only allows ssh connections (which are being logged in /var/log/syslog); adjust the script to allow communications through other ports.

Both the OUTPUT and INPUT chain have a default log rule at the end of the chain.

#!bin/sh
IPTABLES=/sbin/iptables
$IPTABLES -F
### Set default policies for INPUT, OUTPUT and FORWARD chain to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
####### INPUT chain ######
### State tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections in
$IPTABLES -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH CONNECTION"
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options

####### OUTPUT chain ######
### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections out
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options

Saving your iptables configuration (answer Yes to both questions):

sudo apt-get install iptables-persistent

Start the persistency service:

sudo service iptables-persistent start

Changes to your configuration can be stored by using the command

sudo service iptables-persistent save

Or reload the current configuration:

sudo service iptables-persistent reload

More detailed information can be found here.

Share

Leave a Reply

Your email address will not be published.