Firewall for Single Host with Iptables

Moved: LATEST VERSION OF THIS FIREWALL IS NOW http://www.iki.fi/karvinen/iptables_firewall.html

Firewall for Single Host with Iptables

Firewall protects computers conneted to the internet by filtering incoming
traffic. Every workstation and server should have a firewall, even if
company has a firewall between internet and internal network. This howto
has a simple iptables-based firewall for workstations and servers.

Moved: LATEST VERSION OF THIS FIREWALL IS NOW http://www.iki.fi/karvinen/iptables_firewall.html

(c) 2003 Tero Karvinen

Why This Firewall

Iptables scales well for big firewalls. Even many hardware firewalls use
iptables, or its predecessor ipchains. Because most Linux distros, such as Red Hat,
have iptables pre-installed, you can start using it right away. However, many
user interfaces for iptables suck big time. For example lokkit, Red Hats default
tool for configuring iptables, does not show what rules user had before, overwrites
manually made changes and offers many dangerous and useless options with little
help.

The following shell script sets up a firewall, and stores it so that it is
automatically loaded when computer boots. When you need to modify the firewall,
just edit the script and run it again. The right moment to install a firewall is
before computer is plugged to network for the first time.

Simple per-host iptables firewall

Become root with su -. Save the script below to
/root/bin/firewall.sh.

#!/bin/sh
# firewall.sh - Configurable per-host firewall for workstations and
# servers.(c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL
# Cleanup old rules # All the time firewall is in a secure, closed state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        # Flush all rules, but keep policies
iptables --delete-chain
## Workstation Minimal firewall ###
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
####### HOLES ####### Edit holes below, then run this script again
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#iptables -A INPUT -p tcp --dport http -j ACCEPT
#iptables -A INPUT -p tcp --dport https -j ACCEPT
##################### Edit above
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo "$0: Done."

Now run the script to install settings (do not type the #)

# chmod u+x /root/bin/firewall.sh
# /root/bin/firewall.sh

It should say “firewall.sh: Done”. You can check your settings with
iptables -L.

Well done, you have a firewall.

You can also share an internet connection with iptables and
NAT
.

<< Back to homepage

Tested with Red Hat Linux 9 Shrike. TODO: Links iptables howto, Rustys
tutorial, quicktables.

Copyright 2003-11-19 (Separated nat to its own document) Tero
Karvinen
. GNU Free Documentation License.
XHTML Basic 1.0

Posted in Old Site | Tagged , , , , , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

*

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

  • Recent Posts

  • Picks

  • Boxing Clock for AndroidOcton8 Diving T-ShirtsShaking Tower Panda Android GameLearn Chinese with Android
  • Student projects