Firewall protects computers conneted to the internet by filtering incoming traffic. Every workstation and server should have a firewall, even if company has a firewall between internet and internal network. This howto has a simple iptables-based firewall for workstations and servers.
(c) 2003 Tero Karvinen
Iptables scales well for big firewalls. Even many hardware firewalls use iptables, or its predecessor ipchains. Because most Linux distros, such as Red Hat, have iptables pre-installed, you can start using it right away. However, many user interfaces for iptables suck big time. For example lokkit, Red Hats default tool for configuring iptables, does not show what rules user had before, overwrites manually made changes and offers many dangerous and useless options with little help.
The following shell script sets up a firewall, and stores it so that it is automatically loaded when computer boots. When you need to modify the firewall, just edit the script and run it again. The right moment to install a firewall is before computer is plugged to network for the first time.
Become root with su -. Save the script below to
/root/bin/firewall.sh.
#!/bin/sh # firewall.sh - Configurable per-host firewall for workstations and # servers.(c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL # Cleanup old rules # All the time firewall is in a secure, closed state iptables -P INPUT DROP iptables -P FORWARD DROP iptables --flush # Flush all rules, but keep policies iptables --delete-chain ## Workstation Minimal firewall ### iptables -P FORWARD DROP iptables -P INPUT DROP iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT ####### HOLES ####### Edit holes below, then run this script again #iptables -A INPUT -p tcp --dport ssh -j ACCEPT #iptables -A INPUT -p tcp --dport http -j ACCEPT #iptables -A INPUT -p tcp --dport https -j ACCEPT ##################### Edit above iptables -A INPUT -j LOG -m limit --limit 40/minute iptables -A INPUT -j DROP # Save iptables-save > /etc/sysconfig/iptables echo "$0: Done."
Now run the script to install settings (do not type the #)
# chmod u+x /root/bin/firewall.sh
# /root/bin/firewall.sh
It should say "firewall.sh: Done". You can check your settings with
iptables -L.
Well done, you have a firewall.
You can also share an internet connection with iptables and NAT.
Tested with Red Hat Linux 9 Shrike. TODO: Links iptables howto, Rustys tutorial, quicktables.
Copyright 2003-11-19 (Separated nat to its own document) Tero Karvinen. GNU Free Documentation License. XHTML Basic 1.0