Moved: LATEST VERSION OF THIS FIREWALL IS NOW http://www.iki.fi/karvinen/iptables_firewall.html
Firewall for Single Host with Iptables
Firewall protects computers conneted to the internet by filtering incoming
traffic. Every workstation and server should have a firewall, even if
company has a firewall between internet and internal network. This howto
has a simple iptables-based firewall for workstations and servers.
Moved: LATEST VERSION OF THIS FIREWALL IS NOW http://www.iki.fi/karvinen/iptables_firewall.html
(c) 2003 Tero Karvinen
Why This Firewall
Iptables scales well for big firewalls. Even many hardware firewalls use
iptables, or its predecessor ipchains. Because most Linux distros, such as Red Hat,
have iptables pre-installed, you can start using it right away. However, many
user interfaces for iptables suck big time. For example lokkit, Red Hats default
tool for configuring iptables, does not show what rules user had before, overwrites
manually made changes and offers many dangerous and useless options with little
help.
The following shell script sets up a firewall, and stores it so that it is
automatically loaded when computer boots. When you need to modify the firewall,
just edit the script and run it again. The right moment to install a firewall is
before computer is plugged to network for the first time.
Simple per-host iptables firewall
Become root with su -. Save the script below to
/root/bin/firewall.sh.
#!/bin/sh # firewall.sh - Configurable per-host firewall for workstations and # servers.(c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL # Cleanup old rules # All the time firewall is in a secure, closed state iptables -P INPUT DROP iptables -P FORWARD DROP iptables --flush # Flush all rules, but keep policies iptables --delete-chain ## Workstation Minimal firewall ### iptables -P FORWARD DROP iptables -P INPUT DROP iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT ####### HOLES ####### Edit holes below, then run this script again #iptables -A INPUT -p tcp --dport ssh -j ACCEPT #iptables -A INPUT -p tcp --dport http -j ACCEPT #iptables -A INPUT -p tcp --dport https -j ACCEPT ##################### Edit above iptables -A INPUT -j LOG -m limit --limit 40/minute iptables -A INPUT -j DROP # Save iptables-save > /etc/sysconfig/iptables echo "$0: Done."
Now run the script to install settings (do not type the #)
# chmod u+x /root/bin/firewall.sh
# /root/bin/firewall.sh
It should say “firewall.sh: Done”. You can check your settings with
iptables -L.
Well done, you have a firewall.
You can also share an internet connection with iptables and
NAT.
Tested with Red Hat Linux 9 Shrike. TODO: Links iptables howto, Rustys
tutorial, quicktables.
Copyright 2003-11-19 (Separated nat to its own document) Tero
Karvinen. GNU Free Documentation License.
XHTML Basic 1.0