Tero Karvinen - Articles - Downloads - Courses - Contact

Table of Contents

Firewall for Single Host with Iptables

Firewall protects computers conneted to the internet by filtering incoming traffic. Every workstation and server should have a firewall, even if company has a firewall between internet and internal network. This howto has a simple iptables-based firewall for workstations and servers.

Update 2006-10-01: A more packaged solution is now available: firetero.

© 2003-2006 Tero Karvinen

This document has been translated to Hindi (pdf) by Amrit Bansal.

New: a contributed init.d script was added to links.

Why This Firewall

Iptables scales well for big firewalls. Even many hardware firewalls use iptables, or its predecessor ipchains. Because most Linux distros, such as Red Hat, have iptables pre-installed, you can start using it right away. However, many user interfaces for iptables suck big time. For example lokkit, Red Hats default tool for configuring iptables, does not show what rules user had before, overwrites manually made changes and offers many dangerous and useless options with little help.

The following shell script sets up a firewall, and stores it so that it is automatically loaded when computer boots. When you need to modify the firewall, just edit the script and run it again. The right moment to install a firewall is before computer is plugged to network for the first time. Simple per-host iptables firewall

Become root with su -. Save the script below to /root/bin/firewall.sh.

#!/bin/sh
# firewall.sh - Configurable per-host firewall for workstations and
# servers.(c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL
# Cleanup old rules # All the time firewall is in a secure, closed state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        # Flush all rules, but keep policies 
iptables --delete-chain
## Workstation Minimal firewall ###
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT 
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
####### HOLES ####### Edit holes below, then run this script again
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#iptables -A INPUT -p tcp --dport http -j ACCEPT
#iptables -A INPUT -p tcp --dport https -j ACCEPT
##################### Edit above
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo ": Done."

Now run the script to install settings (do not type the #)

# chmod u+x /root/bin/firewall.sh
# /root/bin/firewall.sh

It should say “firewall.sh: Done”. You can check your settings with iptables -L.

Well done, you have a firewall.

You can also share an internet connection with iptables and NAT.

Links

Johansen 2006: Teros Firewall as normal /etc/init.d script (local mirror)

Iptables Howto

Rustys’ iptables tutorial

Quicktables

Adminstrivia

Tested with Red Hat Linux 9 Shrike.

Changelog:

Copyright 2003-2006 Tero Karvinen. GNU Free Documentation License or GNU General Public License v2, user can choose either.

Last modified: 2007-10-29. Permanent url: http://www.iki.fi/karvinen/iptables_firewall.html

Tero Karvinen www.iki.fi/karvinen - Top - Validate HTML - Validate CSS