Firewall for Single Host with Iptables
A firewall protects computers connected to the internet by filtering incoming traffic. Every workstation and server should have its own firewall, even if the company has a firewall between the internet and the internal network. This howto gives a simple iptables-based firewall for workstations and servers.
Update 2006-10-01: A more packaged solution is now available: firetero.
© 2003-2006 Tero Karvinen
This document has been translated to Hindi (pdf) by Amrit Bansal.
New: a contributed init.d script was added to the Links section.
Why This Firewall
Iptables scales well for big firewalls. Even many hardware firewalls use iptables, or its predecessor ipchains. Because most Linux distros, such as Red Hat, have iptables pre-installed, you can start using it right away. However, many user interfaces for iptables suck big time. For example lokkit, Red Hat's default tool for configuring iptables, does not show what rules the user had before, overwrites manually made changes and offers many dangerous and useless options with little help.
The following shell script sets up a firewall, and stores it so that it is automatically loaded when the computer boots. When you need to modify the firewall, just edit the script and run it again. The right moment to install a firewall is before the computer is plugged into the network for the first time.
Simple per-host iptables firewall
Become root with su -. Save the script below to /root/bin/firewall.sh.
#!/bin/sh
# firewall.sh - Configurable per-host firewall for workstations and
# servers. (c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL

# Cleanup old rules
# All the time firewall is in a secure, closed state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        # Flush all rules, but keep policies
iptables --delete-chain

## Workstation Minimal firewall ###
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

####### HOLES #######
# Edit holes below, then run this script again
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#iptables -A INPUT -p tcp --dport http -j ACCEPT
#iptables -A INPUT -p tcp --dport https -j ACCEPT
##################### Edit above

# Log (rate limited) and drop everything that was not accepted above
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP

# Save, so the rules are loaded again at boot (Red Hat reads /etc/sysconfig/iptables)
iptables-save > /etc/sysconfig/iptables
echo "$(basename "$0"): Done."   # prints "firewall.sh: Done."
Now run the script to install settings (do not type the #)
# chmod u+x /root/bin/firewall.sh
# /root/bin/firewall.sh
It should say “firewall.sh: Done”. You can check your settings with iptables -L.
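Beyond reading iptables -L by eye, the saved ruleset can be audited for the shape firewall.sh intends: DROP policies on INPUT and FORWARD, an explicit list of open TCP holes, and a rate-limited LOG rule just before the final DROP. The script below is an added example, not part of this howto or of firewall.sh; its SAMPLE_RULES text is constructed by hand to resemble /etc/sysconfig/iptables after running firewall.sh with the ssh hole uncommented.

```shell
#!/bin/sh
# audit_firewall.sh - added example (not from the howto): check a ruleset in
# iptables-save format for the shape firewall.sh intends: DROP policies on
# INPUT/FORWARD, an explicit hole list, and a rate-limited LOG before the
# final DROP. SAMPLE_RULES is constructed to resemble /etc/sysconfig/iptables
# after running firewall.sh with the ssh hole uncommented.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 40/min -j LOG
-A INPUT -j DROP
COMMIT'
# policy_of CHAIN: print the default policy of CHAIN (iptables-save text on stdin)
policy_of() {
    awk -v chain=":$1" '$1 == chain { print $2 }'
}

# open_tcp_ports: print every TCP destination port explicitly ACCEPTed on INPUT
open_tcp_ports() {
    awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# logs_before_final_drop: succeed only if the last two INPUT rules are
# a rate-limited LOG followed by the catch-all DROP
logs_before_final_drop() {
    awk '/^-A INPUT/ { prev = cur; cur = $0 }
         END { exit !(prev ~ /-m limit/ && prev ~ /-j LOG/ && cur ~ /-j DROP$/) }'
}

# audit RULES: print a one-line summary; return 0 only when the ruleset is closed by default
audit() {
    rules=$1
    in_pol=$(printf '%s\n' "$rules" | policy_of INPUT)
    fw_pol=$(printf '%s\n' "$rules" | policy_of FORWARD)
    ports=$(printf '%s\n' "$rules" | open_tcp_ports | tr '\n' ' ')
    echo "INPUT policy: $in_pol, FORWARD policy: $fw_pol, open tcp ports: ${ports:-none}"
    [ "$in_pol" = DROP ] && [ "$fw_pol" = DROP ] &&
        printf '%s\n' "$rules" | logs_before_final_drop
}
audit "$SAMPLE_RULES"
```

To audit a real host, replace the last line with audit "$(cat /etc/sysconfig/iptables)" and check the exit status.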
Well done, you have a firewall.
You can also share an internet connection with iptables and NAT.
Links
Johansen 2006: Tero's Firewall as a normal /etc/init.d script (local mirror)
Iptables Howto
Rusty's iptables tutorial
Quicktables
Administrivia
Tested with Red Hat Linux 9 Shrike.
Changelog:
- 2006-08-18 Copywriting document. Linked to Johansen's (2006) init.d version.
- 2003-11-19 Separated NAT to its own document.
- Earlier ChangeLog missing.
Copyright 2003-2006 Tero Karvinen. GNU Free Documentation License or GNU General Public License v2, user can choose either.