Simple Linux Firewall

I was looking for a simple Linux firewall script for my Linux box, but every script that I came across had a lot of wizards and was too complex to understand.

Simple Linux firewall script

I’m going to explain how to add this script to startup on Debian Linux. Since the iptables initscript is deprecated, we need to put this script in the /etc/init.d directory.

vi /etc/init.d/firewall
#! /bin/sh
# Select interfaces for which you want to apply this firewall
INTERFACES="eth0 eth1"

start_firewall() {
set -x

# Load needed kernel modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Clear any existing firewall stuff before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT

# Related and established connections: see
#   http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
#
# Accept all incoming traffic associated with an established
# connection, or a "related" connection
#
# This will automatically handle incoming UDP traffic associated with
# DNS queries, as well as PASSIVE mode FTP (provided the ip_conntrack_ftp module is loaded)
for f in $INTERFACES
do
iptables -A INPUT -i $f -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Allow connections on selected ports to the firewalled computer:
#   22 ssh
#   80 web
#   25 smtp (mail)
for f in $INTERFACES
do
# Use the loop variable $f so every interface in $INTERFACES gets the rules
iptables -A INPUT -p tcp -i $f --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i $f --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i $f --dport 25 -m state --state NEW -j ACCEPT
done

# Allow icmp input so that people can ping us but limit it to 10/sec.
# The limit match only takes effect if whatever exceeds it is dropped,
# so the second rule must be DROP, not an unconditional ACCEPT.
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP

# Logging: first, eliminate any packets that are going to broadcast
# addresses, since they will overwhelm the log files if there are any
# windows computers on our network. Also, don't log pesky multicast
# packets that we block.
# The mask 0.0.0.255 matches any destination whose last octet is 255,
# i.e. the directed broadcast address of any /24 network.
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Log all other blocked packets, and change DROP to REJECT to be
# polite and allow people connecting to a blocked port to receive a
# "connection refused" message instead of timing out after 30 seconds.
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT

}

stop_firewall() {

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT

}

case "$1" in
    start)
        echo -n "Starting firewall:"
        start_firewall
        echo " done."
        ;;
    stop)
        echo -n "Stopping firewall:"
        stop_firewall
        echo " done."
        ;;
    restart)
        $0 stop && $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit 0

Now we need to make it executable and set it to start on boot

chmod +x /etc/init.d/firewall
update-rc.d firewall defaults

All you need to do is choose the interfaces you want the simple firewall to apply to, and choose which ports you want to open.
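Before enabling the script on boot it is worth previewing the ruleset it would load, and checking that the per-interface loop really binds each rule to its own interface and that the ICMP limit is followed by a DROP. The following is an added example, not part of the original script: it reproduces the INPUT chain above as shell functions that emit the iptables commands through a variable IPT, which defaults to a dry run (echo) so the rules can be inspected without root; set IPT=iptables to apply them for real. The function names (gen_port_rules, gen_icmp_rules, gen_ruleset, count_port_rules) are my own.

```shell
#!/bin/sh
# Added example: dry-run generator for the INPUT chain built by the firewall
# script above. IPT defaults to "echo iptables" so nothing touches the kernel;
# run with IPT=iptables (as root) to load the rules for real.
IPT="${IPT:-echo iptables}"

# gen_port_rules IFACE "PORT PORT ..."
# One NEW-state ACCEPT rule per TCP port, bound to the interface passed in
# (not to a hardcoded eth0, which was the bug in the original loop).
gen_port_rules() {
    iface="$1"
    ports="$2"
    for p in $ports; do
        $IPT -A INPUT -p tcp -i "$iface" --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# gen_icmp_rules: rate-limited ping. The DROP after the limit rule is what
# makes the limit effective; an unconditional ACCEPT there would bypass it.
gen_icmp_rules() {
    $IPT -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
    $IPT -A INPUT -p icmp -j DROP
}

# gen_ruleset "IFACES" "PORTS"
# The full INPUT chain in the order the script uses: default policies,
# loopback, conntrack, open ports, icmp, then log and reject the rest.
gen_ruleset() {
    ifaces="$1"
    ports="$2"
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    for f in $ifaces; do
        $IPT -A INPUT -i "$f" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    for f in $ifaces; do
        gen_port_rules "$f" "$ports"
    done
    gen_icmp_rules
    $IPT -A INPUT -j LOG
    $IPT -A INPUT -j REJECT
}

# count_port_rules "IFACES" "PORTS": how many port-accept rules the dry run
# emits; should equal interfaces x ports.
count_port_rules() {
    gen_ruleset "$1" "$2" | grep -c -- '--dport'
}

# Preview the chain for two interfaces and the three ports from the article.
gen_ruleset "eth0 eth1" "22 80 25"
```

Pipe the preview into a file and diff it against `iptables-save` output after loading to confirm what actually landed in the kernel matches what you intended.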

iptables project: http://netfilter.org/projects/iptables/index.html

Nikola Stojanoski

System Administrator and Developer. Giving back to the community by blogging about my problems, solutions and practical howto's.

  • Ed

    Thank you for such a nice tutorial.

    I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall.
    Maybe it may help someone to set up his own firewall based on IPTABLES.
    You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
    The location of my tutorial is here:

    http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html

    I wish it is useful to someone.