Simple Linux Firewall
I was looking for a simple Linux firewall script for my Linux box, but every script I came across had a lot of wizardry and was too complex to understand.
Simple Linux firewall script
I'm going to explain how to add this script to the startup sequence on Debian Linux. Since the iptables init script is deprecated, we need to put this script in the /etc/init.d directory.
vi /etc/init.d/firewall
#! /bin/sh

# Select interfaces for which you want to apply this firewall
INTERFACES="eth0 eth1"

start_firewall() {
    set -x

    # Load needed kernel modules
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    # Clear any existing firewall stuff before we start
    iptables --flush
    iptables -t nat --flush
    iptables -t mangle --flush

    # As the default policies, drop all incoming traffic but allow all
    # outgoing traffic. This will allow us to make outgoing connections
    # from any port, but will only allow incoming connections on the ports
    # specified below.
    iptables --policy INPUT DROP
    iptables --policy OUTPUT ACCEPT

    # Allow all incoming traffic if it is coming from the local loopback device
    iptables -A INPUT -i lo -j ACCEPT

    # Related and established connections: see
    # http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
    #
    # Accept all incoming traffic associated with an established
    # connection, or a "related" connection
    #
    # This will automatically handle incoming UDP traffic associated with
    # DNS queries, as well as PASSIVE mode FTP (provided the ip_conntrack_ftp
    # module is loaded)
    for f in $INTERFACES
    do
        iptables -A INPUT -i $f -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Allow connections on selected ports to the firewalled computer:
    #   22 ssh
    #   80 web
    #   25 smtp (mail)
    # (use $f here, not a hard-coded eth0, otherwise the rules are added for
    # one interface only and simply repeated once per interface)
    for f in $INTERFACES
    do
        iptables -A INPUT -p tcp -i $f --dport 22 -m state --state NEW -j ACCEPT
        iptables -A INPUT -p tcp -i $f --dport 80 -m state --state NEW -j ACCEPT
        iptables -A INPUT -p tcp -i $f --dport 25 -m state --state NEW -j ACCEPT
    done

    # Allow icmp input so that people can ping us but limit it to 10/sec;
    # anything over the limit is dropped (an unconditional ACCEPT after the
    # limit rule would make the limit pointless)
    iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
    iptables -A INPUT -p icmp -j DROP

    # Logging: first, eliminate any packets that are going to broadcast
    # addresses, since they will overwhelm the log files if there are any
    # windows computers on our network. Also, don't log pesky multicast
    # packets that we block.
    iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
    iptables -A INPUT -d 224.0.0.1 -j DROP

    # Log all other blocked packets, and change DROP to REJECT to be
    # polite and allow people connecting to a blocked port to receive a
    # "connection refused" message instead of timing out after 30 seconds.
    iptables -A INPUT -j LOG
    iptables -A INPUT -j REJECT
}

stop_firewall() {
    iptables --flush
    iptables -t nat --flush
    iptables -t mangle --flush
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
}

case "$1" in
    start)
        echo -n "Starting firewall:"
        start_firewall
        echo " done."
        ;;
    stop)
        echo -n "Stopping firewall:"
        stop_firewall
        echo " done."
        ;;
    restart)
        $0 stop && $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
Now we need to make it executable and set it to start on boot:
chmod +x /etc/init.d/firewall
update-rc.d firewall defaults
All you need to do is choose the interfaces you want the simple firewall to apply to, and which ports you want to open.
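As an added example (not the tutorial's own script), the same rule set rendered as an iptables-restore file: the whole table is then loaded in one atomic step instead of one iptables call at a time, so there is no window between the INPUT DROP policy and the ESTABLISHED rule where an existing ssh session is cut off. The function names and the FORWARD policy line are my additions; the output is plain text that can be reviewed or diffed against iptables-save before loading.

```shell
#!/bin/sh
# Constructed example: render the tutorial's rules in iptables-restore format.
# INTERFACES and PORTS are space-separated lists, e.g. "eth0 eth1" and "22 80 25".
# Nothing is applied here; pipe the output into iptables-restore to load it.
gen_ruleset() {
    interfaces="$1"
    ports="$2"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'      # addition: the tutorial leaves FORWARD alone
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Established/related traffic per interface (same as the tutorial's first loop)
    for f in $interfaces; do
        echo "-A INPUT -i $f -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # New connections on the chosen ports, once per interface and port;
    # using $f here avoids the hard-coded eth0 mistake in the original loop
    for f in $interfaces; do
        for p in $ports; do
            echo "-A INPUT -i $f -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    done
    # Rate-limited ping, excess dropped so the limit actually applies
    echo '-A INPUT -p icmp -m limit --limit 10/second -j ACCEPT'
    echo '-A INPUT -p icmp -j DROP'
    # Silently drop broadcast/multicast noise so it does not fill the log
    echo '-A INPUT -d 255.255.255.255/0.0.0.255 -j DROP'
    echo '-A INPUT -d 224.0.0.1 -j DROP'
    echo '-A INPUT -j LOG'
    echo '-A INPUT -j REJECT'
    echo 'COMMIT'
}

# Self-check helper: how many rules in the generated set bind to interface $3
count_iface_rules() {
    gen_ruleset "$1" "$2" | grep -c -- "-i $3 "
}

# Usage (as root): gen_ruleset "eth0 eth1" "22 80 25" | iptables-restore
```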
iptables project: http://netfilter.org/projects/iptables/index.html
Thank you for such a nice tutorial.
I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall.
Maybe it will help someone to set up his own firewall based on IPTABLES.
You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
The location of my tutorial is here:
http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html
I hope it is useful to someone.