How To Configure IPTABLES Firewall

Most routers do sufficient work in stopping attacks and keeping the inside network resources getting into the hands of hackers and intruders. However a firewall is an extra layer of protectiveness.

Below are snippits of a script that I have used many times before (modifiying it as needed), I think it should be easy to follow and will give a good base line to start your firewall.

Flush Your Current Configuration

Its always best to start with a fresh start. The following command clears/flushes all rules that are currently in place. If you mess up and lock yourself out this will disable your firewall and allow you back in.

iptables -F

Set Default Policies

Now we set default rules to what you want to do, since this is a firewall we will want to drop all connections and not respond to them

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Block An IP Address

If you find you are getting hit a lot by a certain IP address you can block them using...

iptables -A INPUT -s 123.456.789.123 -j DROP

Allow Services To Respond To Requests

Most linux users run ssh, so we need to allow those connections. Change the dport and sport values to whatever service you need to allow in (IE: http is port 80, https is port 443, rsync is 873, mysql 3306, email sending 25, email receive 143/110, etc etc etc)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Specific IP Address To Access Service

If you have a static ip at a clients you can specifically allow only that ip address to access your service

ptables -A INPUT -i eth0 -p tcp -s 123.456.789.123/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Services To Connect

Sometimes its not just the incoming requests you have to look at but the outgoing as well. The following allows ssh to to connect outside your network. Like before you can change the dport and sport numbers to whatever port your service uses.

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

One service that gets overlooked is DNS so make sure you allow DNS Lookups

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

Restrict Outgoing Connections To Specific IP Addresses

If you will only be connecting to a specific list of ip addresses you can specify them and block all others.

iptables -A OUTPUT -o eth0 -p tcp -d 123.456.789.123/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Load Balancing

A neat feature of iptables is the ability to load blance web traffic. The following assumes your ip address 192.168.1.101 is running a https web server. The commands below will help with load balancing the web server

iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

Allow Lookback Traffic

Some services need to talk to other services on the machine without having to go over network wiring. The following will allow loopback access

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allow NIS Connections

NIS is a service that allows computers on a local network to see each other. If you have gone in a windows enviroment and looked at network neighbourhood and see other computers listed, thats the service that does this.

rpcinfo -p | grep ypbind ; This port is 853 and 850
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT

Prevent DOS Attacks

DOS or denial of service attacks, basically make many connections to a server/service until the software running the service cant handle it any more and malfunctions shutting down that service. The following helps in protecting against that. This example protects http DOS attacks.

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

Log Anything That Failed

The following commands log all dropped conenctions. This is very usefull in analyzing attacks as well as viewing configuration problems.

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

Menu