How To Set Up a Firewall Using Iptables

Setting up a good firewall is an essential step to take in securing any modern operating system. Most Linux distributions ship with a few different firewall tools that we can use to configure our firewalls. In this guide, we’ll be covering the iptables firewall.

A good starting point is to check whether any rules are currently configured for iptables:

# iptables -L

Install Instructions

Add the script to the network configuration so that it runs when the network interface comes up:

# nano -w /etc/network/interfaces

Add these:

pre-up /etc/network/firewall pre-up
up /etc/network/firewall start

Example of the resulting file:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#
# The loopback network interface
auto lo
iface lo inet loopback
#
# The primary network interface
auto eth0
iface eth0 inet static
    address 10.10.10.2
    netmask 255.255.255.0
    network 10.10.10.0
    broadcast 10.10.10.255
    gateway 10.10.10.1
    pre-up /etc/network/firewall pre-up
    up /etc/network/firewall start

Then you need the firewall script itself, so create it:

touch /etc/network/firewall
chmod 750 /etc/network/firewall

Modify the firewall script to suit your needs:

#!/bin/sh
# /etc/network/firewall - iptables rules for this host

IP="10.10.10.2"   # address of this host
IF="eth0"         # primary network interface

case "$1" in
start)
  # drop everything by default
  iptables -F
  iptables -P INPUT   DROP
  iptables -P OUTPUT  DROP
  iptables -P FORWARD DROP

  # allow traffic on localhost in both directions
  iptables -A INPUT  -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  #----------------------------------------------#
  # Outgoing connections                         #
  #----------------------------------------------#

  # DNS
  iptables -A OUTPUT -p udp --dport domain -j ACCEPT
  iptables -A OUTPUT -p tcp --dport domain -j ACCEPT

  # NTP
  iptables -A OUTPUT -p udp --dport ntp -o "$IF" -j ACCEPT

  # SSH / HTTP / HTTPS
  iptables -A OUTPUT -p tcp --dport ssh   -o "$IF" -j ACCEPT
  iptables -A OUTPUT -p tcp --dport http  -o "$IF" -j ACCEPT
  iptables -A OUTPUT -p tcp --dport https -o "$IF" -j ACCEPT

  # SMTP
  iptables -A OUTPUT -p tcp -s "$IP" --dport 25 -o "$IF" -j ACCEPT

  # ICMP: accept echo requests (ping) to this host and send the replies
  iptables -A INPUT  -p icmp --icmp-type 8 -d "$IP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 0 -s "$IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

  #------------------------------------------------#
  # Incoming connections                           #
  #------------------------------------------------#

  # Allow established and related incoming/outgoing connections
  iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # SSH
  iptables -A INPUT -p tcp -d "$IP" --dport 22 -i "$IF" -j ACCEPT
  ;;
stop)
  # flush all rules and open everything up again
  iptables -F
  iptables -P INPUT   ACCEPT
  iptables -P OUTPUT  ACCEPT
  iptables -P FORWARD ACCEPT
  ;;
restart)
  $0 stop ; $0 start
  ;;
reload)
  $0 start
  ;;
pre-up)
  # run before the interface comes up: block everything until "start" runs
  iptables -F
  iptables -P INPUT   DROP
  iptables -P OUTPUT  DROP
  iptables -P FORWARD DROP
  ;;
*)
  echo "Usage: $0 {start|stop|restart|reload|pre-up}" >&2
  exit 1
  ;;
esac

exit 0
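Once the script has run, it is worth confirming that the kernel really ended up in the intended state (default DROP on all three chains, loopback open, established traffic accepted, SSH still reachable) rather than trusting that every line succeeded. The audit below is an added example, not part of the original guide; it greps an `iptables-save` style dump for those properties. The dump is constructed here to mirror the script's `start` case, and on a real host you would pass the output of `iptables-save` instead.

```shell
#!/bin/sh
# Added audit helper, not part of the original guide: checks an
# iptables-save style dump for the properties the 'start' case sets.
# The dump below is constructed to mirror the script's rules; on a real
# host use: RULES=$(iptables-save) and call audit_ruleset "$RULES".
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 10.10.10.2/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 10.10.10.2/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# has_line RULES REGEX: succeed if any line of RULES matches REGEX
has_line() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# audit_ruleset RULES: print one FAIL line per missing property and
# return the number of failed checks (0 = ruleset looks as intended)
audit_ruleset() {
    rules=$1
    fails=0
    for chain in INPUT OUTPUT FORWARD; do
        has_line "$rules" "^:$chain DROP " ||
            { echo "FAIL: $chain default policy is not DROP"; fails=$((fails + 1)); }
    done
    has_line "$rules" '^-A INPUT -i lo -j ACCEPT' ||
        { echo "FAIL: loopback input is not accepted"; fails=$((fails + 1)); }
    has_line "$rules" '^-A OUTPUT -o lo -j ACCEPT' ||
        { echo "FAIL: loopback output is not accepted"; fails=$((fails + 1)); }
    for chain in INPUT OUTPUT; do
        has_line "$rules" "^-A $chain -m state --state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT" ||
            { echo "FAIL: $chain lacks an ESTABLISHED,RELATED rule"; fails=$((fails + 1)); }
    done
    has_line "$rules" '^-A INPUT .*-p tcp .*--dport 22 -j ACCEPT' ||
        { echo "FAIL: inbound SSH (tcp/22) is not accepted"; fails=$((fails + 1)); }
    return $fails
}

audit_ruleset "$SAMPLE_RULES" && echo "OK: ruleset matches the intended policy"
```

The patterns are deliberately loose, since `iptables-save` prints the state flags in its own order and adds `/32` to host addresses, so the check matches on the property rather than on the exact text of the rule.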