Linux kernels v2.4 and greater come with the Netfilter (IPTables) stateful firewall (and network address translation) utility:
The documents pointed to by these links contain many IPTables recipes which it would be pointless to copy here. Their perusal is strongly recommended.

Here is a simple shell script which will initialise an iptables-based firewall. It can be trivially modified for most machines and then saved (in a distro-dependent manner) for use with init scripts:
#!/bin/sh

# -- where's the iptables binary?
IPT="/sbin/iptables"

# -- to start with, clean out the bath :
for i in filter nat mangle
do
    $IPT -t $i -F
    $IPT -t $i -X
done

# -- if it's related to something that's already started, allow it :
$IPT -t filter -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT

# -- let me talk to myself :
$IPT -t filter -A INPUT -s 192.168.1.2 -j ACCEPT
$IPT -t filter -A INPUT -s 127.0.0.1 -j ACCEPT

# -- udp :
$IPT -t filter -A INPUT -p udp -j DROP

# -- icmp (ping, for example) :
$IPT -t filter -A INPUT -p icmp -j DROP

# -- if it's one of us, that's ok :
$IPT -t filter -A INPUT -s 192.168.1.3   -m state --state NEW -j ACCEPT   # -- me
$IPT -t filter -A INPUT -s 192.168.1.123 -m state --state NEW -j ACCEPT   # -- trusted friend
$IPT -t filter -A INPUT -s 130.88.99.10  -m state --state NEW -j ACCEPT   # -- cosmos

# -- every other (new) connection can go in the bin :
$IPT -t filter -A INPUT -m state --state NEW -j DROP

# -- default policies :
$IPT -t filter -P INPUT   DROP
$IPT -t filter -P OUTPUT  ACCEPT
$IPT -t filter -P FORWARD DROP
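The script above flushes every chain and only sets the DROP policies as its last step, so if the previous policy was ACCEPT there is a short window during which the host accepts anything. The following is an added example (not the page's script) which expresses the same policy in the text format that iptables-save prints and feeds it to iptables-restore, which validates the whole file and installs it in one transaction, with the default policies in force from the moment the table is committed. The addresses are the ones used above; the variable names SELF_HOSTS and TRUSTED_HOSTS and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the firewall as an iptables-restore ruleset and
# load it atomically. Not part of the original page.

SELF_HOSTS="192.168.1.2 127.0.0.1"                       # "let me talk to myself"
TRUSTED_HOSTS="192.168.1.3 192.168.1.123 130.88.99.10"   # me, trusted friend, cosmos

# gen_ruleset prints a complete filter-table ruleset on stdout, in the
# format that iptables-save(8) emits and iptables-restore(8) reads.
gen_ruleset() {
    printf '%s\n' '*filter'
    # Chain policies are declared up front, so there is never a moment
    # at which the committed table accepts new traffic by default.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections we already know about.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT'
    # Traffic from the machine itself.
    for h in $SELF_HOSTS; do
        printf '%s\n' "-A INPUT -s $h -j ACCEPT"
    done
    # Unsolicited UDP and ICMP go in the bin, as in the original script.
    printf '%s\n' '-A INPUT -p udp -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j DROP'
    # New connections from trusted hosts only.
    for h in $TRUSTED_HOSTS; do
        printf '%s\n' "-A INPUT -s $h -m state --state NEW -j ACCEPT"
    done
    # Everything else that tries to open a connection is dropped.
    printf '%s\n' '-A INPUT -m state --state NEW -j DROP'
    printf '%s\n' 'COMMIT'
}

# count_rules returns the number of rule lines the generator produced;
# a quick sanity check before loading anything into the kernel.
count_rules() {
    gen_ruleset | grep -c '^-A '
}

# apply_ruleset installs the ruleset in one transaction (needs root).
# If iptables-restore is not available the ruleset is printed instead,
# which is also a convenient way to review it before loading.
apply_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; printing ruleset instead" >&2
        gen_ruleset
        return 0
    fi
    gen_ruleset | iptables-restore
}

# Uncomment to install on a real machine:
# apply_ruleset
```

Because the whole table is committed at once, a typo in any rule makes iptables-restore reject the file and leave the existing firewall untouched, which is the failure mode you want on a remote box.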
Configuration of Netfilter IPTables depends on your distribution.
On a RedHat box, either tweak any firewall built as part of the installation process by editing the rules within /etc/sysconfig/iptables and then restart by using the supplied init script
/etc/init.d/iptables restart

or use a script similar to that above to build a firewall, then save it (to /etc/sysconfig/iptables) with

/etc/init.d/iptables save
/etc/sysconfig/iptables is actually a Gnome Lokkit file. (Lokkit is a utility that provides a firewall configuration based on a small number of simple questions. It is designed for "the average" Linux user.)
Things are somewhat different (superior!) on Debian boxes. Pertinent files are:
/etc/init.d/iptables                # init script
/etc/default/iptables               # iptables config
/var/lib/iptables/<ruleset-name>    # saved rule sets

The procedure is as follows:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
/etc/init.d/iptables save inactive    # ...used by "/etc/init.d/iptables stop"
/etc/init.d/iptables save active      # ...used by "/etc/init.d/iptables start"
Additional rule-sets can easily be saved and loaded, e.g., after initialisation with a further script:
/etc/init.d/iptables save edward
/etc/init.d/iptables save edward.v2
/etc/init.d/iptables load edward.v2