Packet Filters, Firewalls and Router ACLs: Particular Examples



3. Netfilter and iptables

Linux kernels v2.4 and greater come with the Netfilter (IPTables) stateful firewall (and network address translation) utility:

The documents pointed to by these links contain many IPTables recipes which it would be pointless to copy here. Their perusal is strongly recommended.

3.1. Example Firewall-Building Script

Here is a simple shell script which will initialise an iptables-based firewall. It can be trivially modified for most machines and then saved (in a distro-dependent manner) for use with init scripts:

#!/bin/sh

# -- where's the iptables binary?
IPT="/sbin/iptables"

# -- to start with, clean out the bath :
for i in filter nat mangle
do
    $IPT -t $i -F
    $IPT -t $i -X
done
# -- if it's related to something that's already started, allow it :
$IPT -t filter -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state NEW,ESTABLISHED     -j ACCEPT

# -- let me talk to myself :
$IPT -t filter -A INPUT -s 192.168.1.2 -j ACCEPT
$IPT -t filter -A INPUT -s 127.0.0.1 -j ACCEPT
# -- udp : (this precedes the per-host ACCEPT rules below, so unsolicited
#           udp from the trusted hosts is dropped too; replies to our own
#           queries still pass, as they match ESTABLISHED above)
$IPT -t filter -A INPUT  -p udp -j DROP

# -- icmp (ping, for example) :
$IPT -t filter -A INPUT -p icmp -j DROP
# -- if it's one of us, that's ok :
$IPT -t filter -A INPUT -s 192.168.1.3   -m state --state NEW -j ACCEPT  # -- me
$IPT -t filter -A INPUT -s 192.168.1.123 -m state --state NEW -j ACCEPT  # -- trusted friend
$IPT -t filter -A INPUT -s 130.88.99.10 -m state --state NEW -j ACCEPT   # -- cosmos
# -- every other (new) connection can go in the bin :
$IPT -t filter -A INPUT -m state --state NEW -j DROP

# -- default policies :
$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t filter -P FORWARD DROP

3.2. Init Scripts and Saving IPTables Configuration

Configuration of Netfilter IPTables depends on your distribution.

3.2.1. RedHat

On a RedHat box, either tweak any firewall built as part of the installation process by editing the rules within /etc/sysconfig/iptables and then restart it using the supplied init script:

    /etc/init.d/iptables restart

or use a script similar to that above to build a firewall, then save it (to /etc/sysconfig/iptables) with /etc/init.d/iptables save.

/etc/sysconfig/iptables is actually a Gnome Lokkit file. (Lokkit is a utility that provides a firewall configuration based on a small number of simple questions. It is designed for "the average" Linux user.)

3.2.2. Debian

Things are somewhat different (superior!) on Debian boxes. Pertinent files are:

    /etc/init.d/iptables               # init script
    /etc/default/iptables              # iptables config
    /var/lib/iptables/<ruleset-name>   # saved rule sets
The procedure is as follows:
  1. Ensure the firewall is off and save this empty state:
            iptables -P INPUT ACCEPT
            iptables -P OUTPUT ACCEPT
            iptables -P FORWARD ACCEPT
            iptables -F
            iptables -X
            /etc/init.d/iptables save inactive
                #
                # ...used by "/etc/init.d/iptables stop"

  2. Set up a firewall via a shell script like that given above.

  3. Save this configuration as the default:
            /etc/init.d/iptables save active
                #
                # ...used by "/etc/init.d/iptables start"

Additional rule-sets can easily be saved and loaded, e.g., after initialisation with a further script:

    /etc/init.d/iptables save edward
    /etc/init.d/iptables save edward.v2
    /etc/init.d/iptables load edward.v2
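Once a rule set has been saved, it is worth checking what it actually admits before relying on it. The following audit helper is an added example, not part of the original page or of either distribution's init scripts: it reads a rule set in the iptables-save format that both /etc/sysconfig/iptables and /var/lib/iptables/<ruleset-name> use, and reports each chain's default policy and which sources may open new connections. The embedded rule set is constructed to mirror the filter rules built by the script in 3.1.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (what the RedHat and Debian
# init scripts save), mirroring the filter rules built by the 3.1 script.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.2/32 -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -s 192.168.1.3/32 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.123/32 -m state --state NEW -j ACCEPT
-A INPUT -s 130.88.99.10/32 -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j DROP
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'
# chain_policy CHAIN (rule set on stdin): print the chain's default policy
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

# new_conn_sources CHAIN (rule set on stdin): one line per ACCEPT rule in
# CHAIN that admits a NEW connection: its -s address, or ANY if unrestricted
new_conn_sources() {
    awk -v c="$1" '
    $1 == "-A" && $2 == c {
        src = "ANY"; st = ""; tgt = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "--state") st = $(i + 1)
            else if ($i == "-j") tgt = $(i + 1)
        }
        # a rule with no --state match at all matches NEW packets as well
        if (tgt == "ACCEPT" && (st == "" || index(st, "NEW") > 0)) print src
    }'
}
# open_accept_count CHAIN (stdin): ACCEPTs admitting NEW from any source
open_accept_count() {
    new_conn_sources "$1" | awk '$1 == "ANY" { n++ } END { print n + 0 }'
}

# Summarise the sample chain by chain (runs when the script is executed)
for chain in INPUT FORWARD OUTPUT; do
    printf '%s: policy %s, open-to-any ACCEPTs %s, NEW allowed from: %s\n' \
        "$chain" "$(printf '%s\n' "$SAMPLE_RULES" | chain_policy "$chain")" \
        "$(printf '%s\n' "$SAMPLE_RULES" | open_accept_count "$chain")" \
        "$(printf '%s\n' "$SAMPLE_RULES" | new_conn_sources "$chain" | tr '\n' ' ')"
done
```

To audit a real saved rule set instead of the sample, pipe the file into the functions, e.g. `chain_policy INPUT < /var/lib/iptables/active`.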

