Server Firewall

The Linux firewall (iptables) is very capable and can protect a single machine or an entire network. These examples start by protecting a server with very restricted access, then show a workstation type of configuration, and finally a firewall that protects an entire network.

Server Firewall

This configuration is a simple firewall for a server. It blocks everything by default but allows sane access to the provided services (SSH, HTTP and DNS). No changes are made to the FORWARD chain, as we are not a router, and the OUTPUT chain should not block anything.

# Accept These First
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow my DNS servers to talk to me (DNS_HOST_1 and DNS_HOST_2 hold the resolver addresses; set them before running this)
iptables -A INPUT -s $DNS_HOST_1 -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -s $DNS_HOST_2 -i eth0 -p udp -m udp --sport 53 -j ACCEPT
# Accept SSH
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
# Accept HTTP & HTTPS
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
# This means I'll accept a DNS query from anyone!
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
# Do you want to allow ICMP ping and other such?
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
# DROP everything else
iptables -P INPUT DROP

Web-Server Firewall

This allows traffic to and from localhost, sends new TCP connections and all UDP traffic to dedicated user chains (tcp_new and udp_all) that accept only the listed ports, and drops everything else through the INPUT policy.

# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tcp_new - [0:0]
:udp_all - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 -m state --state NEW -j tcp_new
-A INPUT -p udp -j udp_all
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A tcp_new -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_new -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_new -p tcp -m tcp --dport 443 -j ACCEPT
-A udp_all -p udp -m udp --dport 53 -j ACCEPT
COMMIT
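As an added check that is not part of the original page: a small shell/awk lint for a ruleset in the iptables-save format shown above, run before iptables-restore. It catches a jump to a chain that was never declared (iptables-restore rejects such a file), an INPUT policy other than DROP, and an INPUT rule that accepts NEW connections ahead of the RELATED,ESTABLISHED rule. The list of standard targets is an assumption (not exhaustive), and the sample ruleset is constructed from the web-server rules with one deliberate error.

```shell
#!/bin/sh
# Offline lint for an iptables-save style ruleset, run before iptables-restore.
# It reports: a -j target that is neither a standard target nor a declared chain
# (iptables-restore rejects such a file), an INPUT policy other than DROP, and an
# INPUT rule accepting NEW connections placed before the RELATED,ESTABLISHED rule.

lint_ruleset() {   # $1 = file in iptables-save format; prints findings, exit code = count
    awk '
    BEGIN { n = split("ACCEPT DROP REJECT RETURN LOG DNAT SNAT MASQUERADE REDIRECT", t, " ")
            for (i = 1; i <= n; i++) std[t[i]] = 1; bad = 0 }
    /^:/  { sub(/^:/, ""); declared[$1] = 1; if ($1 == "INPUT") policy = $2; next }
    /^-A/ { nr++; line[nr] = $0
            for (i = 1; i < NF; i++) if ($i == "-j") target[nr] = $(i + 1)
            if ($2 == "INPUT" && $0 ~ /RELATED,ESTABLISHED/) seen_est = 1
            if ($2 == "INPUT" && $0 ~ /--state NEW/ && target[nr] == "ACCEPT" && !seen_est) {
                bad++; print "NEW accepted before RELATED,ESTABLISHED: " $0 } }
    END { for (i = 1; i <= nr; i++)
              if (target[i] != "" && !(target[i] in std) && !(target[i] in declared)) {
                  bad++; print "jump to undeclared chain " target[i] ": " line[i] }
          if (policy != "DROP") { bad++; print "INPUT policy is \"" policy "\", expected DROP" }
          exit bad }
    ' "$1"
}

# Constructed sample: the web-server ruleset above with one deliberate mistake,
# a jump to udp_all that is never declared, so the check has something to find.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tcp_new - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 -m state --state NEW -j tcp_new
-A INPUT -p udp -j udp_all
-A tcp_new -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_new -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Lint the sample and return the number of findings (1 here: the udp_all jump).
count_findings() {
    f=$(mktemp); sample_ruleset > "$f"
    lint_ruleset "$f" >/dev/null && rc=0 || rc=$?
    rm -f "$f"; echo "$rc"
}
```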

Gateway/Router iptables Rules

These rules would typically be found on a Linux firewall/gateway/router type device, together with some DNAT/MASQUERADE rules.

If you will be using protocols like FTP, SIP or IRC, load the matching connection-tracking helper modules first:

~ # modprobe nf_conntrack_ftp
~ # modprobe nf_conntrack_sip
~ # modprobe nf_conntrack_irc

Setting up iptables to protect your network. This assumes two adapters, one external (eth1) and one internal (eth0). First set up the IP configuration of your Internet adapter.

You must have IP forwarding enabled:
  echo 1 > /proc/sys/net/ipv4/ip_forward
To disable it again:
  echo 0 > /proc/sys/net/ipv4/ip_forward
To make this setting permanent, edit /etc/sysctl.conf and add or update the entry to
  net.ipv4.ip_forward = 1

Now load all of the necessary kernel modules with the following commands. The comments start with # (a leading ; is not a comment in the shell, it separates commands), and modprobe is used rather than insmod because it resolves module names and dependencies. The module names here are the old ones; on current kernels the equivalents are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, as in the modprobe lines above.
# Add iptables base
modprobe ip_tables
# Add iptables firewall/filter
modprobe iptable_filter
# Connection tracking for NAT, don't use if you don't need it
modprobe ip_conntrack
modprobe iptable_nat
# For PASV ftp through your firewall
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# This cleans out all existing rules, user chains and counters from iptables.
# The filter and nat tables are flushed separately; without the nat lines the
# MASQUERADE rules below would be appended again on every run of the script.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X

# Start Building our rules
echo \* Setting Loopback rules
# Loopback rule...allow everything on lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Setup our NAT rules
echo \* Setting NAT rules
# iptables -t filter -A FORWARD -j localrules
# The 10.0.0.0 network
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -d 0/0 -j MASQUERADE
# The 192.168.1.0 network
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE

# Setup external interface rules
echo \* Setting external rules
# Allow SSH
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
# Allow established or related connections (ftp, etc); the state list must not contain spaces
iptables -t filter -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop all new incoming packets here (requests to connect)
iptables -t filter -A INPUT -i eth1 -m state --state NEW -j DROP

Modifying iptables rules after the firewall is running
# Inserts a new rule at position 2 of the INPUT chain, accepting port 110 (POP3)
iptables -t filter -I INPUT 2 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT

These commands list the current rules; --line-numbers shows the positions that -I refers to, and -n avoids slow reverse DNS lookups
iptables -t filter -L -n -v --line-numbers
iptables -t nat -L -n -v --line-numbers

NAT Inbound Port Forwarding

Simple port-forwards can be written as follows. The DNAT rule in PREROUTING rewrites the destination address before the routing decision, so the forwarded packets then pass through the FORWARD chain, not INPUT; the accept rule must therefore be in FORWARD and match the rewritten (internal) destination.

iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.1.2:80
iptables -A FORWARD -i eth0 -p tcp -d 192.168.1.2 --dport 80 -m state --state NEW,RELATED -j ACCEPT

Many times the single IP on the outside of a NAT firewall will be required to expose multiple internal services, some of which may have conflicting port requirements. In this case the external port can be mapped to a different internal port. Here we show the external port for Gopher (70) being redirected to the internal port of HTTP (80). Note that the FORWARD rule matches the internal port (80), because by the time the packet reaches FORWARD its destination has already been rewritten.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 70 -j DNAT --to-destination 192.168.1.3:80
iptables -A FORWARD -i eth0 -p tcp -d 192.168.1.3 --dport 80 -m state --state NEW,RELATED -j ACCEPT
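The gateway build-up and the port-forwarding rules above, combined into one re-runnable script as an added example (not the page's own script). It assumes the same layout, eth1 external and eth0 internal with the two masqueraded LANs, and additionally assumes the internal interface can be trusted; setting IPT=echo turns it into a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Re-runnable gateway firewall for the layout above (eth1 external, eth0 internal,
# two masqueraded LANs). Unlike the step-by-step commands, it flushes both the
# filter and nat tables so a second run does not append duplicate rules, gives
# FORWARD a DROP policy with explicit LAN->Internet rules, and builds each port
# forward as a DNAT rule plus a FORWARD rule (forwarded traffic never traverses INPUT).
IPT=${IPT:-iptables}                 # IPT=echo gives a dry run that prints the commands
EXT=eth1; INT=eth0
LANS="10.0.0.0/24 192.168.1.0/24"

ipt() { $IPT "$@"; }

flush_all() {
    for t in filter nat; do ipt -t $t -F; ipt -t $t -X; ipt -t $t -Z; done
}

base_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i $INT -j ACCEPT                         # assumption: the LAN side is trusted
    ipt -A INPUT -i $EXT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $LANS; do
        ipt -A FORWARD -i $INT -o $EXT -s $net -j ACCEPT   # LAN -> Internet only
        ipt -t nat -A POSTROUTING -o $EXT -s $net -j MASQUERADE
    done
}

# forward_port EXTPORT INTHOST INTPORT: the FORWARD rule matches the rewritten
# (post-DNAT) destination, which is why it uses INTHOST:INTPORT, not EXTPORT.
forward_port() {
    ipt -t nat -A PREROUTING -i $EXT -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    ipt -A FORWARD -i $EXT -o $INT -p tcp -d "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# Policies are set last, so on a first run the tables are never at DROP with no
# ACCEPT rules; on re-runs the brief gap after the flush is covered by TCP retransmission.
set_policies() { ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT; }

build() {
    flush_all; base_rules
    forward_port 80 192.168.1.2 80   # HTTP straight through to the web host
    forward_port 70 192.168.1.3 80   # external 70 mapped to internal 80, as above
    set_policies
}

# Dry-run helpers: the full command list, and how many iptables calls build makes.
dry_run() { ( IPT=echo; build ); }
count_commands() { dry_run | grep -c . ; }
```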