Basic Commands
To list your current firewall configuration use:
If you have no rules in your iptables you should see something like this:
To add a rule to a chain use:
To delete a rule from a chain use:
Before adding any rules, make sure the INPUT chain policy is ACCEPT rather than DROP. With a DROP policy and an empty chain every inbound packet is dropped, including the SSH session you are typing in, so the rules are added first and the policy is switched to DROP only at the end.
Add some basic rules to the INPUT chain:
The above rules allow SSH, DNS, HTTP and HTTPS traffic, log to syslog any packet that none of the earlier rules accepted, and, through the DROP policy on the chain, block all other traffic and ports.
List your iptables rules with:
Your iptables should look similar to this:
If the first rule is left out, none of the others appear to work. If that first rule is the usual one that accepts packets in the ESTABLISHED or RELATED connection-tracking state (an assumption, since the listing is not reproduced here), this is expected: the INPUT chain also sees the replies to connections this host itself initiated (DNS answers, HTTP responses, package downloads), and those replies do not match any of the port-specific ACCEPT rules, so with a DROP policy they are silently discarded. The state rule is what lets the return half of every outbound connection back in.
The DROP policy for the INPUT chain drops every packet that reaches the end of the chain without matching an ACCEPT rule. If there is no rule for it, it is not getting through. Note that this covers IPv4 only: ip6tables keeps an entirely separate rule set, so a host with IPv6 connectivity is still wide open there until you configure that too.
Also of note is that rules are evaluated top-down, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate; later rules are never consulted. Thus if you have a rule that drops traffic for a certain port followed by one that allows traffic for the same port, all traffic to that port is dropped. LOG is the exception: it is non-terminating, so a logged packet continues to the next rule, or to the chain policy if none is left, which is why the LOG rule can sit last without blocking anything by itself.
Given the above, if you need to insert a rule at a particular position in the chain rather than append it at the end (rule positions start at 1 and can be shown with the --line-numbers option when listing), do so with the following:
Verify that every service you need is still reachable through the firewall, and that outbound-only programs keep working too (that depends on the connection-tracking rule at the top). If needed you can change the INPUT chain policy back to ACCEPT like so:
If the rules do lock you out, a reboot clears them, because iptables rules live only in the running kernel and are not persisted unless you arrange it (see the next section; once the save and restore hooks are in place, a reboot brings the saved rules straight back and this escape hatch is gone). On a remote machine, schedule a job that resets the INPUT policy to ACCEPT a few minutes later before you switch to DROP, and cancel it once you have confirmed the session survives.
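The whole procedure from this section as one added, runnable example (not code from the original post): it builds the INPUT chain in the lock-out-safe order described above, prints the exact iptables commands instead of executing them when DRY_RUN is set, and includes a lockout guard for remote hosts. The conntrack, loopback and INVALID-state rules, the rate-limited LOG rule, the port 22 default and the IPT_DROP: log prefix are this example's own choices, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: the INPUT-chain ruleset the
# post describes, applied in the order that cannot lock out a remote session
# (policy ACCEPT while the chain is built, DROP switched on last).
# With DRY_RUN=1 the iptables commands are printed instead of executed.
# Assumptions: SSH on tcp/22 (override with SSH_PORT); the conntrack, loopback,
# INVALID and rate-limited LOG details are this example's choices, not the post's.

SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-iptables}"

# Run one iptables command, or print it in dry-run mode.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Append a rule unless an identical one already exists (-C checks for a match),
# so re-running the script does not pile up duplicates.
add_rule() {
    chain=$1; shift
    if [ -z "${DRY_RUN:-}" ] && "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    ipt -A "$chain" "$@"
}

# Insert a rule at a 1-based position instead of appending; needed when a new
# ACCEPT must sit above an existing rule that would otherwise drop the traffic.
insert_rule_at() {
    chain=$1; pos=$2; shift 2
    ipt -I "$chain" "$pos" "$@"
}

build_input_chain() {
    # 1. Open policy and a clean chain first: flushing under a DROP policy
    #    would cut the SSH session that is doing the work.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 2. Replies to connections this host started (DNS answers, HTTP responses,
    #    package downloads) arrive on INPUT too. This rule must come first;
    #    without it the DROP policy silently kills every reply.
    add_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    add_rule INPUT -m conntrack --ctstate INVALID -j DROP
    add_rule INPUT -i lo -j ACCEPT
    # 3. Services offered to the network: SSH, DNS, HTTP, HTTPS.
    add_rule INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    add_rule INPUT -p udp --dport 53 -j ACCEPT
    add_rule INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    add_rule INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    add_rule INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # 4. LOG is non-terminating: the packet is logged, then falls through to
    #    the policy. The limit match keeps a flood from filling syslog.
    add_rule INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix IPT_DROP: --log-level 7
    # 5. Only now close the door.
    ipt -P INPUT DROP
}

# Safety net for remote hosts: a background job resets the policy to ACCEPT
# after $1 seconds unless it is killed. Prints the PID to kill once the session
# is confirmed to survive the DROP policy.
lockout_guard() {
    ( sleep "${1:-120}" && "$IPT" -P INPUT ACCEPT ) >/dev/null 2>&1 &
    echo $!
}

# Usage:  sh firewall.sh            (dry run: print the commands)
#         sudo sh firewall.sh apply (apply them, with a 120 s lockout guard)
if [ "${1:-}" = "apply" ]; then
    guard=$(lockout_guard 120)
    build_input_chain
    echo "INPUT policy is now DROP; if this session still works, run: kill $guard"
else
    DRY_RUN=1
    build_input_chain
fi
```

Run it without arguments first and read the printed command list; the order (ACCEPT policy, flush, state rule, service rules, LOG, DROP policy) is the whole point. The -C check in add_rule only works against a live firewall, so in dry-run mode every rule is printed even if it already exists.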
Saving and Restoring Rules
iptables rules live only in the running kernel and are not saved or restored by default, so you need to do it yourself: iptables-save dumps the current rules as text and iptables-restore loads such a dump, and the steps below hook both into the interface up and down events.
1. Save your current changes:
2. Create the file /etc/network/if-pre-up.d/iptablesload. ifupdown runs every script in that directory, once per interface, just before it brings the interface up; if the script exits non-zero the interface is not brought up at all, so keep it exiting 0. Add the following:
make it executable with:
3. Create the file /etc/network/if-post-down.d/iptablessave. This runs just after an interface is brought down and saves whatever ruleset is loaded at that moment, so if you flushed the rules while debugging and forgot, the flushed state is what gets saved. Add the following:
make it executable with:
Now when you restart your machine the rules survive: they are saved whenever an interface goes down (including at shutdown) and restored before it comes back up. This relies on ifupdown managing the interfaces; NetworkManager and systemd-networkd do not run these hook directories, and on Debian and Ubuntu the iptables-persistent package (netfilter-persistent service) is the packaged way to get the same effect. iptables-save also covers IPv4 only; ip6tables has its own rules and its own save and restore tools. You can have a look at the persisted rules in the /etc/iptables.rules file:
Your /etc/iptables.rules file should look something like this:
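The three persistence steps above as one added, runnable script (not code from the original post). It writes the two ifupdown hooks and saves the running rules; with PREFIX set it writes the whole tree under a scratch directory with a constructed sample rules file, so it can be reviewed without root or a live firewall. The logger call, the file modes and the iptables-restore --test check are this example's additions.

```shell
#!/bin/sh
# Added example, not code from the original post: installs the two ifupdown
# hooks described above and saves the running ruleset. Setting PREFIX writes
# the whole tree under a scratch directory for review; with PREFIX empty it
# writes to /etc and needs root.
# Assumption: interfaces are managed by ifupdown (/etc/network/interfaces);
# NetworkManager and systemd-networkd never run these hook directories.

PREFIX="${PREFIX:-}"

set_paths() {
    RULES="$PREFIX/etc/iptables.rules"
    PRE_UP="$PREFIX/etc/network/if-pre-up.d/iptablesload"
    POST_DOWN="$PREFIX/etc/network/if-post-down.d/iptablessave"
}

# Restore hook. A pre-up script that exits non-zero stops ifup from bringing
# the interface up, so it exits 0 when there is nothing to restore, and it
# exits 0 after a failed restore too: a bad rules file is logged, not a dead NIC.
write_pre_up_hook() {
    mkdir -p "$(dirname "$PRE_UP")"
    cat > "$PRE_UP" <<'EOF'
#!/bin/sh
RULES=/etc/iptables.rules
[ -r "$RULES" ] || exit 0
iptables-restore < "$RULES" || logger -t iptablesload "restore of $RULES failed"
exit 0
EOF
    chmod 0755 "$PRE_UP"
}

# Save hook. It saves whatever is loaded at that moment: flush the rules for a
# debugging session and forget, and the empty set is what persists.
write_post_down_hook() {
    mkdir -p "$(dirname "$POST_DOWN")"
    cat > "$POST_DOWN" <<'EOF'
#!/bin/sh
iptables-save > /etc/iptables.rules
chmod 0640 /etc/iptables.rules
exit 0
EOF
    chmod 0755 "$POST_DOWN"
}

# Save the running ruleset now. Under a PREFIX (no root, no live firewall) a
# constructed sample in iptables-save format stands in for the real dump.
save_rules_now() {
    mkdir -p "$(dirname "$RULES")"
    if [ -z "$PREFIX" ]; then
        iptables-save > "$RULES"
    else
        cat > "$RULES" <<'EOF'
# Constructed sample of iptables-save output, not captured from a real host
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT_DROP:" --log-level 7
COMMIT
EOF
    fi
    chmod 0640 "$RULES"
}

# Check the saved file: every table must end with COMMIT, and on a live host
# iptables-restore --test parses it without touching the running firewall.
check_rules_file() {
    [ -r "$RULES" ] || return 1
    grep -q '^COMMIT$' "$RULES" || return 1
    if [ -z "$PREFIX" ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$RULES"
    fi
}

install_persistence() {
    set_paths
    save_rules_now
    write_pre_up_hook
    write_post_down_hook
    check_rules_file
}

# Usage: sudo sh persist.sh install    or    PREFIX=/tmp/fw sh persist.sh install
if [ "${1:-}" = "install" ]; then
    install_persistence
fi
```

Review the tree under PREFIX first, then run it as root without PREFIX. Because the post-down hook saves on every interface down event, take a copy of /etc/iptables.rules once you are happy with it; that copy is what you restore if a flushed or half-edited ruleset gets saved by accident.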
Comments/suggestions are welcome. :)