Setting and configuring a firewall
Matthew Harrington
Newbie here. I've found the following rules to set a firewall (from the book How Linux Works):
iptables -P INPUT DROP # the default policy
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp '!' --syn -j ACCEPT # accepting incoming connections from everywhere except those initiating a connection, hence syn
So far so good (or it seems to be). The trouble comes when I try to add a rule for DNS; here's what I have tried and didn't seem to get right (one at a time):
iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --source-port 53 -s 127.0.1.1 -j ACCEPT
iptables -A INPUT -p udp --source-port 53 -j ACCEPT
Desired result: preventing any initialization of connections from outside (ssh, icmp, ...), enabling DNS lookup and web browsing (curl, wget, telnet ...). I don't think it is relevant that I may locally run a web server or a database server ...
Any help would be appreciated.
2 Answers
I suggest you create some INPUT rule that allows all established and related traffic, like:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Also you should always allow your loopback device:
# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
If your default output policy is accept, most problems should be gone. Otherwise you should also add:
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and open the ports for HTTP(S), DNS, ICMP or whatever you need.
Allowing Established Sessions
We can allow established sessions to receive traffic:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
If the line above doesn't work, you may be on a castrated VPS whose provider has not made available the extension, in which case an inferior version can be used as a last resort:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing Incoming Traffic on Specific Ports
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Blocking Traffic
sudo iptables -A INPUT -j DROP
Enabling loopback by editing iptables:
sudo iptables -I INPUT 1 -i lo -j ACCEPT
Logging of unwanted traffic:
sudo iptables -I INPUT 4 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
To confirm that changes have been successfully made:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere
Use iptables -L -v to get more details:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    0     0 DROP       all  --  any    any     anywhere             anywhere
Empty iptables:
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
Saving iptables
If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type this each time you reboot, however, you can save the configuration, and have it start up automatically.
Save your firewall rules to a file
sudo sh -c "iptables-save > /etc/iptables.rules"
The script /etc/network/if-pre-up.d/iptablesload will contain:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
and /etc/network/if-post-down.d/iptablessave will contain:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
    iptables-restore < /etc/iptables.downrules
fi
exit 0
Then be sure to give both scripts execute permissions:
sudo chmod +x /etc/network/if-post-down.d/iptablessave
sudo chmod +x /etc/network/if-pre-up.d/iptablesload
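An added example, not code from the question or either answer, that assembles the answers' pieces in the order they need to be in for the asker's goal (DROP policy, loopback, the stateful rule that makes DNS replies work, explicit services, then the log rule). IPT, ALLOW_TCP_PORTS and the "apply" argument are assumptions of this script; setting IPT="echo iptables" prints the rules instead of applying them, so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example: a stateful INPUT chain built from the answers' pieces,
# in the order that makes them work. Nothing here is the question's or
# answers' own code. IPT, ALLOW_TCP_PORTS and the "apply" argument are
# assumptions of this script; IPT="echo iptables" prints instead of applying.
IPT="${IPT:-iptables}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-}"   # e.g. "22 80"; empty = nothing exposed

apply_firewall() {
    # Flush the chain and set DROP as policy first, so a failure while
    # loading the remaining rules never leaves the host wide open.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT

    # 1. Loopback: local services and the 127.0.1.1 stub resolver need this.
    $IPT -A INPUT -i lo -j ACCEPT

    # 2. Stateful rule. The outgoing DNS query creates a conntrack entry, so
    #    the UDP reply from port 53 matches ESTABLISHED; no per-port DNS
    #    rule is needed, which is what the question was missing.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Packets conntrack cannot place in any flow (e.g. stray non-SYN
    #    segments). The question's "! --syn" rule would have accepted them.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 4. Services deliberately exposed to the outside, if any.
    for port in $ALLOW_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" --syn -j ACCEPT
    done

    # 5. Rate-limited log of whatever falls through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG \
        --log-prefix "iptables denied: " --log-level 7
}

# Returns non-zero when the stateful rule is absent, e.g. after a reboot
# that did not restore the saved rules; handy as a quick health check.
check_stateful() {
    $IPT -S INPUT | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall && check_stateful
fi
```

Run it as root with the argument apply; pair it with the save/restore scripts above so the rules survive a reboot.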