Server Firewall


The Linux firewall (iptables) is very capable and can protect a single machine or an entire network. These examples start with a server that accepts only a few services, then show a workstation type of configuration, and finally a firewall that protects an entire network behind it.

Server Firewall

This configuration is a simple firewall for a server. It blocks everything by default but allows sane access to the services the host provides (SSH, HTTP/HTTPS and DNS). No rules are added to the FORWARD chain, since this host is not a router, and the OUTPUT chain is left with its ACCEPT policy so nothing the server sends is blocked.

# Interface and resolver addresses used below; the addresses are placeholders, set them to your own resolvers
IF=eth0
DNS_HOST_1=192.0.2.1
DNS_HOST_2=192.0.2.2
# Accept These First
# Loopback, or local services stop working
iptables -A INPUT -i lo -j ACCEPT
# Replies to anything this host started; with conntrack loaded this already covers the UDP answers from the resolvers
iptables -A INPUT -i $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow my DNS servers to talk to me (only source address and port are checked, so keep this list to your real resolvers)
iptables -A INPUT -s $DNS_HOST_1 -i $IF -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -s $DNS_HOST_2 -i $IF -p udp -m udp --sport 53 -j ACCEPT
# Accept SSH. No --sport 1024:65535 filter: the client chooses its own source port, so the filter adds no protection and only breaks clients that use a low one
iptables -A INPUT -i $IF -p tcp -m tcp --dport 22 -j ACCEPT
# Accept HTTP & HTTPS
iptables -A INPUT -i $IF -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IF -p tcp -m tcp --dport 443 -j ACCEPT
# This means I'll accept a DNS query from anyone!
iptables -A INPUT -i $IF -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $IF -p udp -m udp --dport 53 -j ACCEPT
# Do you want to allow ICMP ping and other such? This accepts every ICMP type
iptables -A INPUT -p icmp -j ACCEPT
# DROP everything else. The policy is set last, once the ACCEPT rules exist, so a remote SSH session is not cut off part-way through the script
iptables -P INPUT DROP
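The same server policy written in iptables-restore format, as an added example that is not part of the original page. Loading rules one iptables call at a time leaves a window in which the chain is half built; iptables-restore parses the whole table in user space and commits it in one step, so there is no moment where a remote session is cut off. The example assumes eth0 as the interface, uses the current "-m conntrack --ctstate" spelling of "-m state --state", and narrows ICMP to echo-request plus the error types path MTU discovery needs; those three choices are assumptions, not from the page.

```sh
#!/bin/sh
# Added example (not from the original page): build the server ruleset in
# iptables-restore format so it is loaded atomically. Assumptions: eth0 as the
# default interface, "-m conntrack --ctstate" instead of "-m state --state".

# Print the ruleset for interface $1 (default eth0).
server_rules() {
    iface=${1:-eth0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must be accepted or local services stop working
-A INPUT -i lo -j ACCEPT
# Replies to traffic this host started, which covers UDP answers from the
# resolvers, so no per-resolver --sport 53 rules are needed
-A INPUT -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify are neither NEW nor ESTABLISHED
-A INPUT -i $iface -m conntrack --ctstate INVALID -j DROP
# Offered services: SSH, HTTP, HTTPS
-A INPUT -i $iface -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $iface -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $iface -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# DNS service for anyone, UDP and TCP
-A INPUT -i $iface -p udp --dport 53 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# ICMP: ping plus the error types path MTU discovery depends on,
# instead of accepting every ICMP type
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
COMMIT
EOF
}

# Number of rules in the generated INPUT chain, for a sanity check.
input_rule_count() {
    server_rules "$1" | grep -c '^-A INPUT'
}

# Parse the ruleset without touching the kernel, then commit it atomically.
# Needs root, so it is only run when called explicitly.
apply_rules() {
    rules=$(server_rules "$1") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}
```

To review what would be loaded, run server_rules and read the output; apply_rules eth0 (as root) first checks the syntax with iptables-restore --test and only then commits. The INVALID drop sits above the service rules on purpose: a packet that is neither NEW nor part of a tracked connection should never reach an ACCEPT.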

Workstation Firewall

Network Firewall

Setup of iptables to protect your network.
Assuming that you have two adapters, one external (eth1) and one internal (eth0).

First set up the IP configuration of your Internet-facing adapter (eth1).

You must have IP forwarding enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
To disable it:
echo 0 > /proc/sys/net/ipv4/ip_forward
To make this setting permanent, edit /etc/sysctl.conf and add or update the entry
  net.ipv4.ip_forward = 1
then apply the file with
  sysctl -p
Once forwarding is on, the FORWARD chain decides what is passed between the two adapters, and its default policy is ACCEPT, so it needs rules of its own.
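"Add or update the entry" has a trap: sysctl -p applies the file top to bottom and the last assignment wins, so appending net.ipv4.ip_forward = 1 under an existing net.ipv4.ip_forward = 0 leaves forwarding off after the next reboot. The function below, an added example and not part of the original page, rewrites every active assignment of the key in place, leaves commented-out lines alone, and appends only when no active assignment exists. It uses only POSIX sh and awk; the file path, key and value are whatever the caller passes, and the sample file in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): idempotently set a key in a
# sysctl.conf-style file. Every active "key = value" or "key=value" line is
# rewritten; "#key = ..." comments are kept as they are; the key is appended
# only if no active assignment was found.

# set_sysctl_key FILE KEY VALUE
set_sysctl_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # an active assignment starts with the key, optional blanks, then "="
            if (substr(line, 1, length(key)) == key) {
                rest = substr(line, length(key) + 1)
                sub(/^[[:space:]]+/, "", rest)
                if (substr(rest, 1, 1) == "=") {
                    print key " = " value
                    found = 1
                    next
                }
            }
            print
        }
        END { if (!found) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Persist the setting and apply it now. Needs root, so it is only run when
# called explicitly.
enable_ip_forward() {
    set_sysctl_key /etc/sysctl.conf net.ipv4.ip_forward 1 && sysctl -p /etc/sysctl.conf
}
```

Writing through a temporary file and then copying back keeps the original file's ownership and mode, which matters for /etc/sysctl.conf.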

Now load the necessary kernel modules. Use modprobe rather than insmod: insmod needs the full path to the .ko file and does not resolve dependencies. On current kernels these modules are loaded automatically the first time iptables references them, and the connection-tracking modules are named nf_conntrack, nf_conntrack_ftp and nf_nat_ftp (ip_conntrack, ip_conntrack_ftp and ip_nat_ftp on 2.4 and early 2.6 kernels). Since kernel 4.7 the FTP helper is no longer attached to connections automatically; it has to be requested with a CT --helper ftp rule in the raw table.
# iptables base
modprobe ip_tables
# iptables firewall/filter table
modprobe iptable_filter
# Connection tracking and NAT; skip these if you do not NAT
modprobe nf_conntrack
modprobe iptable_nat
# For PASV ftp through your firewall
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp

# This clears all existing rules, user-defined chains and counters in the filter table
iptables -F
iptables -X
iptables -Z
# and the same for the nat table, which -F alone does not touch
iptables -t nat -F
iptables -t nat -X

# Start Building our rules
echo "* Setting loopback rules"
# Loopback rule: allow everything on lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Setup our NAT rules
echo "* Setting NAT rules"
# The 10.0.0.0 network
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j MASQUERADE
# The 192.168.1.0 network
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

# Setup forwarding rules: with ip_forward on, the FORWARD chain is what protects the inside
echo "* Setting forward rules"
# Inside hosts may start connections to the outside
iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Only replies to those connections come back in
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Nothing else is routed
iptables -t filter -P FORWARD DROP

# Setup external interface rules
echo "* Setting external rules"
# Allow SSH
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
# Allow established or related connections (ftp data, ICMP errors, etc); not limited to TCP, and the state list must not contain spaces
iptables -t filter -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop all new incoming packets here (requests to connect)
iptables -t filter -A INPUT -i eth1 -m state --state NEW -j DROP
# And anything else arriving on eth1: packets conntrack calls INVALID are not NEW, so the rule above misses them
iptables -t filter -A INPUT -i eth1 -j DROP

Modifying iptables rules after running
# Inserts a rule at position 2 of the INPUT chain, accepting port 110 (POP3) on eth1
# Positions count from 1; the new rule must land above the "--state NEW -j DROP" rule or it never matches
iptables -t filter -I INPUT 2 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
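A hard-coded position such as 2 is only right until the chain changes; once rules are added or removed the number shifts, and an ACCEPT inserted below the "--state NEW -j DROP" rule never matches. The functions below, an added example and not part of the original page, take the position from the "iptables -S <chain>" listing instead: they number the -A lines of the chain (the -P policy line is not a rule and is skipped), find the first rule whose target is DROP or REJECT, and insert just above it, appending when the chain has no such rule. The listings used in the test are constructed sample output; open_port, which runs the result against the live firewall, needs root.

```sh
#!/bin/sh
# Added example (not from the original page): derive the "-I <chain> N"
# position from the running chain instead of hard-coding it.

# first_drop_rule CHAIN  (reads "iptables -S CHAIN" output on stdin)
# Prints the 1-based number of the first rule whose target is DROP or
# REJECT, or 0 when there is none.
first_drop_rule() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            # the target may be followed by options (e.g. --reject-with), so
            # scan for "-j" rather than assuming it is the last field
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "DROP" || $(i + 1) == "REJECT")) {
                    print n; found = 1; exit
                }
        }
        END { if (!found) print 0 }
    '
}

# open_port_cmd CHAIN IFACE PORT LISTING
# Prints the iptables command that accepts TCP connections to PORT on IFACE,
# placed just above the first DROP/REJECT rule found in LISTING, or appended
# when there is none.
open_port_cmd() {
    chain=$1 iface=$2 port=$3 listing=$4
    n=$(printf '%s\n' "$listing" | first_drop_rule "$chain")
    if [ "$n" -gt 0 ]; then
        printf 'iptables -t filter -I %s %s -i %s -p tcp -m tcp --dport %s -j ACCEPT\n' \
            "$chain" "$n" "$iface" "$port"
    else
        printf 'iptables -t filter -A %s -i %s -p tcp -m tcp --dport %s -j ACCEPT\n' \
            "$chain" "$iface" "$port"
    fi
}

# open_port CHAIN IFACE PORT: the same against the running firewall (needs root).
open_port() {
    cmd=$(open_port_cmd "$1" "$2" "$3" "$(iptables -S "$1")") || return 1
    echo "$cmd"
    $cmd
}
```

Run open_port INPUT eth1 110 as root to reproduce the page's POP3 example with the position computed from the live chain; open_port_cmd alone prints the command for review without changing anything.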

These commands list the current rules; -n skips DNS lookups, -v shows interfaces and packet counters, and --line-numbers shows the positions used with -I:
iptables -t filter -L -n -v --line-numbers
iptables -t nat -L -n -v --line-numbers
© 1999-2008 Edoceo, Inc.