townx - Simple firewall for Ubuntu using iptables - Comments

Thanks. That does look like

elliot — Tue, 21 Oct 2008 13:26:59 -0500

Thanks. That does look like an improvement. Like I said in the post, I'm not really an iptables expert!

Ooops! Forgot the LocalHost...

Lifenstein — Sun, 19 Oct 2008 18:03:15 -0500

iptables -A INPUT -i lo -j ACCEPT

Simpler Alternative (?)

Lifenstein — Sun, 19 Oct 2008 17:48:21 -0500

For a personal home computer (running no services for the outside world), here is a simpler version :

#!/bin/bash
############################################################
#---- Script to setup a simple firewall using iptables -----
###
# * Blocks all incoming connections, except those opened by
# me, or related to already open connections
# * Blocks all forward requests
# * Allows all outgoing connections
###
############################################################

# Clearing all previous rules
iptables -F
# Setting Default Policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allowing already-established and related-incoming connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Only if you're running a web

elliot — Sat, 02 Aug 2008 15:40:41 -0500

Only if you're running a web server :)

firewall

Guest — Thu, 08 May 2008 03:01:53 -0500

Hi,
Great script - I've used it as the starter for my setup.

ShieldsUP notes that your script shows ports 0 and 1 as closed rather than in stealth mode, and also doesn't drop ICMP packets - meaning that if the machines are directly attached to the internet via ppp, or with an ADSL modem with no firewall, then they can be discovered.

Also your script doesn't handle dialup connections.

The following changes mitigates against these:

drop everything else on ppp
iptables -A INPUT -i ppp+ -p udp -j DROP
iptables -A INPUT -i ppp+ -p tcp -m tcp --syn -j DROP
iptables -A INPUT -i ppp+ -p icmp -j DROP
Explcitly deal with port 0
iptables -A INPUT -j DROP -p tcp --sport 0
iptables -A INPUT -j DROP -p udp --sport 0
iptables -A INPUT -j DROP -p tcp --dport 0
iptables -A INPUT -j DROP -p udp --dport 0
Explcitly deal with port 1
iptables -A INPUT -j DROP -p tcp --sport 1
iptables -A INPUT -j DROP -p udp --sport 1
iptables -A INPUT -j DROP -p tcp --dport 1
iptables -A INPUT -j DROP -p udp --dport 1

regards

Colin

Thx ;)

Prakash — Wed, 30 Apr 2008 18:18:12 -0500

thanks!though iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT is needed!

What, the ports became

elliot — Sun, 18 Nov 2007 18:07:54 -0600

What, the ports became unavailable? Or the services stopped running? When you stopped the firewall? If you set it up as above, stopping the firewall shouldn't touch other services, and should definitely not block them.

shit

alex rose — Sun, 18 Nov 2007 11:09:12 -0600

when i typed /etc/init.d/firewall stop ssh, apache gone away .. :(
why ?

Thanks for that, Roy. I've

elliot — Tue, 02 Oct 2007 13:20:28 -0500

Thanks for that, Roy. I've used some of the GUIs before, but the simple ones can't cope with the scenario outlined in the article. While fwbuilder probably could, I like the simplicity of my script, and have used it succesfully without touching it for about 3 years. I'm very happy with it.

Great, glad it was helpful.

elliot — Tue, 02 Oct 2007 13:19:19 -0500

Great, glad it was helpful.

short and sweet, works as

Reid — Mon, 01 Oct 2007 22:57:55 -0500

short and sweet, works as advertised! happy customer here.

iptables

Guest — Fri, 14 Sep 2007 15:20:42 -0500

One of the most impressive tools for building iptables firewalls is fwbuilder at www.fwbuilder.org.
This fantastic GUI app writes the iptables for you in a way that is easy to read.

Really good for heavy weight firewalling.

Roy.

Thanks Michael. Glad to be

elliot — Thu, 06 Sep 2007 09:30:35 -0500

Thanks Michael. Glad to be of service.

So simple!

Michael — Sun, 26 Aug 2007 21:42:07 -0500

I've fooled with iptables off and on for a few years now. Never quite getting all the pieces right. Thanks for bringing it back down to Earth with a simple as pie approach to setting the rules and integrating with start up. It was good to learn a thing or two about update-rc.d. That was an interesting tool I hadn't seen before.

One note: Add your input accept rules (like port 80 for HTTP BEFORE you drop everything else). Took me a couple minutes to figure that one out, but otherwise, all else was smooth sailing.

--Michael

Very helpful. Thanks for

Guest — Thu, 21 Jun 2007 00:05:29 -0500

Very helpful. Thanks for posting.

Simple firewall for Ubuntu using iptables

elliot — Wed, 05 Apr 2006 09:36:10 -0500

Linux's built-in firewall iptables is very useful, but pretty hard to configure. I used to use lokkit, but this caused problems when moving between different networks. I was also having problems with the network configuration tools in Ubuntu, which work but aren't automatic enough for me. And I wanted to be able to switch the firewall and the network configuration simultaneously.

In the end, I bit the bullet and worked out how to write a simple iptables script. Here it is:

#!/bin/bash
# flush all chains
iptables -F
# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

I have network interfaces on eth0 and eth1, so this script has rules which cover both; if your interfaces have different names, you will need to edit the rules to cover that. This drops everything incoming, except for connections which were initially established by my outgoing packets (thanks Luke! - see comments); which means it's no good for servers.

I put this script in /opt/scripts/iptables.script and made it executable. Once you run it, you can find out whether it has worked by displaying your current iptables rules with:

sudo iptables -L -v

I then created a simple init script to start/stop the firewall (in /etc/init.d/firewall):

#!/bin/bash
if [[ $1 == start ]] ; then
  sudo /opt/scripts/iptables.script
else
  sudo iptables -F
fi

Then I symlinked this into my /etc/rc.* directories using the update-rc.d tool, so the firewall starts before the network comes up:

update-rc.d firewall start 20 2 3 4 5 . stop 99 0 1 6 .

I find having this script helps me a lot. I have it integrated with a start/stop script with my network, so I can easily switch network and firewall configuration from the command line.