townx - Simple firewall for Ubuntu using iptables - Comments

My example got formatted

Guest — Fri, 05 Mar 2010 22:55:14 -0600

My example got formatted queerly. The 1's are actually script comments. Cheers!

This worked perfectly for my

Guest — Fri, 05 Mar 2010 22:51:27 -0600

This worked perfectly for my needs. Thanks!

For those who want to ACCEPT specific ports for services like HTTPD, be sure to put those rules before the DROP rules. I fiddled with this for an hour before I figured out that the first rule that matches is the one that gets applied.

eg.

Allow specific TCP inputs
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT # http

iptables -A INPUT -i eth1 -p tcp --dport 3306 -s 10.176.84.219 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3306 -s 10.176.85.10 -j ACCEPT

drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP

I was once try out the

WeightLoss Coach — Sat, 07 Feb 2009 10:39:14 -0600

I was once try out the ubuntu, but end up keep getting error on the eth0, in which I think it is related to the network card that I have. I try your script which I thought it got something to do with my error, but still fail. Would a firewall cause my eth0(network card) to have such error? I've tried changed few cards which is still the same.

firewall init.d script

Guest — Mon, 05 Jan 2009 16:57:46 -0600

if you change the POLICIES to DROP and run the init.d script with anything other than a "start" argument, you will flush your rules, but since the policy is DROP , you will not be able to access

Thanks. That does look like

elliot — Tue, 21 Oct 2008 13:26:59 -0500

Thanks. That does look like an improvement. Like I said in the post, I'm not really an iptables expert!

Ooops! Forgot the LocalHost...

Lifenstein — Sun, 19 Oct 2008 18:03:15 -0500

iptables -A INPUT -i lo -j ACCEPT

Simpler Alternative (?)

Lifenstein — Sun, 19 Oct 2008 17:48:21 -0500

For a personal home computer (running no services for the outside world), here is a simpler version :

#!/bin/bash
############################################################
#---- Script to setup a simple firewall using iptables -----
###
# * Blocks all incoming connections, except those opened by
# me, or related to already open connections
# * Blocks all forward requests
# * Allows all outgoing connections
###
############################################################

# Clearing all previous rules
iptables -F
# Setting Default Policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allowing already-established and related-incoming connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Only if you're running a web

elliot — Sat, 02 Aug 2008 15:40:41 -0500

Only if you're running a web server :)

firewall

Guest — Thu, 08 May 2008 03:01:53 -0500

Hi,
Great script - I've used it as the starter for my setup.

ShieldsUP notes that your script shows ports 0 and 1 as closed rather than in stealth mode, and also doesn't drop ICMP packets - meaning that if the machines are directly attached to the internet via ppp, or with an ADSL modem with no firewall, then they can be discovered.

Also your script doesn't handle dialup connections.

The following changes mitigates against these:

drop everything else on ppp
iptables -A INPUT -i ppp+ -p udp -j DROP
iptables -A INPUT -i ppp+ -p tcp -m tcp --syn -j DROP
iptables -A INPUT -i ppp+ -p icmp -j DROP
Explcitly deal with port 0
iptables -A INPUT -j DROP -p tcp --sport 0
iptables -A INPUT -j DROP -p udp --sport 0
iptables -A INPUT -j DROP -p tcp --dport 0
iptables -A INPUT -j DROP -p udp --dport 0
Explcitly deal with port 1
iptables -A INPUT -j DROP -p tcp --sport 1
iptables -A INPUT -j DROP -p udp --sport 1
iptables -A INPUT -j DROP -p tcp --dport 1
iptables -A INPUT -j DROP -p udp --dport 1

regards

Colin

Thx ;)

Prakash — Wed, 30 Apr 2008 18:18:12 -0500

thanks!though iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT is needed!

What, the ports became

elliot — Sun, 18 Nov 2007 18:07:54 -0600

What, the ports became unavailable? Or the services stopped running? When you stopped the firewall? If you set it up as above, stopping the firewall shouldn't touch other services, and should definitely not block them.

shit

alex rose — Sun, 18 Nov 2007 11:09:12 -0600

when i typed /etc/init.d/firewall stop ssh, apache gone away .. :(
why ?

Thanks for that, Roy. I've

elliot — Tue, 02 Oct 2007 13:20:28 -0500

Thanks for that, Roy. I've used some of the GUIs before, but the simple ones can't cope with the scenario outlined in the article. While fwbuilder probably could, I like the simplicity of my script, and have used it succesfully without touching it for about 3 years. I'm very happy with it.

Great, glad it was helpful.

elliot — Tue, 02 Oct 2007 13:19:19 -0500

Great, glad it was helpful.

short and sweet, works as

Reid — Mon, 01 Oct 2007 22:57:55 -0500

short and sweet, works as advertised! happy customer here.

Simple firewall for Ubuntu using iptables

elliot — Wed, 05 Apr 2006 09:36:10 -0500

Linux's built-in firewall iptables is very useful, but pretty hard to configure. I used to use lokkit, but this caused problems when moving between different networks. I was also having problems with the network configuration tools in Ubuntu, which work but aren't automatic enough for me. And I wanted to be able to switch the firewall and the network configuration simultaneously.

In the end, I bit the bullet and worked out how to write a simple iptables script. Here it is:

#!/bin/bash
# flush all chains
iptables -F
# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

I have network interfaces on eth0 and eth1, so this script has rules which cover both; if your interfaces have different names, you will need to edit the rules to cover that. This drops everything incoming, except for connections which were initially established by my outgoing packets (thanks Luke! - see comments); which means it's no good for servers.

I put this script in /opt/scripts/iptables.script and made it executable. Once you run it, you can find out whether it has worked by displaying your current iptables rules with:

sudo iptables -L -v

I then created a simple init script to start/stop the firewall (in /etc/init.d/firewall):

#!/bin/bash
if [[ $1 == start ]] ; then
  sudo /opt/scripts/iptables.script
else
  sudo iptables -F
fi

Then I symlinked this into my /etc/rc.* directories using the update-rc.d tool, so the firewall starts before the network comes up:

update-rc.d firewall start 20 2 3 4 5 . stop 99 0 1 6 .

I find having this script helps me a lot. I have it integrated with a start/stop script with my network, so I can easily switch network and firewall configuration from the command line.