Monday March 14, 2005 at 13:23
Subject: The Simple Firewall
Keywords:
Firewall, iptables, netfilter, Tech
Posted by: Kevin Fenzi
With any modern Linux distribution (one using the netfilter/iptables firewall modules),
you can set up a quite effective and simple firewall in a few seconds that blocks
unsolicited inbound connections while letting your own outbound traffic, and the replies
to it, through unhindered. Read on for the simple 3 or 4 line iptables firewall.
Here's what you need to type as root on your machine:
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -j LOG (optional rule)
/sbin/iptables -A INPUT -j REJECT

This assumes you have no firewall loaded. If you do, you might do a:

/sbin/service iptables stop

first. You can then do a:

/sbin/service iptables save

to save your firewall (that is the Red Hat/Fedora init script; it writes the running rules to /etc/sysconfig/iptables so they are reloaded at boot).

iptables walks the INPUT chain top to bottom and applies the first rule that matches, so the order matters. The first rule tells netfilter's connection tracking to check whether an incoming packet belongs to a connection that is already established (typically one you opened from this machine) or is related to one (an ICMP error for it, or the data connection of a tracked FTP session); if so, the packet is accepted. This is what lets all your regular outgoing connections get their replies. The second (optional) rule logs every packet that did not match the first rule, that is, every packet not related to a connection you established, which includes every new inbound connection attempt. Note that on a busy network that will generate a lot of log messages. The final rule rejects everything else; REJECT sends an ICMP port-unreachable back to the sender, whereas DROP would discard the packet silently.
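The same rule set, as an added example that is not part of the original post, written in the iptables-restore(8) format so it can be reviewed as a file, loaded atomically, and restored at boot on any distribution rather than only where service iptables save exists. Two things here go beyond the three lines above and are my additions, not the post's: an explicit accept for the loopback interface (without it, connections to services on this machine at 127.0.0.1 are rejected by the final rule, since their first packet is neither established nor related) and an -m limit match on the optional LOG rule, which keeps a busy network from flooding the log. The function names are hypothetical helpers chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the three-rule firewall above,
# plus an explicit loopback rule, emitted in iptables-restore(8) format so it
# can be reviewed before loading and restored at boot without the
# Red Hat-specific "service iptables save". Function names are hypothetical.

# simple_firewall_rules [LOG]: print the ruleset; pass 1 to include the
# optional (rate-limited) LOG rule, 0 or nothing to leave it out.
simple_firewall_rules() {
    log_dropped="${1:-0}"
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Local services (CUPS, Webmin, ...) reached via 127.0.0.1 arrive on lo.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related traffic (ICMP errors,
# FTP data connections) tracked by conntrack.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    if [ "$log_dropped" = "1" ]; then
        # Rate-limit so a busy network cannot flood the log (my addition).
        echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT: "'
    fi
    cat <<'EOF'
# Everything else: answer with ICMP port-unreachable (use DROP to stay silent).
-A INPUT -j REJECT
COMMIT
EOF
}

# rule_count: number of -A rules in a ruleset read from stdin.
rule_count() {
    grep -c '^-A '
}

# apply_simple_firewall [LOG]: load the whole table atomically (needs root).
apply_simple_firewall() {
    simple_firewall_rules "$1" | iptables-restore
}

# save_simple_firewall [LOG] [FILE]: write the ruleset for boot-time restore,
# e.g. from rc.local:  iptables-restore < /etc/iptables.rules
save_simple_firewall() {
    simple_firewall_rules "$1" > "${2:-/etc/iptables.rules}"
}

# Review what would be loaded:
simple_firewall_rules 1
```

Review the output of simple_firewall_rules before calling apply_simple_firewall; iptables-restore replaces the filter table in one step, so a typo rejects the whole file rather than leaving the chain half-built.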
| Comment |
Charles Subject: Quick firewall... |
This will also cut off access to CUPS & Webmin... For example: On the machine where one used the quick firewall, one had CUPS and Webmin running. Run the quick firewall additions... BING! Use the same machine to access CUPS and Webmin... and no joy. :-)
Charles
| Comment |
Author:
kevin Subject: additional rule |
This will also cut off access to CUPS & Webmin... For example: On the machine where one used the quick firewall, one had CUPS and Webmin running. Run the quick firewall additions... BING! Use the same machine to access CUPS and Webmin... and no joy. :-)
Yeah, for machines where you have services you need to access by going to a localhost address, you will need to add a:
iptables -A INPUT -i lo -j ACCEPT
to the top.
| Comment |
Charles Subject: Simple FIrewall |
Kevin:
Thanks for spurring me on to learn about iptables!!! :-) So many things to learn...

I do not think the following is a good idea:

iptables -A INPUT -i lo -j ACCEPT

That has the effect of opening up the system totally. When I load the rule above, this is the output from a service iptables status:

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

I don't think allowing anything from anywhere was the intended effect. What I did was put in a rule like the following:

iptables -I INPUT 2 -s 127.0.0.1 -j ACCEPT

which gives the following output with a service iptables status:

ACCEPT all -- 127.0.0.1 0.0.0.0/0

Thanks for your time.
Charles
| Comment |
Author:
kevin Subject: iptables status misleading |
Thanks for spurring me on to learn about iptables!!! :-) So many things to learn...
Yeah, iptables is great! :)
I do not think the following is a good idea:
iptables -A INPUT -i lo -j ACCEPT
That has the effect of opening up the system totally. When I load the rule above, this is the output from a service iptables status:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Ah, I can see how it would look that way. By default the status doesn't show things like interfaces or the like. It's not really open to everything, only packets coming in (-i) on interface lo.
If you do:
iptables -L -n -v -x
it will show you the interfaces involved, as well as giving you an exact packet count. You can then test and see which rules packets matched on. The rule above really only opens to packets coming in on the loopback interface, not all packets.
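The check described in the reply above, as an added example that is not part of the original thread: a small script that reads the output of iptables -L -n -v -x and, for each rule in the INPUT chain, prints the rule number, target, in-interface and exact packet count, so you can confirm that the "-i lo" rule is scoped to the loopback interface and see which rule your test packets hit. The sample output embedded in the script is constructed for offline testing, not a real capture, and the function names are hypothetical helpers chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise "iptables -L -n -v -x"
# output per INPUT rule so you can see what each rule is scoped to and which
# rule your test packets matched. Function names are hypothetical.

# Constructed sample output (not a real capture) for offline use.
SAMPLE_STATUS='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     142    11360 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   30215 41207733 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      17     1004 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
      17     1004 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31002 packets, 2551170 bytes)
    pkts      bytes target     prot opt in     out     source               destination
'

# input_rule_hits: stdin = "iptables -L -n -v -x" output.
# Prints one line per INPUT rule: "<rule#> <target> <in-iface> <pkts>".
# Columns in the -v listing are: pkts bytes target prot opt in out src dst ...
input_rule_hits() {
    awk '
        /^Chain /        { chain = $2; n = 0; next }   # start of a chain
        /^ *pkts +bytes/ { next }                        # column header line
        NF == 0          { next }                        # blank separator
        chain == "INPUT" { n++; print n, $3, $6, $1 }    # target, in, pkts
    '
}

# rule_in_iface N: the in-interface of INPUT rule N ("*" means any interface).
# For the "-A INPUT -i lo -j ACCEPT" rule this prints "lo", which is what the
# plain "service iptables status" listing hides.
rule_in_iface() {
    input_rule_hits | awk -v want="$1" '$1 == want { print $3 }'
}

# rejected_pkts: packets that fell through every ACCEPT and hit REJECT.
rejected_pkts() {
    input_rule_hits | awk '$2 == "REJECT" { s += $4 } END { print s + 0 }'
}

# On a live system (needs root):   iptables -L -n -v -x | input_rule_hits
# Offline, against the constructed sample:
printf '%s\n' "$SAMPLE_STATUS" | input_rule_hits
```

To see which rule a particular packet matches, note the counters, make one connection attempt (for example to a closed port from another host), and run the listing again: exactly one rule's packet count should move.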