Basic Firewall with iptables

Discussion in 'Linux Security' started by steelmanronald06, Nov 17, 2011.

  1. steelmanronald06

    steelmanronald06 Administrator Staff Member Staff Writer

    This how-to is about making a basic firewall.


    1. You will need root privileges (one way to become root is to run the command su from a terminal and then type the root password).

    Now, open the file /etc/rc.d/rc.local in a text editor. Add the text /etc/rc.d/rc.firewall on a new line at the end of the file. Save the file.
    Note that this entry makes the firewall start on your computer at boot. If you want to disable the firewall, just remove or comment this line (put a # at the start of the line).

    2. Now create a new file called rc.firewall in the /etc/rc.d directory and put the text below in it.
    Code:
    #!/bin/sh

    #Change the part after the = to where iptables is on your system
    IPTABLES=/sbin/iptables

    #Flush existing rules in the INPUT chain
    $IPTABLES -F INPUT

    #This allows all data that has been sent out from the computer running the firewall
    #to come back (for all of ICMP/TCP/UDP).
    #For example, if a ping request is made it will allow the reply back.
    #eth0 is assumed to be the interface facing the outside; change it if yours
    #is named differently (e.g. wlan0), otherwise replies will be dropped.
    $IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
    $IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
    $IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

    #Allow traffic from ethernet adapter eth1 to pass through if
    #you have a network, or
    #are using Linux as a router for internet etc.
    #Your first ethernet card is eth0 and the second would be eth1 etc.
    #$IPTABLES -A INPUT -i eth1 -j ACCEPT

    #Allow incoming FTP requests
    #$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
    #$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

    #Allow incoming SSH requests
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

    #Allow incoming HTTP requests (to Web server)
    #$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

    #Allow Ping echo
    #I have commented this line, so ping from an outside machine will not work.
    #Uncomment the next line to make ping from outside work.
    #$IPTABLES -A INPUT -p icmp -j ACCEPT

    #Drop and log all other data
    #Logging is rate-limited to 3 log entries per second with a burst of 5,
    #so a flood of dropped packets cannot fill the log or overload the computer
    #the firewall is running on (a DoS). Packets are dropped either way.
    #The negation goes before the option ("! -i lo"); the older "-i ! lo" form
    #is rejected by current iptables versions.
    $IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG
    $IPTABLES -A INPUT ! -i lo -j DROP

    #The logs from the firewall are put into your system log file, which can be found at
    #/var/log/syslog

    Save the file.

    Note: every line that starts with a # is only a comment.


    3. Run the command chmod 755 /etc/rc.d/rc.firewall to make the script executable.

    4. Run the command /etc/rc.d/rc.firewall to start the firewall.

    Remember this firewall is by no means perfect, but it does provide a basic level of protection and makes you "stealthed". (Stealthed means that your computer is invisible to most kinds of tests, but again this is not perfect.)
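    A helper for reading what the firewall above logs, added here as an example and not part of the original post: the LOG rule writes every dropped packet to the system log as a line of KEY=VALUE fields, and this POSIX sh/awk function counts those lines by a chosen field (DPT, PROTO or SRC). The log lines and the drop_summary name are constructed for the example; because the LOG rule is limited to 3 entries per second (burst 5), the counts are a lower bound during a flood.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the format the iptables LOG
# target writes (IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields). Not real log data;
# the last line is a non-firewall entry that must be ignored.
SAMPLE_LOG='Nov 17 10:01:02 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 17 10:01:03 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN
Nov 17 10:01:05 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=4000 DPT=53 LEN=20
Nov 17 10:01:09 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 10:02:00 host sshd[123]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2'

# drop_summary KEY  (KEY is a LOG field name such as DPT, PROTO or SRC)
# Reads syslog-style lines on stdin and prints "<count> <value>" per distinct
# value of KEY, most frequent first. Lines without the field get "-"
# (ICMP has no DPT, for example). Only kernel lines carrying IN= and PROTO=
# are counted, so ordinary syslog entries are skipped.
drop_summary() {
    key="$1"
    awk -v key="$key" '
    /kernel:/ && /IN=/ && /PROTO=/ {
        val = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) val = substr($i, n + 1)
        }
        count[val]++
    }
    END { for (v in count) print count[v], v }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Demo on the constructed sample. On a live system the same call would be:
#   drop_summary DPT < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | drop_summary DPT
```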
  2. MustangV10

    MustangV10 New Member

    Personally I use CSF, which I find great for a free firewall. Guess something like this is handy if you want to work from scratch, with no third party software.
  3. TheMugenFox

    TheMugenFox New Member

    Very nice tutorial. Thanks for sharing. I was looking for a way to make a firewall on my Mint system, and this looks perfect. Once again, thank you very much for sharing.
  4. datacentersystems

    datacentersystems New Member

    Nicely done!
  5. DaReaper

    DaReaper New Member

    Very nice! A basic level of protection is always better than not being protected in the first place. At present I use CSF & LFD and they're really performing well.

    But a couple of months ago, when I was setting up a VPN, I had to play around with iptables and temporarily have CSF disabled to test the VPN's functionality.

    I figured that I had to set PREROUTING and POSTROUTING rules as well as allow IPv4 forwarding, and the routing had to be done via iptables, which I found very impressive.
  6. DarthVader3257

    DarthVader3257 New Member

    A firewall is really important when it comes to ensuring security for your computer, but I am still a bit iffy on the topic of iptables. What exactly is it? Is it some sort of firewall software? Is it used to enhance security?
  7. Darwin

    Darwin New Member

    Smart :) I need to complete some firewalls on a couple of machines so I will be taking a good look at this.
  8. williamxaviers

    williamxaviers New Member

    Seems a free tutorial and useful for many professionals. Even though I have never tried to turn on the firewall by typing commands, I was in doubt whether using a "#" might create any other request to run rather than that of the firewall, as I am a little weak in Linux.
