Home > Uncategorized > Build a Simple iptables Firewall

Build a Simple iptables Firewall

Simple iptables Firewall
This simple firewall is OK for a desktop system so that you can use it and then modify it later and in the process learn iptables. The script will work with basically any Linux distro and of course you must make all modifications as root. Be sure to test your set up before you depend upon it.

Create the script with a text editor and save it in /etc/rc.d/rc.firewall . Change the permissions so that it is executable:
chmod 755 /etc/rc.d/rc.firewall

One modification you must make is to place the IP Address of the DNS server you want to use and replace:
your_dns_server_ip

Here is the script:
#!/bin/sh
#
# Simple firewall placed in /etc/rc.d/rc.firewall
# chmod 755 /etc/rc.d/rc.firewall
#

iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -s your_dns_server_ip –sport 53 -j ACCEPT
iptables -A INPUT -p tcp –syn -j REJECT
iptables -A INPUT -p udp -j REJECT

Explanation of the Script:
This script will clean out all previous rules when it starts and will provide you security in that it will not allow any computer to initiate a connection to your box. This is the line that shows no –syn connections.
iptables -A INPUT -p tcp –syn -j REJECT

That way you have a simple firewall and you can add to it later.

If you want the script to start automatically on boot edit your /etc/rc.local file and add the line:
sh /etc/rc.d/rc.firewall

Here is an example of rc.local.

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will “exit 0″ on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /etc/rc.d/rc.firewall
exit 0

About these ads
  1. lol
    December 9, 2008 at 2:50 am

    pretty confusing

  2. anders
    May 13, 2009 at 2:48 pm

    You should ALWAYS have policy REJECT and NEVER have policy ACCEPT.

    That is base facts when you create a firewall. That is becouse you should specify WHAT to accept. If you make a mistake with policy REJECT, you will prob. notice it and make the firewall work.
    With policy ACCEPT, you can as well remove the firewall all together, as it depends on you closing all ports that you are not shore is safe (which is most of them).

    # So always start with remove all old rules
    iptables -F
    # Remove all non-standarde user chains
    iptables -X
    # Set policy to REJECT
    iptables -P INPUT REJECT
    iptables -P OUTPUT REJECT
    iptables -P FORWARD REJECT
    # If we do not want to be a router, we do not need to change FORWARD filter in table filer
    # ALWAYS allow send to loopback end recive from loopback
    iptables -t filter -A INPUT -i lo -j ALLOW
    iptables -t filter -A OUTPUT -i lo -j ALLOW
    # Now, we can assume that we can send all in this simple example
    iptables -t filter -A OUTPUT -j ALLOW
    # But we only allow ssh into our machine
    iptables -t filter -A INPUT -sport 22 -j ALLOW
    # etc

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 57 other followers

%d bloggers like this: