Skip to content

Latest commit

 

History

History
59 lines (32 loc) · 1.72 KB

2.1-iptables.md

File metadata and controls

59 lines (32 loc) · 1.72 KB

2.1 Firewall (using iptables)

iptables is Linux's firewall. Install it the regular way:

sudo apt-get install iptables

Start adding rules (help here and here). Like this:

  1. Allow connections that are, well, ok:

     sudo iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
    
  2. Open a port that you want to be accessible from the outside. E.g. 80 for http, for example, or SSH (default 22).

     sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
     sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    

    Add a line for each port you wish to open, change the port number or tcp/udp where needed.

  3. Optionally, allow ping:

     sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    
  4. Block inbound traffic that is not allowed by any of your rules:

     sudo iptables -P INPUT DROP
    

When done adding rules, check the list in iptables:

sudo iptables -L

Save the rules to a test file:

sudo iptables-save > /etc/iptables.test.conf

Note how known ports such as 80 are shown as http, 443 as https, etc. Use iptables -L -n to get a 'normal' view without translated port numbers.

Happy? Save it for real (this and the previous file names are arbitrary, you can pick a different path):

iptables-save > /etc/iptables.up.conf

For the firewall to be useful, it should always run on boot. To start iptables on boot, create this file:

nano /etc/network/if-pre-up.d/iptables

And insert the following:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.conf

Make it executable:

chmod +x /etc/network/if-pre-up.d/iptables

And you're done!