Table of Contents
Simple ubuntu server firewall script
/etc/firewall/firewall
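#!/bin/bash
# Simple server firewall loader.
#
# Restores the iptables ruleset from firewall.conf, then appends every
# address/net listed in firewall_drop.conf to the DROPLIST chain. The
# ruleset must declare that chain (":DROPLIST - [0:0]") and jump to it from
# INPUT; because iptables-restore recreates the chain on every run, the
# droplist does not accumulate duplicates across runs.
#
# Link this in if-up.d so it runs whenever an interface comes up:
#   ln -s /etc/firewall/firewall /etc/network/if-up.d/firewall
#
# Exit status: 0 when the ruleset was restored (or no ruleset file exists),
# 1 when iptables-restore fails (the firewall is then NOT in the expected
# state and the script says so on stderr instead of printing success).

set -u

readonly FIREWALL=/etc/firewall/firewall.conf
readonly DROPLIST=/etc/firewall/firewall_drop.conf

#######################################
# Check that a droplist line looks like an IPv4 address or CIDR net.
# Only such lines are handed to iptables, so template text, comments or
# stray words in the file produce a warning instead of an iptables error.
# Arguments: $1 - one line from the droplist, surrounding whitespace removed
# Returns:   0 for a.b.c.d or a.b.c.d/n (0 <= n <= 32), 1 otherwise
#######################################
is_drop_entry() {
  local octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
  local re="^${octet}(\.${octet}){3}(/([0-9]|[12][0-9]|3[0-2]))?$"
  [[ "$1" =~ $re ]]
}

#######################################
# Append every valid entry of the droplist to the DROPLIST chain.
# Globals:   DROPLIST (read; the file is re-sorted in place)
# Outputs:   number of addresses added on stdout; skipped lines on stderr
# Returns:   0
#######################################
load_droplist() {
  local entry drops=0
  # Keep the file in numeric IPv4 order so it stays easy to read and diff.
  sort -o "$DROPLIST" -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 -- "$DROPLIST"
  # -r keeps backslashes literal; the || clause still processes a last line
  # that has no trailing newline. Default IFS trims surrounding whitespace.
  while read -r entry || [[ -n "$entry" ]]; do
    # Blank lines and '#' comments are allowed in the file; skip them quietly.
    [[ -z "$entry" || "$entry" == \#* ]] && continue
    if ! is_drop_entry "$entry"; then
      printf 'droplist: skipping line that is not an IPv4 address/net: %q\n' "$entry" >&2
      continue
    fi
    # Only count entries iptables actually accepted.
    if iptables -A DROPLIST -s "$entry" -j DROP; then
      drops=$((drops + 1))
    fi
  done < "$DROPLIST"
  echo "Addresses in droplist: $drops"
  return 0
}

#######################################
# Restore the ruleset and load the droplist.
# Globals:   FIREWALL, DROPLIST (read)
# Returns:   0 on success or when there is no ruleset to load,
#            1 when the restore fails
#######################################
main() {
  # No readable ruleset: nothing to do.
  [[ -r "$FIREWALL" ]] || return 0
  echo "Resetting newioit firewall"
  # A failed restore must not be reported as "configured": whatever rules
  # were active before (possibly none) are still what is in effect.
  if ! iptables-restore < "$FIREWALL"; then
    echo "iptables-restore failed, firewall NOT configured" >&2
    return 1
  fi
  if [[ -r "$DROPLIST" ]]; then
    load_droplist
  fi
  echo "Firewall configured"
}

main "$@"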
/etc/firewall/firewall.conf
# /etc/firewall/firewall.conf - loaded with iptables-restore by /etc/firewall/firewall.
# NOTE(review): all three built-in policies are ACCEPT; it is the final REJECT
# rule that closes the host, so a chain flush (iptables -F) leaves INPUT wide
# open until the next restore. FORWARD has no rules at all, so if IP forwarding
# is enabled on this box it forwards everything.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DROPLIST - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The droplist, leave this here even if not using it (the loader script
# appends to this chain; it must exist or the script's iptables calls fail).
# NOTE(review): this jump sits after the ESTABLISHED,RELATED accept, so a
# connection that is already open from a listed address keeps working until
# it ends; place the jump above that rule to cut existing connections too.
-A INPUT -j DROPLIST
# SSH from anywhere, log attempts
# NOTE(review): the LOG rule has no -m limit, so a connection flood on port 22
# fills the log at line rate; consider -m limit --limit N/minute on it.
-A INPUT -p tcp --dport 22 -m state --state NEW -j LOG
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Mail from anywhere
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# IMAP *removed
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
# BIND from anywhere
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# Apache2 from anywhere
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Monitoring from home only (SNMP on 161/udp and an agent on 36602/tcp,
# restricted to a single source address)
-A INPUT -s 124.170.224.117 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A INPUT -s 124.170.224.117 -p tcp -m state --state NEW -m tcp --dport 36602 -j ACCEPT
# Be nice, use DROP if more stealth needed
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -j DROP
COMMIT
/etc/firewall/firewall_drop.conf
[Add IP addresses or nets here]
A RHEL Template
Allow ssh from all
Allow telnet, http, samba from specific address
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# Template: SSH open to all; telnet, HTTP and Samba only from one source
# address. Replace every xxx.xxx.xxx.xxx placeholder before loading this file.
# NOTE(review): both INPUT and FORWARD are sent through the same chain, and the
# built-in policies are ACCEPT, so the final REJECT in RH-Firewall-1-INPUT is
# the only thing closing the host.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Protocols 50 and 51 are IPsec ESP and AH.
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# 5353/udp to 224.0.0.251 is mDNS; 631 is IPP (CUPS printing). Both come from
# the stock desktop template and are open to any source here; remove them on a
# server that does not need them.
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Telnet (cleartext) and HTTP, only from the placeholder source address
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -s xxx.xxx.xxx.xxx -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s xxx.xxx.xxx.xxx -j ACCEPT
# Samba / NetBIOS (137-139) and SMB (445), only from the placeholder source
-A RH-Firewall-1-INPUT -m udp -p udp --dport 137 -s xxx.xxx.xxx.xxx -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 138 -s xxx.xxx.xxx.xxx -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -s xxx.xxx.xxx.xxx -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -s xxx.xxx.xxx.xxx -j ACCEPT
# Everything else is refused with an ICMP error (use DROP for a silent host).
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Log connections to port
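# Log each new TCP connection attempt to port 53 (DNS).
# The limit match keeps a flood of connection attempts from filling the log:
# at most 5 entries per minute with a burst of 10, further matches fall
# through without logging. The prefix makes the entries easy to search for.
# LOG is a non-terminating target: this rule only logs, so an ACCEPT or DROP
# rule for port 53 still has to follow it.
iptables -A INPUT -p tcp --dport 53 -m state --state NEW \
  -m limit --limit 5/minute --limit-burst 10 \
  -j LOG --log-prefix "NEW-TCP-53: "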
Block IP addresses
# Drop all traffic from a single address (inbound) and to it (outbound).
# -I inserts at the top of the chain, so the rule takes precedence over any
# earlier ESTABLISHED,RELATED accept and cuts connections that are already open.
iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
iptables -I OUTPUT -d xxx.xxx.xxx.xxx -j DROP
# Subnet: the same for a whole /24 network
iptables -I INPUT -s xxx.xxx.xxx.0/24 -j DROP
Load Balancing
Every 3rd new packet goes to a different web server
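# Round-robin new HTTPS connections arriving on eth0 across the backends, one
# "nth" slot per backend.
# DNAT and the PREROUTING chain live in the nat table, so -t nat is required;
# without it iptables rejects the rule because the filter table has no
# PREROUTING chain.
# NOTE(review): -m nth is an out-of-tree (patch-o-matic) match; on a stock
# kernel the mainline equivalent is -m statistic --mode nth. The FORWARD chain
# must also allow eth0 -> backend traffic and net.ipv4.ip_forward must be
# enabled for the translated packets to be delivered.
backends=(192.168.1.101 192.168.1.102 192.168.1.103)
for i in "${!backends[@]}"; do
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW \
    -m nth --counter 0 --every "${#backends[@]}" --packet "$i" \
    -j DNAT --to-destination "${backends[$i]}:443"
done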
Port Forwarding
The following example forwards all traffic arriving on port 442 to port 22.
# Redirect TCP connections arriving at 192.168.102.37 on port 422 to the SSH
# daemon on port 22 of the same host. The translation happens in the nat
# table's PREROUTING chain, before the filter INPUT chain sees the packet, so
# INPUT must accept port 22 (not 422) for the connection to succeed.
# NOTE(review): the text above says port 442 while this rule matches
# --dport 422 - confirm which port is intended.
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
NAT
eth1 is connected to the external network (the internet) and eth0 to the internal network (for example 192.168.1.x).
# Allow packets entering on the internal interface (eth0) to be forwarded out
# of the external one (eth1).
# On its own this only permits forwarding; it does not translate addresses.
# For the internal network to reach the internet you additionally need
# net.ipv4.ip_forward=1 and a source-NAT rule in the nat table (POSTROUTING,
# -o eth1, e.g. MASQUERADE), and replies must be allowed back eth1 -> eth0
# (ESTABLISHED,RELATED) unless the FORWARD policy is ACCEPT.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Block everything except ssh
# Block everything except SSH. Both INPUT and FORWARD are routed through the
# PeteWall-1-INPUT chain, which ends in an unconditional DROP, so this host
# neither accepts nor forwards anything but loopback, ICMP, replies to its own
# connections, and new SSH connections.
# NOTE(review): the built-in policies are ACCEPT; the trailing DROP is what
# closes the host, so a chain flush leaves it open until the file is reloaded.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PeteWall-1-INPUT - [0:0]
-A INPUT -j PeteWall-1-INPUT
-A FORWARD -j PeteWall-1-INPUT
-A PeteWall-1-INPUT -i lo -j ACCEPT
-A PeteWall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A PeteWall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A PeteWall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Uncomment to log what is about to be dropped (log-level 4 = warning).
# Without -m limit this logs every dropped packet, so pair it with a limit
# on a busy host.
#-A PeteWall-1-INPUT -j LOG --log-level 4
-A PeteWall-1-INPUT -j DROP
COMMIT