Example iptables firewallExample iptables firewall The following is an example iptables firewall that allows incoming ssh connections from an individual IP address (192.168.1.100), allows all outbound traffic, and uses stateful inspection. This iptables firewall is suited for a single-homed firewall with support for remote ssh administration. For personal use, you may not want egress (outbound) filtering of network traffic. Of course, a multi-homed corporate firewall should employ egress filtering as well as ingress (inbound) filtering. The script was developed based on information in Robert Ziegler's Linux Firewalls book. More information on iptables is available at http://www.linux-firewall-tools.com/linux/ #!/bin/sh # Kernel monitoring support # More information: # /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt # http://www.linuxgazette.com/book/view/1645 # http://www.spirit.com/Network/net0300.html # Drop ICMP echo-request messages sent to broadcast or multicast addresses echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Drop source routed packets echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Enable TCP SYN cookie protection from SYN floods echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Don't accept ICMP redirect messages echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Don't send ICMP redirect messages echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects # Enable source address spoofing protection echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Log packets with impossible source addresses echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Flush all chains /sbin/iptables --flush # Allow unlimited traffic on the loopback interface /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A OUTPUT -o lo -j ACCEPT # Set default policies /sbin/iptables --policy INPUT DROP /sbin/iptables --policy OUTPUT DROP /sbin/iptables --policy FORWARD DROP # Previously initiated and accepted exchanges bypass rule checking # Allow unlimited outbound traffic /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Allow incoming TCP port 22 (ssh) traffic from office /sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT # Drop all other traffic /sbin/iptables -A INPUT -j DROP # Have these rules take effect when iptables is started /sbin/service iptables save That is the end of the original script. If you want to make a syslog entry of dropped packets, change: # Drop all other traffic /sbin/iptables -A INPUT -j DROP To: # Create a LOGDROP chain to log and drop packets /sbin/iptables -N LOGDROP /sbin/iptables -A LOGDROP -j LOG /sbin/iptables -A LOGDROP -j DROP # Drop all other traffic /sbin/iptables -A INPUT -j LOGDROP You may also want to configure the --log-level to log dropped packets to a separate file instead of /var/log/messages: # Drop all other traffic /sbin/iptables -A INPUT -j LOGDROP --log-level debug /etc/syslog.conf change: # Send iptables LOGDROPs to /var/log/iptables kern.=debug /var/log/iptables Reload the syslogd service for the change to take effect. /sbin/service syslog reload If you do not want to allow incoming ssh, remove: # Allow port 22 (ssh) TCP traffic from office /sbin/iptables -A INPUT -p tcp -s 192.168.1.100/32 --dport 22 -m state --state NEW -j ACCEPT Back to brandonhutchinson.com. Last modified: 02/20/2004