Simple Stateful Firewall
Prerequisites
Most, if not all, GNU/Linux distributions ship a default kernel that has the netfilter module.
Required Packages
Most, if not all, GNU/Linux distributions have the iptables package/binary installed by default.
Configure IPTables
/etc/iptables/iptables.rules
# SIMPLE STATEFUL FIREWALL
*filter

# CONFIGURE DEFAULT CHAINS
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100308:88697975]

# ADD USER CHAINS
:TCP - [0:0]
:UDP - [0:0]

# ALLOW ESTABLISHED CONNECTIONS, AND CONNECTIONS RELATED TO SUCH
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ALLOW CONNECTIONS FROM LOCALHOST
-A INPUT -i lo -j ACCEPT

# DROP PACKETS THAT HAVE INVALID HEADERS, CHECKSUMS, TCP FLAGS, OR ICMP MESSAGES, AND PACKETS OUT OF SEQUENCE
-A INPUT -m conntrack --ctstate INVALID -j DROP

# ALLOW PINGS
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# HAND NEW UDP CONNECTIONS AND NEW TCP CONNECTIONS THAT START WITH A PROPER SYN TO THE USER CHAINS;
# NEW TCP PACKETS WITHOUT A CORRESPONDING SYN FALL THROUGH TO THE TCP RESET BELOW
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP

# REJECT UDP STREAMS IF PORT IS NOT OPEN
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# REJECT TCP CONNECTION IF PORT IS NOT OPEN
-A INPUT -p tcp -j REJECT --reject-with tcp-reset

# REJECT ALL OTHER TRAFFIC
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# OPEN NECESSARY PORTS HERE
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT -m comment --comment "smtp"
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
-A TCP -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "smtps"
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT -m comment --comment "starttls"
-A TCP -p tcp -m tcp --dport 873 -j ACCEPT -m comment --comment "rsync"
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imaps"
-A TCP -p tcp -m tcp --dport 995 -j ACCEPT -m comment --comment "pop3s"

COMMIT
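As an added check (written for this page, not taken from the wiki or from iptables), the following Python script parses the iptables-save format used above and reports which ports the TCP user chain actually exposes and whether the stateful invariants of the design hold: DROP policies on INPUT and FORWARD, a RELATED,ESTABLISHED accept on INPUT, and the INVALID drop placed before the dispatch to the user chains. The function names (parse_rules, open_ports, check_invariants) are my own, and the embedded ruleset is a constructed, abbreviated copy of the file above.

```python
# Added lint for the iptables-save ruleset above; the embedded sample is a constructed, trimmed copy of it.
import shlex

SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
COMMIT
"""

def parse_rules(text):
    """Split iptables-save text into chain policies and tokenised -A rules."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(':'):                 # ':INPUT DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith('-A '):
            rules.append(shlex.split(line)[1:])  # shlex keeps "quoted comments" as one token
    return policies, rules

def arg(rule, flag):
    return rule[rule.index(flag) + 1] if flag in rule else None  # value after --dport, -j, ...

def open_ports(rules, chain='TCP'):
    # Ports the user chain ACCEPTs: the firewall's real exposed TCP surface.
    return sorted({int(arg(r, '--dport')) for r in rules
                   if r[0] == chain and arg(r, '-j') == 'ACCEPT' and arg(r, '--dport')})

def check_invariants(text):
    """Findings against the design above; an empty list means the ruleset conforms."""
    policies, rules = parse_rules(text)
    inp = [r for r in rules if r[0] == 'INPUT']
    pos = lambda pred: next((i for i, r in enumerate(inp) if pred(r)), len(inp))
    invalid = pos(lambda r: arg(r, '--ctstate') == 'INVALID' and arg(r, '-j') == 'DROP')
    dispatch = pos(lambda r: arg(r, '-j') in ('TCP', 'UDP'))   # first jump to a user chain
    checks = [
        (all(policies.get(c) == 'DROP' for c in ('INPUT', 'FORWARD')), 'INPUT/FORWARD policy must be DROP'),
        (pos(lambda r: 'ESTABLISHED' in (arg(r, '--ctstate') or '')) < len(inp), 'no RELATED,ESTABLISHED accept on INPUT'),
        (invalid < dispatch, 'INVALID must be dropped before dispatching to the TCP/UDP chains'),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against the output of `iptables-save` on a host to confirm that the ports it lists are exactly the ones you intended to open.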