

IPTables - Basic Firewall

Verify the IPTables package is installed

# Confirm the iptables userspace tools are installed. An "ii" status at the
# start of the output line (as shown below) means the package is installed.
dpkg --list | grep iptables

Returns

ii  iptables                            1.6.0-2ubuntu3                      amd64        administration tools for packet filtering and NAT

Verify the Kernel Module is loaded

# Confirm the core ip_tables kernel module is loaded. The "used by" column of
# the output lists the per-table modules (filter, mangle, nat, raw) on top of it.
lsmod | grep ip_tables

Returns

ip_tables              24576  4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw

Creating iptables rules (run as root; if you are connected over SSH, make sure the SSH allow rule is in place before a DROP policy takes effect, or you will lock yourself out)

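# Run as root. Keep the order below: allow rules first, DROP policies last.
# Setting the DROP policies before any allow rule exists cuts off a remote
# SSH session the moment the first command runs.
#
# These rules live only in the kernel and are lost on reboot; save this file
# as /sharewiz/firewall/firewall.sh so the init script below restores it.

# Flush the chains first so running this script twice does not append a
# second copy of every rule.
iptables -F INPUT
iptables -F OUTPUT

# Loopback traffic, both directions: local services (resolver, databases,
# admin tools) talk over lo.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Block an IP range. Placed before the ESTABLISHED,RELATED rule so a banned
# host cannot keep an already-open connection alive.
iptables -A INPUT -s 192.168.123.0/24 -j DROP

# Packets belonging to a connection that was already accepted. The OUTPUT
# rule is essential: with a DROP policy on OUTPUT and no OUTPUT rules, the
# replies to the SSH connection accepted below are dropped and the host
# becomes unreachable.
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH, only from the management host. Remove "-s 192.168.1.2" to accept SSH
# from anywhere (then at least rate-limit it and disable password logins).
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.2 -j ACCEPT

# Web (uncomment to enable).
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# FTP (uncomment to enable). Only the control port needs a rule: the data
# connection is admitted as RELATED once the FTP conntrack helper is loaded
# (see "Enable kernel modules" below). Active-mode data connections are
# opened by the server *from* port 20, so an INPUT rule with --dport 20
# would never match them.
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# Connections this host originates itself. With OUTPUT set to DROP, anything
# not listed here -- DNS, NTP, package updates -- is blocked. Add what the
# host actually needs, for example:
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Default policies, set last. FORWARD is dropped too: a chain whose policy is
# never set defaults to ACCEPT, and this host is not meant to route traffic
# (remove that line if it does).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP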

Enable kernel modules

FTP negotiates a second, dynamically chosen data connection on its control channel, so the ESTABLISHED,RELATED rule above can only admit it when the FTP connection-tracking helper is loaded. This is only needed if the FTP rules are enabled. The module shows up in lsmod as nf_conntrack_ftp; ip_conntrack_ftp is the older name, which current kernels accept as an alias.

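# Load the FTP conntrack helper so the data connection FTP negotiates is
# classified as RELATED. The module is nf_conntrack_ftp (as lsmod shows
# below); the older name ip_conntrack_ftp is accepted as an alias by
# current kernels.
# NOTE(review): on kernels that still auto-assign helpers
# (sysctl net.netfilter.nf_conntrack_helper=1) the helper inspects every
# connection to port 21; the netfilter project recommends disabling that and
# attaching the helper explicitly with a CT rule in the raw table -- check
# the kernel's default before relying on automatic assignment.
modprobe nf_conntrack_ftp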

Check that the module is loaded

# Confirm the helper is present: nf_conntrack_ftp should appear in the output.
lsmod | grep conntrack

Returns

nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_conntrack_ipv4      16384  84
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_conntrack           16384  81
nf_conntrack          106496  9 nf_nat_ftp,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
x_tables               36864  25 xt_pkttype,ip6table_filter,ip6table_mangle,xt_length,xt_comment,xt_CHECKSUM,xt_recent,ip_tables,xt_tcpudp,xt_string,ipt_MASQUERADE,xt_limit,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,ebtables,ipt_REJECT,iptable_mangle,ip6_tables,xt_addrtype,iptable_raw

Set up an init script. It expects the rules above saved as an executable script at /sharewiz/firewall/firewall.sh.

/etc/init.d/firewall-sharewiz
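#!/bin/bash
#
# Start and stop the Firewall.
#
# "start" and "restart|reload" run the rules script named in RULES (the rules
# from this page, saved as an executable file). "stop" flushes every table
# and leaves all built-in chains at ACCEPT.
#
# WARNING: "stop" fails OPEN -- the host is left with no packet filtering.
# "restart" passes through that open state while the rules reload and stays
# open if the rules script fails; the exit status reports the failure.
#
# Modify the following settings as required:

### BEGIN INIT INFO
# Provides:          firewall-sharewiz
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

set -u

IPTABLES=/sbin/iptables
NAME=firewall-sharewiz
# Script that installs the rule set. It runs with root privileges, so it must
# be owned by root and writable by nobody else.
RULES=/sharewiz/firewall/firewall.sh

# Reset the filter, nat and mangle tables to an empty, accept-everything
# state. Policies are switched to ACCEPT before the flush so there is no
# window in which a DROP policy with no allow rules blackholes the host.
# User-defined chains are deleted as well (-X): a plain flush keeps them,
# and a rules script that creates its own chains would then fail on reload.
open_firewall() {
    local table
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -t nat -P PREROUTING ACCEPT
    "$IPTABLES" -t nat -P POSTROUTING ACCEPT
    "$IPTABLES" -t nat -P OUTPUT ACCEPT
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F
        "$IPTABLES" -t "$table" -X
    done
}

# Install the rule set. Returns non-zero (and says why) when the script is
# missing or not executable, so a failed start is visible to the caller
# instead of silently leaving the host unfiltered.
load_rules() {
    if [ ! -x "$RULES" ]; then
        echo "$NAME: rules script $RULES is missing or not executable" >&2
        return 1
    fi
    "$RULES"
}

# Print the rules of every table. -n skips reverse-DNS lookups, which stall
# when the OUTPUT policy drops DNS; -v adds counters and interfaces.
show_rules() {
    local table
    for table in filter nat mangle; do
        echo "### table: $table"
        "$IPTABLES" -t "$table" -L -n -v --line-numbers
    done
}

case "${1:-}" in
    start)
        load_rules
        ;;
    stop)
        open_firewall
        ;;
    restart|reload)
        open_firewall
        load_rules
        ;;
    status)
        show_rules
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}" >&2
        exit 1
        ;;
esac

# Propagate the status of the action that ran (non-zero if the rules script
# failed), so the init system and the operator can see it.
exit $?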

Set permissions

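# The init system runs this script as root, so make sure root owns it and
# nobody else can modify it (755: owner read/write/execute, others read/execute).
chown root:root /etc/init.d/firewall-sharewiz
chmod 755 /etc/init.d/firewall-sharewiz
# Register the script for the runlevels in its LSB header so the firewall
# comes up at boot; without this it only runs when started by hand.
update-rc.d firewall-sharewiz defaults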
