Basic and simple iptables configurations for home users
OpenBSD has always been my preferred distribution when I have to install a firewall on a *NIX machine; PF rules are what I am used to seeing. But last year I had to write several configurations for a Debian machine using iptables, which I am not really used to. Since I tend to forget these things, I paste a basic configuration here; if you want to use it, paste it into your preferred startup script.
Please note that these iptables scripts are intended to set up a FIREWALL that sits in the middle of the traffic. If you want to use these rules on the machines that provide the services themselves, replace the FORWARD rules with INPUT rules.
Configuration 1: Basic firewall accepting web, ssh and ftp
This configuration should be put on a machine that sits between the machines providing those services (WEB, SSH, FTP) and the Internet.
# Flush all rules in the filter table and delete user-defined chains
iptables -F
iptables -X
# Default policies (deny by default; the firewall's own outbound traffic is allowed)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept loopback
iptables -A INPUT -i lo -j ACCEPT
# Keep state for already established traffic passing through the firewall
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allowed services (web, ssh, ftp, icmp).
# Note that we FORWARD packets: the services are not on the current machine.
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
# Pings to the firewall itself:
iptables -A INPUT -p icmp -j ACCEPT
Configuration 2: Only pings to the firewall
# Flush all rules in the filter table and delete user-defined chains
iptables -F
iptables -X
# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Keep state for already established traffic passing through the firewall
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Pings to the firewall itself:
iptables -A INPUT -p icmp -j ACCEPT
Configuration 3: Script for the machine that runs the services
This script is for the machines that run the services, not for a firewall in between. Note that the service rules use INPUT instead of FORWARD.
# Flush all rules in the filter table and delete user-defined chains
iptables -F
iptables -X
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Accept loopback
iptables -A INPUT -i lo -j ACCEPT
# Keep state for already established traffic to this machine
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allowed services (ssh, web):
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Pings to this machine:
iptables -A INPUT -p icmp -j ACCEPT