Basic and simple iptables configurations for home users

OpenBSD has always been my preferred distribution when I have to set up a firewall on a *NIX machine; its PF rules are what I am used to seeing. But last year I had to write several configurations for a Debian machine using iptables, which I am not really used to. Since I tend to forget these things, I paste a basic configuration here; if you want to use it, paste it into your preferred startup script.

Please note that these iptables scripts are intended to set up a FIREWALL that sits in the middle of the traffic. If you want to use these rules on the machines that provide the services themselves, replace the FORWARD rules with INPUT rules.

Configuration 1: Basic firewall accepting web, ssh and ftp

This configuration should be put on a machine that sits between the machines that provide those services (WEB, SSH, FTP) and the Internet.

# DELETE tables
iptables -F
iptables -X

# default policies (Deny by default)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Accept loopback
iptables -A INPUT -i lo -j ACCEPT

# Keep state for already established traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allowed services (web, ssh, ftp, icmp).
# Note that we FORWARD packets; this means that the services are not on the current machine.
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

# Pings to firewall:
iptables -A INPUT -p icmp -j ACCEPT

Configuration 2: Only pings to firewall

# delete tables
iptables -F
iptables -X

# default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Keep state for already established traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Pings to firewall:
iptables -A INPUT -p icmp -j ACCEPT

Configuration 3: Scripts for the machine that runs the services

This script is for the machines that run the services, not for a firewall in between. Note that the service rules use INPUT instead of FORWARD.

# delete tables
iptables -F
iptables -X

# default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Accept loopback
iptables -A INPUT -i lo -j ACCEPT

# Keep state for already established traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allowed services (ssh,web):
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Pings to machine:
iptables -A INPUT -p icmp -j ACCEPT
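As an added example that is not part of the original post, the following POSIX shell function generates either rule set from a role and a port list, so the FORWARD-versus-INPUT difference between the firewall script and the service-host script lives in one place. The nf_conntrack_ftp line is my addition (assumption: a Linux box where the FTP conntrack helper module is available), because port 21 alone only opens the FTP control connection.

```shell
#!/bin/sh
# Added example: build the rule set for either role the post describes.
#   firewall -> services sit behind this box, so service rules go in FORWARD
#   host     -> services run on this box, so service rules go in INPUT
# Usage: gen_rules ROLE PORT [PORT...]  (prints the commands; run as root
#        with `gen_rules host 22 80 | sh` to apply them)
gen_rules() {
    role=$1; shift
    case "$role" in
        firewall) chain=FORWARD ;;
        host)     chain=INPUT ;;
        *) echo "usage: gen_rules firewall|host PORT..." >&2; return 1 ;;
    esac
    # Refuse anything that is not a plain TCP port number in range
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    done
    # Port 21 only opens the FTP control connection; the data connection is
    # accepted by the RELATED match below, which needs the FTP conntrack
    # helper loaded (assumption: the module exists on this kernel).
    case " $* " in
        *' 21 '*) echo 'modprobe nf_conntrack_ftp' ;;
    esac
    # Flush, then deny by default (same policies as the post)
    printf '%s\n' \
        'iptables -F' \
        'iptables -X' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT ACCEPT' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        printf 'iptables -A %s -p tcp --dport %s -j ACCEPT\n' "$chain" "$port"
    done
    # The firewall role also passes ICMP through to the service hosts
    [ "$chain" = FORWARD ] && echo 'iptables -A FORWARD -p icmp -j ACCEPT'
    # Pings to the box itself always land in INPUT, whatever the role
    echo 'iptables -A INPUT -p icmp -j ACCEPT'
}
```

Printing the commands instead of running them lets you review the generated rule set before it touches a live box.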