Firewalls
- concepts:
- connection tracking;
- connection state;
- tables;
- chains;
- default policy;
- interfaces;
- actions;
- matching modules.
Firewall front-ends
Iptables examples
Strict firewall
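#!/usr/bin/env bash
# Strict host firewall.
#
# Everything is dropped by default. The only traffic accepted is:
#   - packets belonging to a connection that is already ESTABLISHED or RELATED,
#   - anything on the loopback interface,
#   - any NEW outgoing connection on the external interface,
#   - NEW inbound TCP connections to the SSH port on the external interface.
#
# Environment (all optional):
#   WAN_IF   - external interface the rules are bound to (default: eth0)
#   SSH_PORT - TCP port accepted for new inbound connections (default: 22)
#
# Must run as root. With `set -e` any failing iptables command aborts the
# script instead of leaving a half-applied rule set unnoticed.
set -euo pipefail

readonly WAN_IF=${WAN_IF:-eth0}
readonly SSH_PORT=${SSH_PORT:-22}

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"

# Loading modules. They may already be built into the kernel, so a failed
# modprobe is reported rather than treated as fatal; iptables itself will
# fail below if the tables are genuinely unavailable.
for mod in ip_tables iptable_filter iptable_nat; do
  modprobe "$mod" || printf 'warning: could not load module %s\n' "$mod" >&2
done

# Resetting filter table. The DROP policies are set right after the flush so
# the host never sits with an empty, fail-open rule set.
iptables --table filter --flush
iptables --table filter --delete-chain
iptables --table filter --zero
iptables --table filter --policy INPUT DROP
iptables --table filter --policy OUTPUT DROP
iptables --table filter --policy FORWARD DROP

# Resetting nat table. No NAT rules are added on a plain host; the built-in
# nat chains stay ACCEPT so conntrack works unchanged.
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --zero
iptables --table nat --policy PREROUTING ACCEPT
iptables --table nat --policy POSTROUTING ACCEPT
iptables --table nat --policy OUTPUT ACCEPT

# Configuring filter table
## Allowing established: existing conversations keep flowing in both directions.
iptables --table filter --append INPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state ESTABLISHED --jump ACCEPT
## Allowing related (e.g. ICMP errors and helper-tracked data channels tied to
## an existing connection).
iptables --table filter --append INPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state RELATED --jump ACCEPT
## Allowing loopback: local services talking to each other.
iptables --table filter --append INPUT --in-interface lo --match state --state NEW --jump ACCEPT
iptables --table filter --append OUTPUT --out-interface lo --match state --state NEW --jump ACCEPT
## Allowing outgoing: any new connection initiated by this host on the
## external interface.
iptables --table filter --append OUTPUT --out-interface "$WAN_IF" --match state --state NEW --jump ACCEPT
## Allowing incoming: only new TCP connections to the SSH port, and only on
## the external interface. Every other inbound packet hits the DROP policy.
iptables --table filter --append INPUT --in-interface "$WAN_IF" --protocol tcp --destination-port "$SSH_PORT" --match state --state NEW --jump ACCEPT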
Simple router + NAT firewall
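#!/usr/bin/env bash
# Simple router + NAT firewall.
#
# The host forwards traffic and rewrites (SNAT) packets from the LAN network
# to a fixed public address on the external interface. Traffic to the router
# itself is limited to established/related connections, loopback, new SSH on
# the external interface, and new connections from one allow-listed MAC.
#
# Environment (all optional):
#   WAN_IF      - external interface (default: eth0)
#   SSH_PORT    - TCP port accepted for new inbound connections (default: 22)
#   ALLOWED_MAC - source MAC whose new INPUT/FORWARD traffic is accepted;
#                 the default is the xx:xx:xx:xx:xx:xx placeholder and must
#                 be replaced before the script will run
#   LAN_NET     - source network that is SNATed (default: 192.168.1.0/24)
#   SNAT_IP     - address LAN traffic is rewritten to (default: 100.100.100.100)
#
# Must run as root. With `set -e` any failing iptables command aborts the
# script instead of leaving a half-applied rule set unnoticed.
set -euo pipefail

readonly WAN_IF=${WAN_IF:-eth0}
readonly SSH_PORT=${SSH_PORT:-22}
readonly ALLOWED_MAC=${ALLOWED_MAC:-xx:xx:xx:xx:xx:xx}
readonly LAN_NET=${LAN_NET:-192.168.1.0/24}
readonly SNAT_IP=${SNAT_IP:-100.100.100.100}

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"
# Fail before touching any table: iptables would reject the placeholder MAC
# later, after the DROP policies are already in place.
[[ "$ALLOWED_MAC" != xx:xx:xx:xx:xx:xx ]] || die "ALLOWED_MAC is still the placeholder; set it to the real MAC address"

# The kernel does not forward between interfaces by default; without this the
# FORWARD rules and the SNAT rule below never see any traffic.
sysctl -w net.ipv4.ip_forward=1 >/dev/null

# Resetting filter table. The DROP policies are set right after the flush so
# the router never sits with an empty, fail-open rule set.
iptables --table filter --flush
iptables --table filter --delete-chain
iptables --table filter --zero
iptables --table filter --policy INPUT DROP
iptables --table filter --policy OUTPUT DROP
iptables --table filter --policy FORWARD DROP

# Resetting nat table
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --zero
iptables --table nat --policy PREROUTING ACCEPT
iptables --table nat --policy POSTROUTING ACCEPT
iptables --table nat --policy OUTPUT ACCEPT

# Established/related traffic is accepted in every chain, including FORWARD,
# so replies to NATed connections flow back through the router.
iptables --table filter --append INPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append INPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append FORWARD --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append FORWARD --match state --state RELATED --jump ACCEPT

# Loopback
iptables --table filter --append INPUT --match state --state NEW --in-interface lo --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state NEW --out-interface lo --jump ACCEPT

# New connections to the router itself: SSH on the external interface, plus
# anything from the allow-listed MAC.
iptables --table filter --append INPUT --match state --state NEW --in-interface "$WAN_IF" --protocol tcp --destination-port "$SSH_PORT" --jump ACCEPT
# The mac match only compares the source address of the Ethernet frame on the
# directly attached segment (MACs do not survive routing) and a sender can set
# its MAC freely, so this is a convenience allow-list, not authentication.
iptables --table filter --append INPUT --match state --state NEW --in-interface "$WAN_IF" --match mac --mac-source "$ALLOWED_MAC" --jump ACCEPT

# New connections initiated by the router on the external interface.
iptables --table filter --append OUTPUT --match state --state NEW --out-interface "$WAN_IF" --jump ACCEPT

# New forwarded connections: only frames arriving on the external interface
# from the allow-listed MAC (same caveat as the INPUT rule above).
# NOTE(review): no rule accepts NEW forwarded traffic arriving from any other
# interface, so hosts in LAN_NET can only reach the SNAT rule if they are
# attached on WAN_IF — confirm this matches the intended topology.
iptables --table filter --append FORWARD --match state --state NEW --in-interface "$WAN_IF" --match mac --mac-source "$ALLOWED_MAC" --jump ACCEPT

# Rewrite the source of LAN traffic leaving the external interface to the
# fixed public address.
iptables --table nat --append POSTROUTING --out-interface "$WAN_IF" --source "$LAN_NET" --jump SNAT --to-source "$SNAT_IP"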