• We had to restore from a backup today after a failed software update. Backup was from 0000 EDT and restored it at 0800 EDT so we lost about 8hrs. Today is 07/20/2024. More info here.

Basic Firewall with iptables

S

steelmanronald06

Guest
This how-to is about making a basic firewall.

1. You will need root priviledges (one way to become root is to run the command su from a terminal and then type the root password).

Now, open the file /etc/rc.d/rc.local in a text editor. Add the text /etc/rc.d/rc.firewall on a new line at the end of the file. Save the file.
Note that this entry makes the firewall start on your computer at boot. If you want to disable the firewall, just remove or comment this line (put a # at the start of the line).

2. Now create a new file called rc.firewall in the /etc/rc.d directory and put the text below
Code:
#!/bin/sh


#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back 
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp


#Allow traffic from ethernet adapter eth1 to pass through if 
#you have a network, or 
#as using linux as a router for internet etc. 
#Your first ethernet card is eth0 and the second would be eth1 etc. 
#$IPTABLES -A INPUT -i eth1 -j ACCEPT


#Allow incoming FTP requests
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in 
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on 
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog


Save the file.

Note
Note that every line that starts with a # is only a comment.


3. Run the command chmod 755 /etc/rc.d/rc.firewall to make the script executable.

4. Run the command /etc/rc.d/rc.firewall to start the firewall.

Remember this firewall is by no means perfect, but it does provide a basic level of protection and make you "stealthed". (Stealthed means that your computer is invisible to most kinds of tests, but again this is not perfect)
 


Personally I use CSF, which I find great for a free firewall. Guess something like this is handy if you want to work from scratch, with no third party software.
 
Very nice tutorial. Thanks for sharing. I was looking for a way to make a firewall on my Mint system, and this looks perfect. Once again, thank you very much for sharing.
 
Very nice! A basic level of protection is always better than not being protected in the first place. At present i use CSF & LFD and they're really performing well.

But a couple of months ago when i was setting up a VPN i had to play around with IPtables and temporarily have CSF disabled to test the VPN's functionality.

I figured that i had to set Pre and Post Routing rules as well as allow IPv4 Forwarding and the routing had to be done via IPtables which i found was very impressive.
 
Firewall is really important when it comes to ensuring security for your computer, but I am still a bit iffy on the topic of iptables. What exactly is it? Is it some sort of firewall software? It is used to enhance the security?
 
Smart :) I need to complete some firewalls on a couple of machines so I will be taking a good look at this.
 
Seems a free tutorial and useful for many of the professionals. Even though, I never tried out to turn on the firewall by typing commands, as such I was in doubt that making the use of a "#" may not create any other request to run rather than that of firewall, as I am a slight weak in linux.
 

Members online


Top