townx - Simple firewall for Ubuntu using iptables - Comments

Steve

Steve — Mon, 21 Nov 2011 20:27:08 -0600

I think it is related to the network card that I have. I try your script which I thought it got something to do with my error, but still fail. Thank you.

Steve

Steve — Thu, 17 Nov 2011 22:57:44 -0600

I think this is nice. I try your script which I thought it got something to do with my error, but still fail. Thank you for you iptables script. I have used your script every time I format my Linux machines. Its very handy.

Your iptables script

James — Fri, 06 Aug 2010 02:50:30 -0500

Thanks for your script, very nice. I especially like the part about update-rc.d. Your iptables script and the info on update-rc.d has given me a starting point and inspired me to delve deeper into iptables and start-up procedures in general.

All the best,
James

Hi,I have some problems

Guest — Sun, 01 Aug 2010 03:45:59 -0500

Hi,I have some problems about iptables rules under Ubuntu .
Is it necessary to create some script llike before to build the firewall,Will the rules got lost when I restart the server.

I create a simple firewall with the function of NAT,then restart the server.
type commands below in the terminal:
iptables -L -v

But display nothing.
And it seemd that the NAT function and the rules made last time are still available to use.

Hoping for your email.
Thanks.

That might be the case now

elliot — Fri, 23 Apr 2010 17:21:53 -0500

That might be the case now (I notice Fedora now comes with default firewall rules, which I'm pretty sure it never used to). It wasn't the case on Ubuntu a few years ago when I wrote this article, however.

Time passes, things change :)

Is this necessary?

Ian — Thu, 22 Apr 2010 12:46:00 -0500

As far as I was aware, the default ubuntu firewall rules block all unsolicited incoming traffic.

What does this do that is not already happening?

Or am I missing something obvious?

My example got formatted

Guest — Fri, 05 Mar 2010 22:55:14 -0600

My example got formatted queerly. The 1's are actually script comments. Cheers!

This worked perfectly for my

Guest — Fri, 05 Mar 2010 22:51:27 -0600

This worked perfectly for my needs. Thanks!

For those who want to ACCEPT specific ports for services like HTTPD, be sure to put those rules before the DROP rules. I fiddled with this for an hour before I figured out that the first rule that matches is the one that gets applied.

eg.

Allow specific TCP inputs
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT # http

iptables -A INPUT -i eth1 -p tcp --dport 3306 -s 10.176.84.219 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3306 -s 10.176.85.10 -j ACCEPT

drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP

I was once try out the

WeightLoss Coach — Sat, 07 Feb 2009 10:39:14 -0600

I was once try out the ubuntu, but end up keep getting error on the eth0, in which I think it is related to the network card that I have. I try your script which I thought it got something to do with my error, but still fail. Would a firewall cause my eth0(network card) to have such error? I've tried changed few cards which is still the same.

firewall init.d script

Guest — Mon, 05 Jan 2009 16:57:46 -0600

if you change the POLICIES to DROP and run the init.d script with anything other than a "start" argument, you will flush your rules, but since the policy is DROP , you will not be able to access

Thanks. That does look like

elliot — Tue, 21 Oct 2008 13:26:59 -0500

Thanks. That does look like an improvement. Like I said in the post, I'm not really an iptables expert!

Ooops! Forgot the LocalHost...

Lifenstein — Sun, 19 Oct 2008 18:03:15 -0500

iptables -A INPUT -i lo -j ACCEPT

Simpler Alternative (?)

Lifenstein — Sun, 19 Oct 2008 17:48:21 -0500

For a personal home computer (running no services for the outside world), here is a simpler version :

#!/bin/bash
############################################################
#---- Script to setup a simple firewall using iptables -----
###
# * Blocks all incoming connections, except those opened by
# me, or related to already open connections
# * Blocks all forward requests
# * Allows all outgoing connections
###
############################################################

# Clearing all previous rules
iptables -F
# Setting Default Policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allowing already-established and related-incoming connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Only if you're running a web

elliot — Sat, 02 Aug 2008 15:40:41 -0500

Only if you're running a web server :)

firewall

Guest — Thu, 08 May 2008 03:01:53 -0500

Hi,
Great script - I've used it as the starter for my setup.

ShieldsUP notes that your script shows ports 0 and 1 as closed rather than in stealth mode, and also doesn't drop ICMP packets - meaning that if the machines are directly attached to the internet via ppp, or with an ADSL modem with no firewall, then they can be discovered.

Also your script doesn't handle dialup connections.

The following changes mitigates against these:

drop everything else on ppp
iptables -A INPUT -i ppp+ -p udp -j DROP
iptables -A INPUT -i ppp+ -p tcp -m tcp --syn -j DROP
iptables -A INPUT -i ppp+ -p icmp -j DROP
Explcitly deal with port 0
iptables -A INPUT -j DROP -p tcp --sport 0
iptables -A INPUT -j DROP -p udp --sport 0
iptables -A INPUT -j DROP -p tcp --dport 0
iptables -A INPUT -j DROP -p udp --dport 0
Explcitly deal with port 1
iptables -A INPUT -j DROP -p tcp --sport 1
iptables -A INPUT -j DROP -p udp --sport 1
iptables -A INPUT -j DROP -p tcp --dport 1
iptables -A INPUT -j DROP -p udp --dport 1

regards

Colin

Simple firewall for Ubuntu using iptables

elliot — Wed, 05 Apr 2006 09:36:10 -0500

Linux's built-in firewall iptables is very useful, but pretty hard to configure. I used to use lokkit, but this caused problems when moving between different networks. I was also having problems with the network configuration tools in Ubuntu, which work but aren't automatic enough for me. And I wanted to be able to switch the firewall and the network configuration simultaneously.

In the end, I bit the bullet and worked out how to write a simple iptables script. Here it is:

#!/bin/bash
# flush all chains
iptables -F
# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

I have network interfaces on eth0 and eth1, so this script has rules which cover both; if your interfaces have different names, you will need to edit the rules to cover that. This drops everything incoming, except for connections which were initially established by my outgoing packets (thanks Luke! - see comments); which means it's no good for servers.

I put this script in /opt/scripts/iptables.script and made it executable. Once you run it, you can find out whether it has worked by displaying your current iptables rules with:

sudo iptables -L -v

I then created a simple init script to start/stop the firewall (in /etc/init.d/firewall):

#!/bin/bash
if [[ $1 == start ]] ; then
  sudo /opt/scripts/iptables.script
else
  sudo iptables -F
fi

Then I symlinked this into my /etc/rc.* directories using the update-rc.d tool, so the firewall starts before the network comes up:

update-rc.d firewall start 20 2 3 4 5 . stop 99 0 1 6 .

I find having this script helps me a lot. I have it integrated with a start/stop script with my network, so I can easily switch network and firewall configuration from the command line.