Sample Rules for iptables

I have been trying to find a perfect beginner's script for iptables: something to get you started as you customize rules for your own system. I settled on the script below. I have used the long form of the flags to make things more understandable for beginners, and I have added comments to explain the "why", since the rules themselves provide the "how". I assume that there is only one interface, say eth0, so I omit the interface from the rules except in a few places.

# These rules belong to the filter table, so the file starts with *filter
*filter
# I assume (correct me if I am wrong) that the following sets the default
# policy of the INPUT, FORWARD, and OUTPUT chains to ACCEPT. The policy applies
# only to packets that match none of the rules that follow; the [0:0] resets
# the packet and byte counters of each chain.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# We accept everything from the local interface, lo, because
# we want it to work at all times without restrictions
--append INPUT --in-interface lo --jump ACCEPT
# Accept packets that belong to a connection which is already established,
# or that start a new connection related to an established one
# (for example an FTP data channel or an ICMP error message).
# Again, I might have misunderstood the concept of the RELATED state.
--append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
# Port 0 is not a valid source or destination port (I assume), so we drop such packets
--append INPUT --protocol tcp --match tcp --destination-port 0 --jump DROP
--append INPUT --protocol udp --match udp --destination-port 0 --jump DROP
--append INPUT --protocol tcp --match tcp --source-port 0 --jump DROP
--append INPUT --protocol udp --match udp --source-port 0 --jump DROP
#
# This is where you might want to put your customized rules
# <Start Customization>
#
# We want to be able to accept SSH connections from any IP.
# To secure SSH, we can do it within the sshd_config file.
# Of course, if you expect SSH connections from particular IPs only,
# you can restrict here as the first line of defense.
--append INPUT --protocol tcp --match tcp --destination-port 22 --jump ACCEPT
# Personally I don't like everyone to be allowed to ping my servers.
# But certain situations, such as you being on the road a lot of the time,
# may warrant allowing ping from anywhere, as we are doing below
--append INPUT --protocol icmp --match icmp --icmp-type 8 --jump ACCEPT
# If your server runs a SIP application, you may want to allow traffic on port 5060
--append INPUT --protocol udp --match udp --destination-port 5060 --jump ACCEPT
#
#
# <End Customization>
#
#
# All INPUT traffic that does not match the rules above is dropped,
# and so is all forwarded traffic
--append INPUT --jump DROP
--append FORWARD --jump DROP
# Allow all traffic going to the outside world
# because we do not want to block anything in that direction
--append OUTPUT --jump ACCEPT
# COMMIT applies the rules of this table
COMMIT
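
The file above is in the format that iptables-restore reads. A good way to understand what it does is to walk a few packets through the INPUT chain by hand: the first matching rule decides, and only a packet that matches no rule at all falls through to the chain policy. The following simulator does exactly that. It is an added example, not part of the original post and not iptables itself; it understands only the options this ruleset uses, assumes every target (ACCEPT, DROP) is terminal, and takes a packet as a plain dict with constructed field names (iface, proto, dport, sport, state, icmp_type).

```python
"""Walk synthetic packets through an iptables-restore ruleset.

Added example (not part of the original post, not iptables itself): parses
the iptables-restore format used in the post and applies a chain the way
netfilter does, first matching rule decides, else the chain policy applies.
Only the options the post's ruleset uses are understood; targets are assumed
terminal.
"""
import shlex
from dataclasses import dataclass

# The post's ruleset with its comments stripped (iptables-restore format).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
--append INPUT --in-interface lo --jump ACCEPT
--append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
--append INPUT --protocol tcp --match tcp --destination-port 0 --jump DROP
--append INPUT --protocol udp --match udp --destination-port 0 --jump DROP
--append INPUT --protocol tcp --match tcp --source-port 0 --jump DROP
--append INPUT --protocol udp --match udp --source-port 0 --jump DROP
--append INPUT --protocol tcp --match tcp --destination-port 22 --jump ACCEPT
--append INPUT --protocol icmp --match icmp --icmp-type 8 --jump ACCEPT
--append INPUT --protocol udp --match udp --destination-port 5060 --jump ACCEPT
--append INPUT --jump DROP
--append FORWARD --jump DROP
--append OUTPUT --jump ACCEPT
COMMIT
"""

# Long and short spellings of each option map to one (constructed) packet
# field name.  --match/-m only loads a match extension and tests nothing.
OPTIONS = {
    "--in-interface": "iface", "-i": "iface", "--protocol": "proto", "-p": "proto",
    "--state": "state", "--destination-port": "dport", "--dport": "dport",
    "--source-port": "sport", "--sport": "sport", "--icmp-type": "icmp_type",
    "--jump": "target", "-j": "target", "--match": None, "-m": None,
}


@dataclass
class Rule:
    chain: str
    target: str
    conds: dict  # packet field -> required value (a set of names for "state")


def parse_ruleset(text):
    """Return ({chain: policy}, [Rule, ...]) for one table in restore format."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] not in ("--append", "-A"):
            raise ValueError(f"unsupported rule line: {line}")
        conds, target = {}, None
        for opt, value in zip(toks[2::2], toks[3::2]):  # each option takes one value
            if opt not in OPTIONS:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            field = OPTIONS[opt]
            if field is None:
                continue
            if field == "target":
                target = value
            elif field == "state":
                conds[field] = set(value.split(","))
            elif field in ("dport", "sport", "icmp_type"):
                conds[field] = int(value)
            else:
                conds[field] = value
        if target is None:
            raise ValueError(f"rule without --jump: {line}")
        rules.append(Rule(toks[1], target, conds))
    return policies, rules


def matches(rule, pkt):
    """True when every condition of RULE holds for packet PKT (a dict)."""
    for field, want in rule.conds.items():
        have = pkt.get(field)
        if field == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def trace(policies, rules, chain, pkt):
    """Walk CHAIN top to bottom; return (verdict, index of the deciding rule).

    The index is None when no rule matched and the chain policy decided.
    """
    for idx, rule in enumerate(rules):
        if rule.chain == chain and matches(rule, pkt):
            return rule.target, idx
    return policies[chain], None


POLICIES, RULES = parse_ruleset(RULESET)


def decide(chain, pkt):
    """Verdict for a packet entering CHAIN under the post's ruleset."""
    return trace(POLICIES, RULES, chain, pkt)[0]


if __name__ == "__main__":
    # Constructed sample packets; the second is a reply to a connection we opened.
    for name, pkt in {
        "new SSH from eth0": {"iface": "eth0", "proto": "tcp", "dport": 22, "sport": 51000, "state": "NEW"},
        "reply to our HTTP request": {"iface": "eth0", "proto": "tcp", "dport": 51002, "sport": 80, "state": "ESTABLISHED"},
        "source port 0 over lo": {"iface": "lo", "proto": "udp", "dport": 53, "sport": 0, "state": "NEW"},
    }.items():
        print(f"{name:28s} -> {trace(POLICIES, RULES, 'INPUT', pkt)}")
```

Two of the sample packets show why rule order matters: a packet with source port 0 arriving on lo is accepted by the first rule before the port-0 drops are ever consulted, and a reply belonging to an ESTABLISHED connection is accepted by the second rule regardless of its ports. Running this against a modified ruleset is a cheap way to check an edit before loading it with iptables-restore on a host you can only reach over SSH.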

I could not have shared these rules with you without help from Linux Firewalls Using iptables, Netfilter IPTables Mini Howto, Sample iptables ruleset, and Debian wiki on iptables.
