February 24, 2010
I have been trying to find a perfect beginner’s script for iptables. You know, something to get you started as you customize rules for your own system. I settled on something as below. What I have tried to do is use the longer version of flags to make things more understandable for beginners. I have also tried to provide comments to try to explain the “why” since the rules themselves provide the “how”. I assume that we only have one interface, say eth0, so I omit mentioning the interface, except in a few places.
# Since these rules are for the Filter queue type, we add the following
# I assume (correct me if I am wrong) that the following means
# by default accept everything in the Input, Forward, and Output chains,
# then match the rules that follow
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# We accept everything from the local interface, lo, because
# we want it to work at all times without restrictions
--append INPUT --in-interface lo --jump ACCEPT
# By default, if a connection is already established,
# or a new but similar to an established connection is attempted, we allow it.
# Again, I might have misunderstood the concept of Related state.
--append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
# No source and destination ports may be 0 (I assume). If it is so, we drop it
--append INPUT --protocol tcp --match tcp --destination-port 0 --jump DROP
--append INPUT --protocol udp --match udp --destination-port 0 --jump DROP
--append INPUT --protocol tcp --match tcp --source-port 0 --jump DROP
--append INPUT --protocol udp --match udp --source-port 0 --jump DROP
# This is where you might want to put your customized rules
# <Start Customization>
# We want to be able to accept SSH connections from any IP.
# To secure SSH, we can do it within the sshd_config file.
# Of course, if you expect SSH connections from particular IPs only,
# you can restrict here as the first line of defense.
--append INPUT --protocol tcp --match tcp --destination-port 22 --jump ACCEPT
# Personally I don't like everyone to be allowed to ping my servers.
# But certain situations, such as you being on the road a lot of the time,
# may warrant allowing ping from anywhere, as we are doing below
--append INPUT --protocol icmp --match icmp --icmp-type 8 --jump ACCEPT
# If your server runs a SIP application, you may want to allow traffic on port 5060
--append INPUT --protocol udp --match udp --destination-port 5060 --jump ACCEPT
# <End Customization>
# All traffic which does not match the rules above should be dropped by default
--append INPUT --jump DROP
--append FORWARD --jump DROP
# Allow all traffic going to the outside world
# because we do not want to block anything in that direction
--append OUTPUT --jump ACCEPT
# We save the rules