iptables firewall templates

I use iptables firewalls on every server I administer, including all of our core routers (which run Linux too). There are lots of tools to easily configure a firewall. For simple tasks, Ubuntu now installs ufw by default, which has both command-line and GUI tools. For servers, consider Webmin.

If you want to do something more complicated, or prefer editing iptables rules yourself, you’ll have to do it by hand. When I first started doing this I found a template online and edited it to suit my needs. Over time I’ve learned a lot more about iptables, and my templates have evolved.

Here is a simple basic firewall. The outline is taken from the output of iptables-save, and then hand-edited. I’ve left comments in to explain what each section does.

Edit the last two lines for your specific services, and then save the file as /etc/iptables.up.rules and restore it:

iptables-restore < /etc/iptables.up.rules

The above is a default-deny firewall which allows all outgoing and loopback traffic, but filters incoming connections. This means that anything not specifically allowed will be dropped without notice.

Suppose you want to do this at your router to protect all your servers. Assuming:

  1. The router is the default gateway for both servers
  2. server1 at 192.168.0.100 is a mail server offering SMTP, POP, POP-SSL, IMAP, and IMAP-SSL
  3. server2 at 192.168.0.101 is a web server offering HTTP, HTTPS, and DNS
  4. all servers offer SSH, including the router

For routed (forwarded) traffic, you must use the FORWARD chain. A rule's target need not be ACCEPT or DROP; it can be another named chain, so I recommend creating a chain for each server you want to protect.

It's possible to reduce complexity by putting the common rules in another chain and calling it from both INPUT and FORWARD:
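The router scenario above, written out as an added example (this is not the author's template): one chain per protected server, a common chain called from both INPUT and FORWARD, and a check that every jump target is a declared chain before the file goes to iptables-restore. The LAN interface name eth1, the ICMP echo-request rule and the INVALID drop are my assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not the author's template): build a router ruleset for the
# two-server scenario and sanity-check it before feeding it to iptables-restore.
LAN_IF="eth1"            # assumed LAN-facing interface of the router
SERVER1="192.168.0.100"  # mail server (SMTP, POP, POP-SSL, IMAP, IMAP-SSL)
SERVER2="192.168.0.101"  # web server (HTTP, HTTPS, DNS)

gen_router_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:common - [0:0]
:server1 - [0:0]
:server2 - [0:0]
# Loopback only matters for traffic addressed to the router itself
-A INPUT -i lo -j ACCEPT
# Rules shared by local and routed traffic live in one chain
-A INPUT -j common
-A FORWARD -j common
-A common -m state --state ESTABLISHED,RELATED -j ACCEPT
-A common -m state --state INVALID -j DROP
-A common -p icmp --icmp-type echo-request -j ACCEPT
-A common -p tcp --dport 22 -j ACCEPT
# Servers may open connections outward, but only from the LAN side (address validation)
-A FORWARD -i $LAN_IF -s 192.168.0.0/24 -j ACCEPT
# One chain per protected server, selected by destination address
-A FORWARD -d $SERVER1 -j server1
-A FORWARD -d $SERVER2 -j server2
-A server1 -p tcp -m multiport --dports 25,110,995,143,993 -j ACCEPT
-A server2 -p tcp -m multiport --dports 53,80,443 -j ACCEPT
-A server2 -p udp --dport 53 -j ACCEPT
# Packets that fall off the end of a server chain return to FORWARD and hit its DROP policy
COMMIT
EOF
}

# Every jump target must be a built-in target or a chain declared with ":name";
# iptables-restore rejects the whole file otherwise, so catch it before loading.
undefined_jumps() {
  rules=$(gen_router_rules)
  for t in $(printf '%s\n' "$rules" | sed -n 's/.* -j \([^ ]*\).*/\1/p' | sort -u); do
    case "$t" in ACCEPT|DROP|REJECT|RETURN|LOG) continue ;; esac
    printf '%s\n' "$rules" | grep -q "^:$t " || echo "$t"
  done
}
```

Loading the output (gen_router_rules > /etc/iptables.up.rules, then iptables-restore as in the text) needs root on the router; the generator and the chain check run anywhere.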

Where to save and how to load your rules depends on the distribution. Ubuntu and Debian don't have a standard way to load an iptables ruleset on boot. So I borrowed Webmin's practice of putting a line in /etc/network/interfaces:

Users of RPM-based systems like Fedora, RHEL, and CentOS have it easier. Save your rules in /etc/sysconfig/iptables, and they'll be loaded at boot or whenever you restart networking. However, Red Hat systems come with a simple firewall manager named lokkit, which creates its own unusual chains like "RH-Firewall-1-INPUT". Here is an example from a CentOS 4 server I administer:

You should never expect your hand-edited files to work with a firewall management tool like ufw or lokkit. However, if you are careful to obey the expected format these tools use, you can make small edits by hand while still using the tool. For instance, all of my templates are compatible with Webmin's firewall editor.


  1. odi:

    I suggest the FORWARD table should not do state based filtering. The state is kept on either end of the connection and trying to follow that state in a router in between is futile. Just think what happens on packet loss. Duplicate ACKs or retransmitted packets MUST NOT be dropped by a router, as it can not know if the original packet has reached the destination. The FORWARD table should merely perform access restrictions and address validation. Filtering is the job of the destination.


    1. Tyler Wagner:

      Wrong, and wrong. Filtering is precisely the job of a stateful firewall between the host and attackers. And duplicate ACKs or retransmitted packets will not be dropped by the above firewall – they are recognized by the ESTABLISHED,RELATED rule.
