
Basic Linux firewall

Starting on a new Gentoo box, I was putting together a new firewall setup, and I thought I'd put my hacked down firewall setup script here so I'll have something to start with next time. I used to try some of the other "higher level" tools to generate my firewall, but eventually they all got on my nerves. It was worth it, finally, to sit down for a couple of hours and understand what iptables does. In a lot of ways I prefer it to the Solaris ipf firewall tools now, but that is just personal preference, they are both very capable. I am hardly an expert on either one (or firewalls in general), but they can be useful tools, and provide some peace of mind. I also use this in conjunction with TCP wrappers (/etc/hosts.allow and /etc/hosts.deny).

EDIT: The original script has been modified below. The iptables developers changed state tracking for established connections to use the "conntrack" module (-m conntrack --ctstate) instead of the older "state" module, so I've updated what I use by default. I'd rather not lead anyone astray if they find this old entry, nor confuse myself the next time I need to do this.

Anyway, here is a very basic firewall setup script:

#!/bin/sh

# Flush all the rules
/sbin/iptables -F

# Set the default policy for inbound/forwarded/outbound traffic.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Accept anything on loopback interface.
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept traffic from this box to its own IP (e.g. 192.168.1.1).
# Note that this matches on the source address alone, so a packet that
# arrives on an external interface with a forged source of 192.168.1.1
# matches too. Traffic a Linux box sends to one of its own addresses
# normally goes over lo and is already covered by the rule above, so you
# can usually drop this rule or pin it to an interface with -i.
/sbin/iptables -A INPUT -s 192.168.1.1/32 -j ACCEPT

# Allow state tracking.
#/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept incoming SSH connections.
# You may want to add some source (-s) addresses to this one, depending on
# your security policy.
/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Accept incoming connections from 192.168.1.0/24 to http/https.
/sbin/iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport http -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport https -j ACCEPT

# Display all your rules.
/sbin/iptables -L -v -n --line-numbers

# IPv6 example - most people should not need this today, but I use IPv6 networking
# internally just for fun.
/sbin/ip6tables -F

/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P FORWARD DROP
/sbin/ip6tables -P OUTPUT ACCEPT

/sbin/ip6tables -A INPUT -i lo -s ::1/128 -j ACCEPT
# This address is specific to my host. Get your own. This prefix is for autoconfig anyway.
/sbin/ip6tables -A INPUT -s fe80::4a5b:39ff:fe67:9b7/128 -d fe80::4a5b:39ff:fe67:9b7/128 -j ACCEPT

#/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

/sbin/ip6tables -A INPUT -p tcp --dport ssh -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport http -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport https -j ACCEPT

/sbin/ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

/sbin/ip6tables -L -v -n --line-numbers

After you run the script, the rules will be installed. You have to be careful if you're doing this on a box you can't get into via other means (iLO, DRAC, physical console). When testing remotely I sometimes run this with a script in cron to clear all the rules.

A cron entry like this will reset the rules on the quarter hour, in case you get locked out:

0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset

And /root/firewall_reset contains:

*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

Once you are satisfied with your firewall, you can save the rules with:

/etc/init.d/iptables save
/etc/init.d/ip6tables save

Obviously, make sure you disable the cron job above.
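The cron-based reset above works, but it is coarse: it also wipes rules you did want, every fifteen minutes, until you remember to remove the entry. As an added example (my own, not part of the original post or its script), here is the same policy expressed in iptables-restore format with a built-in safety net: the current rules are saved, the new set is syntax-checked and loaded in one transaction, and a background timer puts the old rules back unless you confirm within two minutes. The LAN range 192.168.1.0/24, the file paths and the two-minute window are assumptions; the rate-limited LOG rule at the end is an addition so dropped packets show up in the kernel log.

```shell
#!/bin/sh
# Added example, not the original post's script. Builds the post's policy in
# iptables-restore format, applies it atomically and arms a timed rollback.
# Assumed values (not from the post): LAN range, file paths, rollback window.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PREV_RULES="${PREV_RULES:-/root/firewall_prev.rules}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/run/firewall_rollback.pid}"

# Emit the ruleset. iptables-restore loads a whole table in one transaction,
# so there is no moment where the policy is already DROP but the
# ESTABLISHED,RELATED rule is not yet present (the -F / -P / -A sequence in
# a plain script has that moment; TCP retransmits usually ride it out).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $LAN_NET --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $LAN_NET --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# Offline sanity check before anything touches the kernel: the table must
# end with COMMIT, and an INPUT chain with a DROP policy must keep the
# state-tracking rule, or replies to your own SSH session get dropped.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^COMMIT$' \
        || { echo "ruleset: missing COMMIT" >&2; return 1; }
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' \
            || { echo "ruleset: INPUT policy DROP without state tracking" >&2; return 1; }
    fi
    return 0
}

# Save the running rules, parse-check the new ones (--test), load them, and
# arm a rollback. Run 'confirm' within ROLLBACK_SECS or the old rules return.
apply_with_rollback() {
    rules="$(build_ruleset)"
    check_ruleset "$rules" || return 1
    /sbin/iptables-save > "$PREV_RULES" || return 1
    printf '%s\n' "$rules" | /sbin/iptables-restore --test || return 1
    printf '%s\n' "$rules" | /sbin/iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS" && /sbin/iptables-restore < "$PREV_RULES" ) &
    echo $! > "$ROLLBACK_PID_FILE"
    echo "rules loaded; run '$0 confirm' within ${ROLLBACK_SECS}s or they roll back"
}

# Disarm the rollback once you have verified a fresh login still works.
confirm_rules() {
    [ -f "$ROLLBACK_PID_FILE" ] || { echo "no rollback armed" >&2; return 1; }
    kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null
    rm -f "$ROLLBACK_PID_FILE"
    echo "rollback disarmed; rules are now permanent for this boot"
}

case "${1:-}" in
    print)   build_ruleset ;;
    check)   check_ruleset "$(build_ruleset)" && echo "ruleset looks sane" ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
esac
```

Usage: run it with `print` to see the ruleset, `check` to validate it offline, `apply` from your existing session, then open a second SSH session and, once that works, run `confirm` from it. If the second session cannot connect, do nothing: the timer restores the previous rules on its own. After confirming, persist the rules with the Gentoo init script `save` commands above as usual.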

© Scott McClung. Built using Pelican. Theme by Giulio Fidente on github.