Firewall

Linux iptables Basic Examples

The following are simple iptables firewalls for linux. I use these as starter firewalls when I setup a machine. I don’t like using iptables-restore. I prefer to simply script the iptables commands that I would type at the command line.

Most of these scripts start by reinitializing iptables, so you will loose any rules, chains, or accounting information that iptables knows about. For example, this deletes any policies, chains, and rules in place.

iptables -P INPUT ACCEPT # open up default policy on built-in chain
iptables -P OUTPUT ACCEPT # open up default policy on built-in chain
iptables -P FORWARD ACCEPT # open up default policy on built-in chain
iptables -F # delete all rules from all chains
iptables -X # delete all user chains (non built-in chains)

Block everything firewall

This blocks everything. You will only be able to access the machine from the console. Don’t do this if you are working remotely because your connection will instantly be dropped. Another way to do this would be to disable the network interface. The advantage of blocking everything with iptables instead of shutting down a network interface is that this leaves the kernel network layer still running. Running apps will not complain about the network being unavailable. This also blocks all network interfaces at once, so if you have a machine with multiple interfaces this will take care of them all.

#!/bin/sh
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Allow everything firewall

This opens up everything. It’s the exact opposite of Block everything. The firewall is still technically running, but every packet is allowed through. This is the safe way to open the firewall without accidentally locking yourself out.

#!/bin/sh

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -F

iptables -X

Minimal emergency firewall

I use this to shut down everything except SSH port 22. This is my panic script. If something seems suspicious then I use this script to put a machine into as safe a state as possible while still allowing remote SSH connections.

Note that a machine with these rules won’t even be visible on the network. If you want to scan it with nmap you will have to use “nmap -P0″ which scans without first checking with ICMP (ping).

#!/bin/sh

# Minimal emergency firewall (block everything except SSH).

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -F

iptables -X

iptables -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT

iptables -P INPUT DROP

iptables -A OUTPUT -p tcp -m tcp –sport 22 -j ACCEPT

iptables -P OUTPUT DROP

Basic firewall init.d script

For my real firewall I use an init.d script. The following init script is based on the scripts given previously. Save this in /etc/init.d/firewall. This includes options to start, stop, or show the status of iptables. The “stop” command doesn’t really stop iptables. It just deletes all firewall rules.

#!/bin/sh

#

# This is a simple iptables firewall script.

# This can be used stand-alone or put in /etc/init.d/firewall.

# This works on both Ubuntu and RedHat systems.

# On Ubuntu, run “update-rc.d firewall defaults” to install this on startup.

# On RedHat, run “chkconfig –add firewall” to install this on startup.

# Note that RedHat has its own iptables init script that needs to be turned

# off if this script is to be used.

#

# Noah Spurrier

# $Id: firewall 100 2007-10-30 23:31:14Z noah $

#

# chkconfig: 2345 08 92

# description: This configures iptables.

#

### BEGIN INIT INFO

# Provides: firewall

# Required-Start: $network $local_fs $remote_fs

# Required-Stop: $network $local_fs $remote_fs

# Default-Start: 2 3 4 5

# Default-Stop: S 0 1 6

# Short-Description: This loads iptables with firewall rules.

# Description: This loads iptables with firewall rules. Placed this in /etc/init.d.

# This isn’t technically a daemon control script.

# This just puts a familiar interface around iptables.

### END INIT INFO

PATH=/usr/sbin:/usr/bin:/sbin:/bin

case “$1″ in

start)

# Flush any old policies and rules.

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -F

iptables -X

# New TCP connections must be SYN packets, else DROP

# iptables -A INPUT -i eth0 -p tcp ! –syn -m state –state NEW -j DROP

iptables -A INPUT -p tcp ! –syn -m state –state NEW -j DROP

# Drop illegal packets

iptables -A INPUT -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP

iptables -A INPUT -p tcp –tcp-flags ALL ALL -j DROP

iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP # NULL packets

iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP

iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

iptables -A INPUT -p tcp –tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

iptables -A INPUT -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

#

# Accept some remote connections.

#

# SSH

iptables -A INPUT -p tcp –dport 22 -j ACCEPT

# HTTP

iptables -A INPUT -p tcp –dport 80 -j ACCEPT

# HTTPS

iptables -A INPUT -p tcp –dport 443 -j ACCEPT

# SMTP

iptables -A INPUT -p tcp –dport 25 -j ACCEPT

# IMAP4 SSL

iptables -A INPUT -p tcp –dport 993 -j ACCEPT

# POP3 SSL

iptables -A INPUT -p tcp –dport 995 -j ACCEPT

# DNS

iptables -A INPUT -p udp –dport 53 -j ACCEPT

iptables -A INPUT -p tcp –dport 53 -j ACCEPT

# VPN

#iptables -A INPUT -i tun+ -j ACCEPT

# # VMware

# iptables -A INPUT -p tcp –dport 902 -j ACCEPT

# # SNMP

# iptables -A FWALL-INPUT-p udp -m udp –dport 161 -j ACCEPT

# iptables -A FWALL-INPUT-p udp -m udp –sport 1023:2999 -j ACCEPT

# VNC — This is normally a bad idea.

#iptables -A INPUT -p tcp –dport 5900 -j ACCEPT # VNC server

#iptables -A INPUT -p tcp –dport 5500 -j ACCEPT # listening client

# A better way to do this is to allow localhost connections and then

# use SSH port tunneling to expose VNC to remote connections.

#iptables -A INPUT -p tcp -s 127.0.0.1 –dport 5900 -j ACCEPT # VNC server

#

# Accept some localhost connections.

#

# BIND RNDC

iptables -A INPUT -p tcp -s 127.0.0.1 –dport 953 -j ACCEPT

# IMAP4

iptables -A INPUT -p tcp -s 127.0.0.1 –dport 143 -j ACCEPT

# POP3

iptables -A INPUT -p tcp -s 127.0.0.1 –dport 110 -j ACCEPT

# MySQL

iptables -A INPUT -p tcp -s 127.0.0.1 –dport 3306 -j ACCEPT

# # PostgreSQL

# iptables -A INPUT -p tcp -s 127.0.0.1 –dport 5432 -j ACCEPT

# # Oracle

# iptables -A INPUT -p tcp -s 127.0.0.1 –dport 1521 -j ACCEPT

# # Oracle TTC

# iptables -A INPUT -p tcp -s 127.0.0.1 –dport 2483 -j ACCEPT

# # Oracle TTC SSL

# iptables -A INPUT -p tcp -s 127.0.0.1 –dport 2484 -j ACCEPT

# # Subversion svnserve (or just use the svn+ssh: URL scheme)

# iptables -A INPUT -p tcp -s 127.0.0.1 –dport 3690 -j ACCEPT

# Allow some ICMP (ping)

# ICMP is low priority so I put this after other rules.

iptables -A INPUT -p icmp –icmp-type 0 -j ACCEPT

iptables -A INPUT -p icmp –icmp-type 3 -j ACCEPT

iptables -A INPUT -p icmp –icmp-type 11 -j ACCEPT

iptables -A INPUT -p icmp –icmp-type 8 -m limit –limit 10/second -j ACCEPT

iptables -A INPUT -p icmp -j DROP

# Match related and established state connections.

# This allows client-side connections such as ftp work properly.

iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

# Default policies to handle everything not covered by a rule.

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

;;

stop)

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -F

iptables -X

;;

status)

iptables -L -v

;;

*)

echo “Usage: $0 {start|stop|status}” >&2

exit 1

;;

esac

exit 0

Funny story

At one time I had an iptables rule on all my machines that limited pings to 1 per second. By default the ping command sends 1 ICMP packet per second. Everything was fine and eventually I forgot about the rule. Months later I noticed that mtr was reporting high packet loss to a machine. A co-worker helped me investigate and the packet loss only got worse. Then the machine would intermittently stop accepting new SSH connections. All outside connections go through a load balancer. The load balancer is setup to probe each cluster and if a machine does not respond to a ping every 10 minutes then the load balancer removes that machine from rotation (even if there is only one machine in a cluster). So as we tried to debug our packet loss with ping and mtr it would cause iptables to block ICMP and if the load balancer happened to be doing a probe then it would take the machine off the network. We thought things were really bad because we couldn’t even connect to the server through through the load balancer interface. Huge packet loss and dropped SSH connections — we were thinking to check for bad cables, bad switch, or a bad load balancer. Then we checked the load balancer logs and saw that it had removed the machine because of failed ping probes. Eventually I tried shutting off iptables and the problem went away. Finally we decided to look at the iptables rules which revealed the rule that was causing all the grief. This will cause apparent packet loss if two engineers both ping at the same time:

iptables -A INPUT -p icmp –icmp-type 8 -m limit –limit 1/second -j ACCEPT

Load firewall on boot

When you shutdown your server all the iptables rules will be lost. You need to run a firewall script every time you boot.

RedHat

For RedHat you need to edit:

/etc/sysconfig/iptables

Don’t confuse this with /etc/sysconfig/iptables-config. Also note that RedHat has a tool called system-security-level that overwrites /etc/sysconfig/iptables, so if you run system-security-level you will loose your changes. You can edit the file manually or you can use system-security-level. Choose one or the other, not both.

You can also setup the firewall the way you want using the iptables command and then save the settings using RedHat’s inti.d script:

/etc/init.d/iptables save

Ubuntu/Debian

For Ubuntu/Debian you can put an init script into /etc/init.d then link to an ‘S’ file in /etc/rc2.d

cp firewall /etc/init.d/firewall

chmod 755 /etc/init.d/firewall

cd /etc/rc2.d/

ln -s ../init.d/firewall S99firewall

Traffic shaping

Most iptables installs come with the “TOS” module (Type Of Service):

iptables -m tos -h

This lets you set priority options for packets.

This is a complex topic. I need to expand this with a simple setup that shows how to boost priority of interactive applications like SSH and possibly HTTP, while lowering priority for everything else. | Gentoo Wiki is one of the better documentation sources I have found.

TCNG seems interesting. I have yet to try it:

http://tcng.sourceforge.net/

I tried this without much luck:

http://lartc.org/howto/lartc.cookbook.ultimate-tc.html#AEN2210

This page also has some notes: http://www.void.gr/kargig/blog/2005/07/27/traffic-shaping-a-dsl-line-with-linux/

Handy commands Ban –

block an annoying machine

This blocks a specific IP address from reaching your server. This is useful if you are getting annoying traffic from another machine and you want to get rid of them. Replace 255.255.255.255 with the IP address you want to drop.

iptables -I INPUT -j DROP -s 255.255.255.255

I set these aliases in my .bash_aliases file (sourced by .bashrc):

alias ban=’iptables -I INPUT -j DROP -s’ alias unban=’iptables -D INPUT -j DROP -s’

A very useful tool to do this automatically is fail2ban.

Show packet and byte counts

This shows the counters for each rule in a chain. This shows the number of packets and bytes that have gone through a specific chain. You can use this to measure traffic.

iptables -L INPUT -v

Source : http://www.noah.org/wiki/index.php/Iptables