Username/Email:  Password: 
TwitterFacebookFlickrRSS
Home

Mastering IPTables, Part I

Oct 02, 2008  By Elliot Isaacson
 in

Linux comes with a powerful firewall built-in, although the interface can be a little intimidating. This is the first in a multi-part tutorial on how to master basic and not-so-basic IPTables functionality and create the perfect firewall for your home network.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

DROP everything

iWantToKeepAnon's picture
Submitted by iWantToKeepAnon (not verified) on Wed, 04/08/2009 - 18:44.

I even set OUTPUT to drop ... what happens if you get a virus or a worm? (does linux have one of those?)

Or somebody on your network (most likely w/ a windows machine) gets a virus or worm? Those packets might go thru FORWARD but if they somehow hack into your firewall then those packets would be thru OUTPUT.

I go way paranoid on my rules. I set interface names, I allow each protocol out 1 by 1, set expected ip ranges, always tcp reset when I reject, etc.... It may be a pain to setup, but I only do that once; and it protects me better 24x7 IMO.

vim user, set

Anonymous's picture
Submitted by Anonymous (not verified) on Thu, 11/06/2008 - 13:17.

vim user,

set bg=dark

Thanks.

seems like it keeps getting

Anonymous's picture
Submitted by Anonymous (not verified) on Sat, 11/01/2008 - 11:59.

seems like it keeps getting hung up on digg.

Does anyone else have troubles viewing this?

Anonymous's picture
Submitted by Anonymous (not verified) on Tue, 10/28/2008 - 14:23.

I took a snapshot.

http://fayettedigital.com/images/firewall.png

I can't read much of what's on the screen. Red on black is very hard to read and I have no idea what the colors are for the text I can't see. This is a fairly new system with a nvidia card running Ubuntu Hardy to a 20" SGI monitor (hi res). I'm viewing it with Firefox 3.x.

Thanks,
Jim.

Transcript

Elliot Isaacson's picture
Submitted by Elliot Isaacson on Fri, 10/17/2008 - 09:19.

Greetings,

For all future videos I will include links to the transcript and script (if applicable). Here is the transcript and firewall script for this one:

Transcript: http://dark-code.bulix.org/z5svtd-68680?raw
Script: http://dark-code.bulix.org/y8t9ur-68683

These will be available in the video description from now on.

Elliot

Gracias por el post, era muy

Anonymous's picture
Submitted by Anonymous (not verified) on Fri, 10/17/2008 - 05:48.

Gracias por el post, era muy interesante leer

your gay

daddya's picture
Submitted by daddya (not verified) on Thu, 10/16/2008 - 12:12.

your gay

help

Anonymous's picture
Submitted by Anonymous (not verified) on Wed, 10/15/2008 - 07:34.

hi iluv linux "fedore" mainly....!
i dont hav much experience of linux.
if anyone can help me.
i started a wireless isp business and running a "mikrotik AP" router.
my internet connection runs from (PC-1) with DSL & from there link to Linux Server with (Radius Manager) and also Link to the "Mikrotik AP".

My (Mikrotik AP) is already good firewall but thats for blocking my clients, i need advise or help on setting firewall for the othe side (my dsl router) to protect my main pc with windows xp & my linux radius manager pc. (bellow is a my setup connection)

Isp-----windows xp--------radius manager<<<<--->>>>mikrotok<<<<<----->>>>>Wireless Clients

IPTables Part 1

Josh's picture
Submitted by Josh (not verified) on Wed, 10/08/2008 - 11:51.

I was able to copy the script Elliot creates while watching the video. It's not exactly the same, but captures all the same stuff

#!/bin/sh

#locate iptables (this will cause issues if the command fails, but is flexible)
IPT=`which iptables`

#or possibly the following, but on CYGWIN it's not in the right format)
#IPT=`whereis iptables`

#flush iptables
$IPT -F

#-----------------------
# POLICIES
#-----------------------

#
# DEFAULT POLICIES
#-----------------------

#For outbound traffic
$IPT -P OUTPUT ACCEPT
#For inbound traffic
$IPT -P INPUT DROP
#For routed traffic is to drop for now
$IPT -P FORWARD DROP

#
# ALLOWED INBOUND TRAFFIC
#-----------------------------

#ALLOW loopback traffic
$IPT -A INPUT --in-interface lo -j ACCEPT

#ALLOW http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#ALLOW ssh
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#ALLOW Responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

IPTables script

Josh's picture
Submitted by Josh (not verified) on Wed, 10/08/2008 - 12:04.

PS. I did not verify the script works, so don't shoot any flaming arrows my way, but I will update it if I find any

The text in the captured screen in not clear

Anonymous's picture
Submitted by Anonymous (not verified) on Tue, 10/07/2008 - 14:53.

The text in the captured screen in not clear, I can not read it.

Advise: use black background and white foreground, do not use colors.

Shell Script (Text on screen)

Lazydj98's picture
Submitted by Lazydj98 (not verified) on Wed, 10/08/2008 - 11:54.

I recreated the script Elliot used. It's not exactly the same, but has the same functionality

#!/bin/sh

#locate iptables (this will cause issues if the command fails, but is flexible)
IPT=`which iptables`

#or possibly the following, but on CYGWIN it's not in the right format)
#IPT=`whereis iptables`

#flush iptables
$IPT -F

#-----------------------
# POLICIES
#-----------------------

#
# DEFAULT POLICIES
#-----------------------

#For outbound traffic
$IPT -P OUTPUT ACCEPT
#For inbound traffic
$IPT -P INPUT DROP
#For routed traffic is to drop for now
$IPT -P FORWARD DROP

#
# ALLOWED INBOUND TRAFFIC
#-----------------------------

#ALLOW loopback traffic
$IPT -A INPUT --in-interface lo -j ACCEPT

#ALLOW http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#ALLOW ssh
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#ALLOW Responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Fantastic tutorial

Anonymous's picture
Submitted by Anonymous (not verified) on Sat, 10/04/2008 - 12:44.

Well done Elliot. Your timing couldn't have been more perfect. IPTables has always been a pain in the butt to understand. Being able to see and hear someone explain how it works is a great way to learn. I have enjoyed watching the video and will definitely tune in for the next part.

I've just installed a new Linux server at work which acts as our internet gateway via an ADSL router modem. It took me two days to setup the iptable rules and it is finally working (after reading lots of HOWTO docs). Now it will be nice to verify that what I have done is actually correct, and be able to understand all the rules I copied from the HOWTO's. ;-)

As for a transcript.
That would be nice, but I simply did the following. If you use Firefox web browser, simply look in your profile's Cache directory for a 10Mb file. That's the local copy of the video clip you watched. Simply copy it out for archiving purposes and for later enjoyment. :-)

Regards,
- Graeme -

Transcript

RandyKramer's picture
Submitted by RandyKramer (not verified) on Fri, 10/03/2008 - 12:43.

+1

Transcript?

Anonymous's picture
Submitted by Anonymous (not verified) on Thu, 10/02/2008 - 14:10.

It would be nice if there were a transcript to these videos. A transcript can be read in a short amount of time to gain knowledge, or skimmed to see if the material is relevant, or used for later reference, or even used to capture notes so all eyes can be on the viewing.

Thank you.