Mastering IPTables, Part I
October 2nd, 2008 by Elliot Isaacson in
Linux comes with a powerful firewall built-in, although the interface can be a little intimidating. This is the first in a multi-part tutorial on how to master basic and not-so-basic IPTables functionality and create the perfect firewall for your home network.
__________________________
Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Delicious
Digg
StumbleUpon
Reddit
Facebook
Post to TwitterSubscribe now!
The Latest
Newsletter
Tech Tip Videos
Recently Popular
From the Magazine
July 2009, #183
News Flash: Linux Kernel 3.0 to include an on-the-go Expresso machine interface! Ok, maybe not, but Linux is definitely going mobile, from phones to e-readers. Find out more inside about Android, the Kindle 2, the Western Digital MyBook II, The Bug, and Indamixx (a portable recording studio). And if you've gone mobile and you been wanting more Emacs in your life then check out Conkeror.
To compliment the mobile we've got the stationary: parsing command line options with getopt, checking your Ruby code with metric_fu, and building a secure Squid proxy. How is this stationary you ask? What can we say? It's not. We just wanted to see if anybody actually read this part of the page :) .
All this and more, and all you have to do is get your hot sweaty hands on the latest copy of Linux Journal.
DROP everything
On April 8th, 2009 iWantToKeepAnon (not verified) says:
I even set OUTPUT to drop ... what happens if you get a virus or a worm? (does linux have one of those?)
Or somebody on your network (most likely w/ a windows machine) gets a virus or worm? Those packets might go thru FORWARD but if they somehow hack into your firewall then those packets would be thru OUTPUT.
I go way paranoid on my rules. I set interface names, I allow each protocol out 1 by 1, set expected ip ranges, always tcp reset when I reject, etc.... It may be a pain to setup, but I only do that once; and it protects me better 24x7 IMO.
vim user, set
On November 6th, 2008 Anonymous (not verified) says:
vim user,
set bg=dark
Thanks.
seems like it keeps getting
On November 1st, 2008 Anonymous (not verified) says:
seems like it keeps getting hung up on digg.
Does anyone else have troubles viewing this?
On October 28th, 2008 Anonymous (not verified) says:
I took a snapshot.
http://fayettedigital.com/images/firewall.png
I can't read much of what's on the screen. Red on black is very hard to read and I have no idea what the colors are for the text I can't see. This is a fairly new system with a nvidia card running Ubuntu Hardy to a 20" SGI monitor (hi res). I'm viewing it with Firefox 3.x.
Thanks,
Jim.
Transcript
On October 17th, 2008 Elliot Isaacson says:
Greetings,
For all future videos I will include links to the transcript and script (if applicable). Here is the transcript and firewall script for this one:
Transcript: http://dark-code.bulix.org/z5svtd-68680?raw
Script: http://dark-code.bulix.org/y8t9ur-68683
These will be available in the video description from now on.
Elliot
Gracias por el post, era muy
On October 17th, 2008 Anonymous (not verified) says:
Gracias por el post, era muy interesante leer
your gay
On October 16th, 2008 daddya (not verified) says:
your gay
help
On October 15th, 2008 Anonymous (not verified) says:
hi iluv linux "fedore" mainly....!
i dont hav much experience of linux.
if anyone can help me.
i started a wireless isp business and running a "mikrotik AP" router.
my internet connection runs from (PC-1) with DSL & from there link to Linux Server with (Radius Manager) and also Link to the "Mikrotik AP".
My (Mikrotik AP) is already good firewall but thats for blocking my clients, i need advise or help on setting firewall for the othe side (my dsl router) to protect my main pc with windows xp & my linux radius manager pc. (bellow is a my setup connection)
Isp-----windows xp--------radius manager<<<<--->>>>mikrotok<<<<<----->>>>>Wireless Clients
IPTables Part 1
On October 8th, 2008 Josh (not verified) says:
I was able to copy the script Elliot creates while watching the video. It's not exactly the same, but captures all the same stuff
#!/bin/sh
#locate iptables (this will cause issues if the command fails, but is flexible)
IPT=`which iptables`
#or possibly the following, but on CYGWIN it's not in the right format)
#IPT=`whereis iptables`
#flush iptables
$IPT -F
#-----------------------
# POLICIES
#-----------------------
#
# DEFAULT POLICIES
#-----------------------
#For outbound traffic
$IPT -P OUTPUT ACCEPT
#For inbound traffic
$IPT -P INPUT DROP
#For routed traffic is to drop for now
$IPT -P FORWARD DROP
#
# ALLOWED INBOUND TRAFFIC
#-----------------------------
#ALLOW loopback traffic
$IPT -A INPUT --in-interface lo -j ACCEPT
#ALLOW http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#ALLOW ssh
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#ALLOW Responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
IPTables script
On October 8th, 2008 Josh (not verified) says:
PS. I did not verify the script works, so don't shoot any flaming arrows my way, but I will update it if I find any
The text in the captured screen in not clear
On October 7th, 2008 Anonymous (not verified) says:
The text in the captured screen in not clear, I can not read it.
Advise: use black background and white foreground, do not use colors.
Shell Script (Text on screen)
On October 8th, 2008 Lazydj98 (not verified) says:
I recreated the script Elliot used. It's not exactly the same, but has the same functionality
#!/bin/sh
#locate iptables (this will cause issues if the command fails, but is flexible)
IPT=`which iptables`
#or possibly the following, but on CYGWIN it's not in the right format)
#IPT=`whereis iptables`
#flush iptables
$IPT -F
#-----------------------
# POLICIES
#-----------------------
#
# DEFAULT POLICIES
#-----------------------
#For outbound traffic
$IPT -P OUTPUT ACCEPT
#For inbound traffic
$IPT -P INPUT DROP
#For routed traffic is to drop for now
$IPT -P FORWARD DROP
#
# ALLOWED INBOUND TRAFFIC
#-----------------------------
#ALLOW loopback traffic
$IPT -A INPUT --in-interface lo -j ACCEPT
#ALLOW http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#ALLOW ssh
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#ALLOW Responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Fantastic tutorial
On October 4th, 2008 Anonymous (not verified) says:
Well done Elliot. Your timing couldn't have been more perfect. IPTables has always been a pain in the butt to understand. Being able to see and hear someone explain how it works is a great way to learn. I have enjoyed watching the video and will definitely tune in for the next part.
I've just installed a new Linux server at work which acts as our internet gateway via an ADSL router modem. It took me two days to setup the iptable rules and it is finally working (after reading lots of HOWTO docs). Now it will be nice to verify that what I have done is actually correct, and be able to understand all the rules I copied from the HOWTO's. ;-)
As for a transcript.
That would be nice, but I simply did the following. If you use Firefox web browser, simply look in your profile's Cache directory for a 10Mb file. That's the local copy of the video clip you watched. Simply copy it out for archiving purposes and for later enjoyment. :-)
Regards,
- Graeme -
Transcript
On October 3rd, 2008 RandyKramer (not verified) says:
+1
Transcript?
On October 2nd, 2008 Anonymous (not verified) says:
It would be nice if there were a transcript to these videos. A transcript can be read in a short amount of time to gain knowledge, or skimmed to see if the material is relevant, or used for later reference, or even used to capture notes so all eyes can be on the viewing.
Thank you.
Post new comment