James Stephens

January 12, 2006

Iptables – Example Firewall Rulesets

Filed under: Iptables, Unix Scripts, Unix Security — James Stephens @ 10:46 am

Two example iptables firewall rulesets are provided. Both are designed for a single-homed host and utilize the stateful inspection feature of iptables for all connections.

Original simple ruleset

This is the original deny-based ruleset. It’s been around a few years now. The configuration is relatively long, both because it is well commented, and also because many different services have been considered.

The original simple ruleset may be downloaded “here”. If you are just starting out with iptables firewalling, this is the one to use.

A simple accompanying startup script (to be placed somewhere like /etc/rc.d/init.d/iptables) is available “here”. Don’t forget this.

Updated more complex ruleset

This ruleset is deny-based only for inbound connections – in other words all outbound connections are allowed. I made this change because I was forever adding obscure ports for people that run webservers on 88, or 8080 and things like that, and it was forever a problem for my own travelling laptop users running this script, getting into difficulties and then calling for help.

This more advanced ruleset is designed to replace the iptables startup script in /etc/rc.d/init.d rather than having a separate startup script. You will observe that the updated script is coded in a more complicated style to avoid duplication.

The updated ruleset may be downloaded “here”.

Note – If you prefer a deny-based firewall configuration both inbound and outbound, it is trivial to modify the TCPSERVICES_OUTBOUND and UDPSERVICES_OUTBOUND variables and then add specific ports.
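The design described above (deny-based inbound, stateful inspection, all outbound allowed unless a service list is set), as an added example that is not the post's own downloadable script. It assumes the interface is eth0 and that `IPT` is left as `echo iptables` so the rules are only printed; set `IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example in the style of the post's rulesets (not the author's script).
# IPT defaults to "echo iptables": rules are printed for review, not applied.
IFACE="${IFACE:-eth0}"                              # assumed interface name
TCPSERVICES_INBOUND="${TCPSERVICES_INBOUND:-22}"    # TCP ports this host serves
# Empty = allow all outbound (the updated ruleset's behaviour). Set it to a
# port list such as "22 80 443" to get the deny-based outbound variant.
TCPSERVICES_OUTBOUND="${TCPSERVICES_OUTBOUND:-}"
IPT="${IPT:-echo iptables}"

build_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Loopback traffic is always trusted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Stateful core: one rule admits every reply to a connection this host
    # opened or accepted, so no per-service --sport rules are needed.
    $IPT -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that fit no tracked connection (e.g. a stray SYN,ACK) are dropped.
    $IPT -A INPUT -i "$IFACE" -m state --state INVALID -j DROP
    # New inbound connections only to the listed services.
    for p in $TCPSERVICES_INBOUND; do
        $IPT -A INPUT -i "$IFACE" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    if [ -z "$TCPSERVICES_OUTBOUND" ]; then
        # Updated-ruleset behaviour: anything outbound may leave.
        $IPT -P OUTPUT ACCEPT
    else
        # Deny-based outbound. The ESTABLISHED,RELATED rule is essential here:
        # without it the local sshd's replies to an accepted inbound session are
        # dropped and inbound ssh appears not to work.
        $IPT -P OUTPUT DROP
        $IPT -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
        for p in $TCPSERVICES_OUTBOUND; do
            $IPT -A OUTPUT -o "$IFACE" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
        done
        # DNS is UDP; without it nothing else can be resolved.
        $IPT -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    fi
    # Log what is about to hit the INPUT DROP policy.
    $IPT -A INPUT -i "$IFACE" -j LOG --log-prefix "iptables-drop: "
}

# Apply only when run as a script named firewall.sh; sourcing just defines build_rules.
if [ "${0##*/}" = "firewall.sh" ]; then
    build_rules
fi
```

Run it once with the default `IPT` and read the printed rules before applying them; the INPUT chain is ordered so that the stateful rule is consulted before any NEW-connection rule.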

Ruleset for a WRT54GL broadband router

See this post for a ruleset to operate on the Linksys-Cisco WRT54GL Wireless-G Broadband Router.

Please consider making a donation if you find these scripts useful to you. Thank you.


4 Comments »

  1. Hi James,

    i am studying the script above, but find that my VPS hosting does not support “state” module ,
    i.e. script like
    -m state --state ESTABLISHED -j ACCEPT
    will not work ( with error : ‘No chain/target/match by that name’ )
    i am thinking of 2 solutions, may i have some hint for them?
    1. i’ve downloaded latest version of iptables-1.3.7 , but may i know how to config and build so that i can add more modules ? and is it possible? (some said can’t change iptable once Linux was compiled)
    2. i guess ,down to a lower level, state(s) are in the form of flags ( like SYN, ACK. )
    would you mind telling us the flags pattern which have same meaning with
    a: --state NEW
    b: --state ESTABLISHED
    c: --state RELATED

    Comment by Jason — December 5, 2006 @ 11:16 am

  2. Jason,

    Make sure you have a double dash in front of state “--”.

    You cannot load additional modules unless you have root access. (generally true for a virtual machine, but not a virtual host)

    Stateful packet inspection uses more memory than simple flag inspection, but is far more advanced. For example, a spoofed SYN,ACK packet looks like a response to ACK, therefore a stateless firewall considers that as ESTABLISHED (anything w/ACK is), while the stateful firewall correctly determines that it is not part of any existing connection. There is no way to get true state matching without connection tracking.

    Comment by Ben — January 17, 2007 @ 12:48 am

  3. Personal Firewall Shell Script…

    Shell script for setting up stateful firewall based on iptables.

    Suitable for personal use.
    Protects your computer from outside world attacks.
    Handling packets based on connection state (ESTABLISHED, RELATED).
    OS Linux

    Shell script entry:
    #!/bin/sh
    #…

    Trackback by The Most Amazing Web Resources — July 25, 2007 @ 10:22 pm

  4. Hello James,
    I tried your simple firewall on my box (Debian).
    Everyhing ok. But I have a little problem. I would like to allow inbound ssh traffic,too.
    It doesn’t work. Could you help me?

    ## SSH
    # Allow ssh outbound.
    iptables -A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT #allow ssh in
    iptables -A INPUT -i $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    Comment by freeroute — October 9, 2007 @ 1:38 pm
