Added on May 21st, 2012. Tags: firewall, security, server

Installation

If iptables is not present on the system, install it with:

apt-get install iptables

Startup script

Create a new init-script /etc/init.d/iptables:

#!/bin/bash
#
# /etc/init.d/iptables - load, reload or show the firewall rules.
# The rules themselves live in /opt/scripts/iptables_rules.sh.

if [[ $1 == start || $1 == restart ]] ; then
    # Flush current settings and replace them with the default settings.
    sudo /opt/scripts/iptables_rules.sh
elif [[ $1 == status ]] ; then
    # Display the current chains
    sudo iptables --list
else
    # Important: all settings will be flushed.
    # No remote connection will be possible!!
    # There is deliberately no "stop" action; exit with an error instead.
    echo "Flush of iptables will not be executed. This is probably *not* what you want to do!"
    echo "Usage: service iptables {start|restart|status}"
    exit 1

    # If you are stubborn and really want to shut yourselves
    # out of this server then you can execute the following command:
    # sudo iptables -F
fi

Create a script with the iptables rules in /opt/scripts/iptables_rules.sh:

#!/bin/bash

# Flush all rules in the filter table (the chains themselves keep their policy)
iptables -F

# Set default policy for each of the pre-defined chains:
# nothing comes in unless a rule below allows it, outgoing traffic is free,
# and this host does not forward packets for other hosts.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Default rule set (rules are evaluated top to bottom, first match wins)

# SSH
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

# Web + SSL
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

# SMTP + POP3 + IMAP + IMAP4-SSL + IMAPS + SSL-POP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 585 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT

# Local traffic (matching on "-i lo" instead would cover all of 127.0.0.0/8)
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# Replies to connections this host opened, plus related traffic such as ICMP errors
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Belt and braces: explicitly drop any other new TCP connection attempt
# (SYN without ACK) on every eth interface; the INPUT policy would drop it anyway
iptables -A INPUT -i eth+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

echo "New chains loaded"

Change the permissions of the init-script and the rules script. Only root should be allowed to read or execute them:

chmod 700 /etc/init.d/iptables
chmod 700 /opt/scripts/iptables_rules.sh

Add the init-script to the boot-up sequence:

update-rc.d iptables defaults 98 02
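
The init-script warns that a flush cuts off remote access, and the same is true of a rules file that is missing its SSH line. The following lockout guard is an added example, not code from the original page: it refuses to load a rules file such as /opt/scripts/iptables_rules.sh unless that file still accepts the SSH port, and after loading it arms a timer that flushes the rules again unless the admin confirms from a fresh SSH session. The function names, the confirmation file path and the grace period are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not part of the original page: a lockout guard for the rules
# script. Before a rules file is loaded it must still ACCEPT the SSH port, and
# after loading, a background timer flushes the rules again unless the admin
# confirms (from a fresh SSH session) that the box is still reachable.
# Assumed names: the function names, the CONFIRM file and the grace period
# are made up for this example.

# List the TCP destination ports that the rules file accepts on INPUT, ascending.
accepted_ports() {   # $1 = path of a rules script like /opt/scripts/iptables_rules.sh
    grep -E '^iptables -A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | sed -E 's/.*--dport ([0-9]+).*/\1/' | sort -n | uniq
}

# Exit status 0 if the rules file accepts the SSH port, 1 otherwise.
ssh_allowed() {      # $1 = rules file, $2 = SSH port (default 22)
    accepted_ports "$1" | grep -qx "${2:-22}"
}

# Load the rules only if SSH stays open. Then give the admin $2 seconds
# (default 60) to create the confirmation file; if it does not appear, set the
# INPUT policy back to ACCEPT and flush, so a typo cannot lock everyone out.
safe_apply() {       # $1 = rules file, $2 = grace period in seconds
    local rules="$1" grace="${2:-60}" confirm="/tmp/iptables.confirmed"
    if ! ssh_allowed "$rules"; then
        echo "refusing to load $rules: no ACCEPT rule for the SSH port" >&2
        return 1
    fi
    rm -f "$confirm"
    bash "$rules" || return 1
    ( sleep "$grace"; [ -e "$confirm" ] || { iptables -P INPUT ACCEPT; iptables -F; } ) &
    echo "Rules loaded. Run 'touch $confirm' within ${grace}s to keep them."
}
```

On the page's own rules file, accepted_ports prints 22, 25, 80, 110, 143, 443, 585, 993 and 995; a copy with the port 22 line removed is refused before any iptables command runs.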

Background information