Iptables
From MEPIS Documentation Wiki
Iptables is a command line program used to configure the Linux kernel packet filtering ruleset. It is targeted towards system administrators.
Example of firewall configuration using iptables
First make sure that Guarddog doesn't start automatically: remove the guarddog entries from the runlevels, otherwise it will overwrite the rules below.
#!/bin/sh
# Flush previous iptables rules (filter table and nat table)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Drop all packets by default, allow only the ones specified explicitly
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Accept traffic to and from the local (loopback) interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections we opened (established and related) back in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outgoing ICMP (ping etc.)
iptables -A OUTPUT -p ICMP -j ACCEPT

# Allow DNS lookups
iptables -A OUTPUT -p UDP --dport 53 -j ACCEPT

# Allow SMTP, POP, IMAP, Gmail (submission), Yahoo IM, Freenode, MSN, Gtalk, Ktorrent
iptables -A OUTPUT -p TCP --dport 25 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 110 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 143 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 587 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 5050 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 6667 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1863 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 5222 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 6881 -j ACCEPT

# Allow browsing over HTTP and HTTPS
iptables -A OUTPUT -p TCP --dport 80 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -j ACCEPT

# Allow FTP (control and active-mode data ports)
iptables -A OUTPUT -p TCP --dport 20 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 21 -j ACCEPT

# Allow outgoing packets belonging to established and related connections
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
These rules are lost at every reboot; to make them permanent, put the commands in an executable script that is run at boot time.
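The following is an added example, not part of the original MEPIS page: it emits the same ruleset in iptables-save/iptables-restore format, which is the usual way to persist rules. Loading the saved file with iptables-restore applies the whole table atomically, so there is no window, as there is when the commands above run one by one, in which the DROP policies are already in place but the ACCEPT rules are not yet loaded. The path /etc/iptables/rules.v4 is an assumption (the default used by Debian's iptables-persistent package).

```shell
#!/bin/sh
# Added example (not from the MEPIS wiki): print the page's firewall ruleset
# in iptables-restore format so it can be saved once and loaded atomically at boot.

# Outbound TCP ports the page opens, in the order the page lists them.
OUT_TCP_PORTS="25 110 143 587 5050 6667 1863 5222 6881 80 443 20 21"

# Print one "-A OUTPUT ... -j ACCEPT" line per TCP destination port given as argument.
emit_tcp_out() {
  for p in "$@"; do
    printf '%s\n' "-A OUTPUT -p tcp --dport $p -j ACCEPT"
  done
}

# Print the whole filter table: default DROP policies, then the page's ACCEPT rules.
emit_ruleset() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -p icmp -j ACCEPT'
  printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT'
  emit_tcp_out $OUT_TCP_PORTS
  printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
  printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules in the generated ruleset (quick sanity check before loading).
count_accepts() {
  emit_ruleset | grep -c -- '-j ACCEPT'
}

# Usage as root (path is an assumption, see lead-in):
#   emit_ruleset > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Run `iptables-save` afterwards to confirm the loaded table matches the file; a boot-time script then only needs the single iptables-restore line.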
Related Mepis Wiki Links
- Firewall -- Guide to configuring a redundant firewall architecture.
- Guarddog -- Guarddog graphical iptables editing application.
- Firestarter -- Firestarter graphical iptables editing application.
- ufw -- Uncomplicated Firewall (ufw) command line-based iptables editing application.
- Gufw -- Gufw graphical user interface to the command line interface, ufw, for editing iptables.
- Enabling Firewall for P2P Applications -- Firewall configuration for P2P applications such as Gnutella, Frostwire, Limewire, etc.
- Webmin -- Web based system administration tool that contains a module to configure the firewall and routing capabilities of the kernel. Very flexible and powerful but somewhat complex.
Other Related Resources
- Home Website for Netfilter/Iptables -- Detailed advanced documentation for Netfilter and Iptables.
- Homepage for Guarddog -- GUI interface for editing iptables.
- Online Manual for Guarddog -- Detailed advanced documentation for Guarddog.
- Homepage for Firestarter -- User-friendly GUI front-end for editing iptables.
- Online Manual for Firestarter -- Detailed advanced documentation for Firestarter.
- Homepage of Uncomplicated Firewall (ufw) -- A command line interface for editing iptables.
- Wiki for Uncomplicated Firewall (ufw) -- Ubuntu wiki documentation for ufw.
- Homepage of Gufw -- Gufw is a graphical interface to the command line interface ufw for editing iptables.
- Documentation for Gufw -- Ubuntu documentation for Gufw.
- Kmyfirewall -- A KDE-based firewall tool designed to be relatively easy to use while providing full-featured control of iptables. Appears to no longer be in active development.