Skip to content

How to configure firewall on linux

Below I will go over three easy steps on Configuring IPTables Firewall on Linux Environment. The following configuration was tested on 64 Bit Debian.

The firewall itself consists of two configuration files located in the following location.

/etc/default/firewall-rules consist the firewalls rules which are editable by the user.
/etc/init.d/firewall is the script for start|stop|restart|status of the firewall.

Below you can see Sample Firewall Rules. This script resides in /etc/default/firewall-rules

Please use this as a template and replace the EXIF, EXTIP and other IP Address / Ranges.

I will NOT be held responsible or liable for any loss or damage you cause to your systems.

Configuring Firewall Rules

#!/bin/bash
# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start firewall at boot time
# Description:       Enable firewall rules with IPTABLES syntax.
### END INIT INFO

EXIF="eth0"
SWITCH="$1"
EXTIP="IP.IP.IP.IP"

fw_start() {
# Clear any existing firewall stuff before we start echo "Flushing rules..."
iptables --flush
iptables -F -t nat

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
echo "Setting default policies"
iptables --policy OUTPUT ACCEPT
iptables --policy INPUT DROP
iptables --policy FORWARD ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT

# Accept all incoming traffic associated with an established connection, or a "related" connection
iptables -A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT

#Enable masquerade
iptables --table nat -A POSTROUTING -o $EXIF -s 192.168.0.0/16 -j MASQUERADE

echo "Configuring service ports"

#DNS Server
iptables -A INPUT -p udp -i $EXIF --dport 53 -s 8.8.8.8 -j ACCEPT
iptables -A INPUT -p udp -i $EXIF --dport 53 -s 8.8.4.4 -j ACCEPT
iptables -A INPUT -p udp -i $EXIF --dport 53 -s 208.67.222.222 -j ACCEPT
iptables -A INPUT -p udp -i $EXIF --dport 53 -s 208.67.220.220 -j ACCEPT

# Allow icmp input so that people can ping us
# iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Check new packets are SYN packets for syn-flood protection
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragmented packets
iptables -A INPUT -f -j DROP

# Drop malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop null packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Log then drop any packets that are not allowed. You will probably want to turn off the logging
iptables -A INPUT -i vif3.0 -j ACCEPT
iptables -A INPUT -i peth0 -j ACCEPT
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

echo "Done!"
}

fw_stop(){
echo "Flushing rules..."
#Clear any existing firewall stuff before we start
iptables --flush
iptables -F -t nat
# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
echo "Setting default policy to ACCEPT"
iptables --policy OUTPUT ACCEPT
iptables --policy INPUT ACCEPT

echo "Done!"
}

Firewall Control Script

Once the Firewall rules in done. Please make sure to make the script executable by issuing the following command.

chmod +x /etc/default/firewall-rules

Once that is completed, add the following script and reside it in /etc/init.d/firewall.

#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start firewall at boot time
# Description:       Enable firewall rules with IPTABLES syntax.
### END INIT INFO

source /etc/default/firewall-rules

case $SWITCH in
start)
fw_start
;;
stop)
fw_stop
;;
restart)
fw_stop
fw_start
;;
status)
iptables -vnL
;;
*)
echo "USAGE: /etc/init.d/firewall {start|stop|restart|status}"
;;
esac

Please make sure to make the script executable by issuing the following command.

chmod +x /etc/init.d/firewall

Now the firewall can be controlled via the following commands.

/etc/init.d/firewall start|stop|restart|status

Automatic Start on Boot

Finally, this firewall needs to be added to /etc/rc.local so the rules can be applied on boot. This option might vary between distros so I suggest you refer to the appropriate distros manual.

/etc/init.d/firewall start
comments powered by Disqus