The following is an example iptables firewall that allows incoming
ssh connections from an individual IP address (192.168.1.100), allows
all outbound traffic, and uses stateful inspection.
This iptables firewall is suited for a single-homed firewall with
support for remote ssh administration. For personal use, you may not
want egress (outbound) filtering of network traffic. Of course, a
multi-homed corporate firewall should employ egress filtering as well
as ingress (inbound) filtering.
The script was developed based on information in Robert Ziegler's Linux
Firewalls book. More information on iptables is available at http://www.linux-firewall-tools.com/linux/
#!/bin/sh
# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Flush all chains
/sbin/iptables --flush
# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow incoming TCP port 22 (ssh) traffic from office
/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT
# Drop all other traffic
/sbin/iptables -A INPUT -j DROP
# Have these rules take effect when iptables is started
/sbin/service iptables save
That is the end of the original script.
If you want to make a syslog entry of dropped packets, change:
# Drop all other traffic
/sbin/iptables -A INPUT -j DROP
To:
# Create a LOGDROP chain to log and drop packets
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
# Drop all other traffic
/sbin/iptables -A INPUT -j LOGDROP
You may also want to set the --log-level so that dropped packets are
logged to a separate file instead of /var/log/messages. The --log-level
option belongs to the LOG target, so set it on the LOG rule in the
LOGDROP chain:
# Log dropped packets at the debug level
/sbin/iptables -A LOGDROP -j LOG --log-level debug
In /etc/syslog.conf, add:
# Send iptables LOGDROPs to /var/log/iptables
kern.=debug    /var/log/iptables
Reload the syslogd service for the change to take effect.
/sbin/service syslog reload
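Once dropped packets are landing in /var/log/iptables, a short summary of who is being dropped, and on which port, is the first thing worth reviewing. The following is an added example, not part of the original script: the function names summarize_drops and sample_log are hypothetical, the sample lines are constructed, and it assumes the kernel's standard LOG line format with no --log-prefix.

```shell
#!/bin/sh
# Added example: summarize iptables LOG entries per source, protocol and
# destination port. Reads the files given as arguments, or stdin if none.
# summarize_drops and sample_log are hypothetical names.
summarize_drops() {
    awk '
    / IN=/ && / SRC=/ {                  # only netfilter LOG lines
        src = ""; proto = ""; dpt = "-"  # "-" for portless protocols (ICMP)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample lines in the LOG target format (not real traffic).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4244 DF PROTO=TCP SPT=40114 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:00 fw kernel: eth0: link up
Mar  3 10:16:30 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=911 PROTO=TCP SPT=55001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:40 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

# Demo on the constructed sample; on a real host run:
#   summarize_drops /var/log/iptables
sample_log | summarize_drops
```

Each output line is a count followed by source address, protocol and destination port, highest count first.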
If you do not want to allow incoming ssh, remove:
# Allow incoming TCP port 22 (ssh) traffic from office
/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT