Multi-homed iptables firewall

The following iptables firewall is suited for a dual-homed firewall. In this example, eth1 is the internal LAN interface and eth0 is the public Internet interface. All outbound and return traffic is allowed from both the internal LAN and the firewall itself. All incoming traffic originating from the Internet is dropped.

Note: for remote administration via ssh, I typically add a rule such as:

# Allow incoming ssh from work
/sbin/iptables -A INPUT -i eth0 -p tcp -s work_IP_address/32 --dport 22 -m state --state NEW -j ACCEPT

-----

#!/bin/sh

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

# Don't send Redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Drop spoofed packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

# Flush existing rules on INPUT, OUTPUT, FORWARD chains and nat table
/sbin/iptables --flush
/sbin/iptables -t nat --flush

# Unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
/sbin/iptables -t nat --policy PREROUTING ACCEPT
/sbin/iptables -t nat --policy OUTPUT ACCEPT
/sbin/iptables -t nat --policy POSTROUTING ACCEPT

# Drop all invalid TCP state combinations
# First list of TCP state flags lists the bits to be tested
# Second list of TCP state flags lists the bits that must be set to match test

# All of the bits are cleared
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is set without the expected accompanying ACK
/sbin/iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is set without the expected accompanying ACK
/sbin/iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is set without the expected accompanying ACK
/sbin/iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# Masquerade everything out eth0; used for dynamic IPs
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow all outbound connections from LAN (eth1) to Internet (eth0)
# Allow only return traffic from those connections
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow unlimited outbound and return traffic from firewall
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Activate IP forwarding
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# Save iptables rules
/sbin/service iptables save

Back to brandonhutchinson.com.

Last modified: 09/23/2002