IPTABLES
Allow all outbound traffic belonging to established connections (new outbound connections are not allowed)
# iptables -A OUTPUT -p tcp -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow incoming to port 22 and port 80
# iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
Allow the firewall host itself to browse the internet (HTTP and HTTPS)
# iptables -A OUTPUT -p tcp -j ACCEPT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -m multiport --dport 80,443 --sport 1024:65535
Allow previously established connections
# iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
One could also allow all outbound TCP traffic
# iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
We’ll start by doing some setup items. First we’ll define your system’s IP address as a hostname.
#!/usr/bin/env bash
YOUR_HOSTNAME=123.456.789.012   # placeholder: replace with your system's real IP address
Then we’ll start by flushing any existing rules.
/sbin/iptables -F
-F stands for flush.
And we’ll allow traffic for the local interface.
/sbin/iptables -A INPUT -i lo -j ACCEPT
-A stands for “append”. -i indicates the interface. -j means jump to a given chain.
And then we’ll allow traffic that’s part of an established connection. netfilter is a stateful engine, after all.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-m stands for “match”. --state matches the connection states listed after it.
Management rules
In a large corporate environment it’s extremely critical that you set up your management rules so that 1) you can actually get to your firewalls to administer them, and 2) that you limit access to only the people who need it.
In our scenario, we’re going to have just one rule of this type: in this case a rule for SSH.
/sbin/iptables -A INPUT -d $YOUR_HOSTNAME -p tcp --dport 2222 -j ACCEPT
-d stands for destination. -p stands for protocol. --dport stands for destination port.
Ok, now we’ll be able to SSH into the box on port 2222 (yes, it’s better to use an alternate port for remote access).
Access rules
Now let’s do a regular rule. In a larger environment it’d be much different than a management rule because the destination wouldn’t be the firewall itself, but in this case we’re actually making a firewall to protect a server or workstation, so the rules look the same.
Let’s open a port for an HTTP server.
/sbin/iptables -A INPUT -d $YOUR_HOSTNAME -p tcp --dport 80 -j ACCEPT
Perfect.
The “default deny” rule
So we’ve got two ports allowed in here: web and ssh. Now we want to make it so that any other packets that hit this box get dropped on the floor.
/sbin/iptables -A INPUT -j DROP
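As an added example (not part of the original notes), this Python model walks the INPUT chain built above in the order the script appends it and returns the first matching target, which is how netfilter evaluates a chain. It shows why the DROP rule has to be appended last; the host address and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

HOST = "203.0.113.10"  # constructed stand-in for $YOUR_HOSTNAME


@dataclass
class Rule:
    """One iptables rule: the match options it carries and its -j target."""
    target: str                        # -j ACCEPT or DROP
    in_iface: Optional[str] = None     # -i
    dst: Optional[str] = None          # -d
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    states: frozenset = frozenset()    # -m state --state A,B

    def matches(self, pkt: dict) -> bool:
        # Every option present on the rule must match; absent options match anything.
        return (
            (self.in_iface is None or pkt["iface"] == self.in_iface)
            and (self.dst is None or pkt["dst"] == self.dst)
            and (self.proto is None or pkt["proto"] == self.proto)
            and (self.dport is None or pkt.get("dport") == self.dport)
            and (not self.states or pkt["state"] in self.states)
        )


def input_chain(host: str) -> list:
    """The INPUT chain exactly as the script appends it (-A), top to bottom."""
    return [
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", dst=host, proto="tcp", dport=2222),
        Rule("ACCEPT", dst=host, proto="tcp", dport=80),
        Rule("DROP"),  # the "default deny" rule, appended last
    ]


def verdict(chain: list, pkt: dict, policy: str = "ACCEPT") -> str:
    """netfilter walks the chain top-down and the first match decides.
    With no match the chain policy applies (ACCEPT unless changed with -P)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def packet(iface="eth0", dst=HOST, proto="tcp", dport=None, state="NEW"):
    """Constructed packet summary, as conntrack would classify it."""
    return {"iface": iface, "dst": dst, "proto": proto, "dport": dport, "state": state}
```

Removing the final DROP leaves unmatched packets to the chain's ACCEPT policy, and appending DROP before the SSH rule shadows it, so `verdict` makes both mistakes visible before they reach a live box.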