Monday, October 1, 2012

Iptable a simple and effective firewall for LINUX based machine

Hi All,

When I first encountered iptables it scared me a lot. But believe me, it is very simple to configure iptables. In this post I am talking about how to set up a host firewall using iptables.
1. Install iptables. Usually it comes pre-installed unless you deselect it during OS installation.
2. On an rpm-based Linux distro, iptables reads its configuration from the file /etc/sysconfig/iptables.

This does not stop you from keeping your configuration somewhere else; in that case you have to load it yourself with the iptables-restore command, for example from rc.local.

3. Edit the iptables file and put your configuration in the filter table, under the INPUT chain (packets addressed to this host) and the OUTPUT chain (packets originating from this host).

Set the default policy to DROP for all chains, so anything not explicitly accepted below is discarded. The file must end with COMMIT, otherwise iptables-restore will not apply the table.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

#allow all connections from the loopback address for all protocols
-A INPUT  -i lo  -j ACCEPT
-A OUTPUT  -o lo  -j ACCEPT

#accept ICMP echo (ping) to and from nw-address
-A INPUT -i eth0 -s nw-address -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i eth0 -s nw-address -p icmp --icmp-type echo-reply   -j ACCEPT
-A OUTPUT -o eth0 -d nw-address -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o eth0 -d nw-address -p icmp --icmp-type echo-reply   -j ACCEPT

#accept ssh and webserver from nw-address; OUTPUT only lets the replies out
-A INPUT -i eth0 -s nw-address  -p tcp  --match multiport --dports 22,80,443 -j ACCEPT
-A OUTPUT -o eth0 -d nw-address -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

#end of the filter table; without this line iptables-restore loads nothing
COMMIT



Instead of ACCEPT after -j you may also use DROP or LOG.
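As an added example (not part of the original post), the shell script below generates the ruleset above with the nw-address placeholder filled in from a CIDR argument and checks it before it is handed to iptables-restore. It assumes the interface is eth0 as in the post and that the network (192.0.2.0/24 here) is a constructed sample value.

```shell
#!/bin/sh
# Emit the host-firewall ruleset from the post for the network given in $1.
# The interface name eth0 and the port list are taken from the post.
gen_rules() {
    nw="$1"   # e.g. 192.0.2.0/24 (constructed sample, not a real network)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ping to and from the management network
-A INPUT -i eth0 -s $nw -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i eth0 -s $nw -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -o eth0 -d $nw -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o eth0 -d $nw -p icmp --icmp-type echo-reply -j ACCEPT
# ssh and web from the management network; OUTPUT only passes the replies
-A INPUT -i eth0 -s $nw -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A OUTPUT -o eth0 -d $nw -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and return 0 only if it has the properties the
# post relies on: every chain defaults to DROP, the nw-address placeholder
# did not survive, and the table is closed with COMMIT (iptables-restore
# rejects a file without it).
check_rules() {
    f=$(mktemp)
    cat >"$f"
    rc=0
    grep -q '^:INPUT DROP' "$f" && grep -q '^:OUTPUT DROP' "$f" \
        && grep -q '^:FORWARD DROP' "$f" \
        && ! grep -q 'nw-address' "$f" \
        && [ "$(tail -n 1 "$f")" = "COMMIT" ] || rc=1
    rm -f "$f"
    return $rc
}

# Usage on a live host (needs root):
#   gen_rules 192.0.2.0/24 | check_rules && gen_rules 192.0.2.0/24 | iptables-restore
```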


Thanks and regards
lalit patel

