Here’s a little iptables primer, because the syntax is bizarre and I always forget it. This is my /etc/iptables/iptables.rules on this server (Arch Linux):
# Comments start with a #, but must not share a line with a command.
*filter
# Not sure what *filter is for.
:INPUT DROP [0:0]
# The default policy for all incoming connections is to DROP (refuse them)
:FORWARD DROP [0:0]
# Likewise for all forwarded connections (is this even used?)
:OUTPUT ACCEPT [0:0]
# Outgoing connections are all accepted. If I were really paranoid I might change this.
# All localhost interface traffic is OK
-A INPUT -i lo -j ACCEPT
# All ICMP (management protocol, for ping and stuff I think) is OK
-A INPUT -p icmp -j ACCEPT
# I think this says "Don't boot me off if I've already got a connection". Not sure though.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The next 8 commands just say accept all incoming TCP traffic on these ports
# (iptables knows a few keywords like http and https,
# but I could just as well have said 80 and 443)
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT
# 110=pop3 143=imap 585=secure-imap 995=secure-pop3
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 585 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Yeah not really sure what these were so I just commented them out.
#-A INPUT -p tcp -j REJECT --reject-with tcp-reset
#-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
#-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
The file in itself doesn’t really do anything, but the rc.d script to start it reads it in with iptables-restore.
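As an added example (not the author's file or tooling), here is a small Python auditor for files in the restore format shown above. It parses the *table, :CHAIN POLICY and -A lines, resolves service names the way iptables does (through /etc/services, with a fallback map for the three names used above in case that file is missing), lists the TCP ports the INPUT chain accepts, and flags things worth checking before loading the file: a missing COMMIT, a non-DROP default policy on INPUT or FORWARD, a missing RELATED,ESTABLISHED rule, and the OUTPUT ACCEPT policy the comment above mentions. The embedded sample is a constructed copy of the rules above with the comment lines removed.

```python
# Added example: a small auditor for iptables-restore format files (not the post's own tooling).
# Handles the subset used above: *table, :CHAIN POLICY [c:c], -A rules, COMMIT, # comment lines.
import socket

# Fallback for the service names the post uses, in case /etc/services is missing
SERVICE_FALLBACK = {"ssh": 22, "http": 80, "https": 443}

# Constructed copy of the post's filter table, comments stripped
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 585 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
COMMIT
"""

def service_to_port(name, proto="tcp"):
    """Resolve a '--dport ssh' style name the way iptables does, via /etc/services."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return SERVICE_FALLBACK[name]

def opt(tokens, flag):
    """Value that follows a flag in a rule's token list, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def parse_rules(text):
    """Return (table, policies, rules, committed) for a single-table restore file."""
    table, policies, rules, committed = None, {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # iptables-restore ignores blank lines and whole-line comments
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
        elif line == "COMMIT":
            committed = True
        elif line.startswith("-A "):
            tokens = line.split()
            rules.append((tokens[1], tokens[2:]))  # (chain, match and target tokens)
        else:
            raise ValueError(f"line {lineno}: unrecognised directive {line!r}")
    return table, policies, rules, committed

def accepted_tcp_ports(rules):
    """Sorted TCP destination ports that the INPUT chain accepts from any source."""
    ports = set()
    for chain, tokens in rules:
        if chain == "INPUT" and opt(tokens, "-p") == "tcp" and opt(tokens, "-j") == "ACCEPT":
            dport = opt(tokens, "--dport")
            if dport is not None:
                ports.add(service_to_port(dport))
    return sorted(ports)

def audit(text):
    """Checks worth running before handing the file to iptables-restore."""
    table, policies, rules, committed = parse_rules(text)
    findings = []
    if table != "filter":
        findings.append(f"expected *filter, got {table!r}")
    if not committed:
        findings.append("missing COMMIT: iptables-restore would not apply the table")
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, not DROP")
    if policies.get("OUTPUT") == "ACCEPT":
        findings.append("OUTPUT policy is ACCEPT (all outbound traffic allowed)")
    # The stateful rule is what lets replies to outbound connections back in past a DROP policy
    stateful = any(chain == "INPUT" and opt(tokens, "-j") == "ACCEPT"
                   and "ESTABLISHED" in (opt(tokens, "--state") or "")
                   for chain, tokens in rules)
    if not stateful:
        findings.append("no RELATED,ESTABLISHED accept rule on INPUT")
    return {"open_tcp_ports": accepted_tcp_ports(rules), "findings": findings}

if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    print("open TCP ports:", report["open_tcp_ports"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Run on the sample it reports ports 22, 80, 110, 143, 443, 585, 995 and 8080 and a single finding about the OUTPUT policy; deleting the COMMIT line or the state rule from the sample adds the corresponding finding. The parser only understands the directives that appear in the post's file and raises on anything else, which is the safe behaviour for a pre-load check.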
A few other useful commands:
sudo iptables -L -v # print out the current rules
sudo /etc/rc.d/iptables restart # restart iptables
If you want to autoload some config settings, put them (the output of iptables-save) in some file, /etc/firewall.conf or whatever, and then in /etc/network/if-up.d/iptables (apparently this is like an optional-init.d-addendum for upstart, keyed off the filename, as far as I can tell), put this:
#!/bin/sh
iptables-restore < /etc/firewall.conf
Then chmod +x the file.