Basic linux firewall configuration (iptables)

By Ivan Radovanovic

The Linux firewall divides all traffic into three groups:

  • INPUT
  • OUTPUT
  • FORWARD

The first two are obvious; the third group, I guess, also covers NAT and similar features.

Traffic is controlled by adding accept or reject rules to the appropriate group. Compared to OpenBSD's pf, iptables seems to be missing tables (a weird choice of name, he he); all rules seem to behave like quick rules, and you need to take care of connection state explicitly.

Sample configuration (a typical configuration for a web server: allow ICMP, allow HTTP and HTTPS from outside, and don't filter anything on loopback):

#!/bin/sh
# Flush all existing rules in the filter table
/sbin/iptables -F
# Never filter loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections this host opened, plus related traffic (e.g. ICMP errors)
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public services: HTTP and HTTPS (port names are resolved from /etc/services)
/sbin/iptables -A INPUT -p tcp --dport http -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport https -j ACCEPT
# Allow ICMP (ping, path MTU discovery)
/sbin/iptables -A INPUT -p icmp -j ACCEPT
# Everything else is dropped; this final rule is what closes the host,
# since the chain's default policy is not changed above
/sbin/iptables -A INPUT -j DROP
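The same web-server policy, as an added example that is not part of the original post, expressed in the iptables-restore file format instead of one iptables call per rule. The difference that matters operationally: iptables-restore loads the whole file as one atomic change, so there is no window during a reload in which the chain has been flushed but not yet repopulated, and the chain policies (:INPUT DROP etc.) make the host fail closed even if an individual rule is missing. It also shows where NAT lives: the filter table's FORWARD chain only governs packets routed through the host, while NAT itself is configured in the separate nat table (PREROUTING/POSTROUTING chains), which this example leaves untouched. The function names (gen_web_ruleset, count_rules, policy_of, load_ruleset) are my own; numeric ports are used instead of service names so the file does not depend on /etc/services.

```shell
#!/bin/sh
# Added example, not the post's own script.
# Web-server filter policy as an iptables-restore rule file, built by a
# function so it can be inspected (or checked) before being loaded.

# gen_web_ruleset: print the *filter table ruleset for a web server.
# INPUT and FORWARD get an explicit DROP policy; OUTPUT is left open.
gen_web_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is never filtered
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (e.g. ICMP errors)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (e.g. stray ACKs without a connection)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public services: HTTP and HTTPS, accepted only as new connections
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# ICMP (ping, path MTU discovery)
-A INPUT -p icmp -j ACCEPT
# log a rate-limited sample of what the DROP policy will discard, for tuning
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# count_rules CHAIN: number of -A rules for CHAIN in the generated ruleset
count_rules() {
    gen_web_ruleset | grep -c "^-A $1 "
}

# policy_of CHAIN: the default policy declared for CHAIN (DROP/ACCEPT)
policy_of() {
    gen_web_ruleset | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# load_ruleset: parse-check the file with iptables-restore --test, then load
# it atomically. Needs root and a kernel with netfilter; not run by the test.
load_ruleset() {
    f=$(mktemp) || return 1
    gen_web_ruleset > "$f"
    if iptables-restore --test "$f"; then
        iptables-restore "$f"
    fi
    rc=$?
    rm -f "$f"
    return $rc
}
```

To review the policy without touching the kernel, run gen_web_ruleset and read the output; to apply it, run load_ruleset as root. Saving the live rules back out with iptables-save produces the same format, so the generated file can be diffed against what is actually loaded.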