
Setting up a firewall in Linux with iptables.

Setting up a firewall in Linux is actually surprisingly easy. With Ubuntu you may want to make sure the iptables package is installed. If you run Slackware, the best Distro on Earth, you’ve already got it. Iptables is the heart of most firewall scripts in Linux.

I’m going to assume that you are running a Linux box with two Ethernet cards installed. One controller will be on the public network side, the other on the private network side. For this example we’ll also be using the 192.168.1.* network as the private network and 10.10.8.* as the public (outside) network.

Ok now it’s time to jump into the firewall script. I created a simple bash script called rc.firewall.

#!/bin/sh
# rc.firewall: NAT and port-forwarding rules for a two-NIC gateway.
# eth0 is the public (outside) interface; the private 192.168.1.* network sits behind it.

### Firewall kernel modules and base configuration ###
# Load the netfilter modules first so the flush commands below have tables to
# work on. Current kernels name the conntrack/NAT helpers nf_conntrack,
# nf_conntrack_ftp and nf_nat_ftp (and the log target xt_LOG); modprobe
# resolves the dependencies either way.
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG

# Start from a clean slate: flush every rule and delete user-defined chains
# in the filter, nat and mangle tables.
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X

# Turn on IP forwarding so the kernel routes between the two interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

### Now we want to forward all web traffic arriving at a public address of the
### firewall (the -d address) to a server on the internal network.
iptables -t nat -A PREROUTING -d 10.10.5.56 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.27:80

## Let's configure a secure web connection too.
iptables -t nat -A PREROUTING -d 10.10.5.56 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.27:443

## A connection to a telnet port on another Linux box? Forward public traffic on port 2000 to port 23 on an internal server.
iptables -t nat -A PREROUTING -d 10.10.5.55 -p tcp --dport 2000 -j DNAT --to-destination 192.168.1.210:23

### We can't forget to route Quake Arena traffic as well.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 28960 -j DNAT --to-destination 192.168.1.64:28960

## Now let's BLOCK an IP address. We drop INPUT, OUTPUT and FORWARD for all
## data (any protocol) whose source or destination is the host 213.2.31.55.
## A bare address means a single host (/32); a /8 mask on this address would
## match every address in 213.0.0.0/8, i.e. about 16 million hosts.
iptables -A INPUT   -s 213.2.31.55 -j DROP
iptables -A OUTPUT  -s 213.2.31.55 -j DROP
iptables -A FORWARD -s 213.2.31.55 -j DROP
iptables -A INPUT   -d 213.2.31.55 -j DROP
iptables -A OUTPUT  -d 213.2.31.55 -j DROP
iptables -A FORWARD -d 213.2.31.55 -j DROP

### Route all web surfing and Internet access from the private network through
### this firewall, rewriting the source address to eth0's public address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That's basically it. Save the script, make it executable and run it. You can test by trying to surf from within the network. Make sure the default gateway on your workstation is set to the IP address of the machine running this script (the address on its private, 192.168.1.* side).

You can also call a friend outside the network and ask them to try reaching the forwarded web server (or whatever else you forwarded) for testing.
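The script above only translates addresses; it never sets chain policies, so INPUT and FORWARD still accept everything that is not explicitly dropped, and the gateway itself is reachable from the outside on every port it listens on. Here is an added default-deny, stateful variant of the same rule set (my own example, not code from the original post). It assumes eth0 is the public side, eth1 the private side, 192.168.1.0/24 the private network and 10.10.5.56 the public address of the forwarded web server, all taken from the article; rules are issued through an IPT variable so the whole set can be previewed with IPT=echo before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny, stateful
# rule set for the same two-NIC gateway. Assumed from the article: eth0 is
# the public side, eth1 the private side, 192.168.1.0/24 the private
# network and 10.10.5.56 the public address of the forwarded web server.
# IPT=echo prints the rules instead of applying them; applying needs root.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}";  LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_PUB="${WEB_PUB:-10.10.5.56}"; WEB_INT="${WEB_INT:-192.168.1.27}"
BLOCKED="${BLOCKED:-213.2.31.55}"
build_rules() {
    # Clean slate, then deny by default on the chains that carry traffic.
    for t in filter nat mangle; do $IPT -t $t -F; $IPT -t $t -X; done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to flows we already track are always allowed;
    # packets conntrack cannot classify are dropped.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # The blocked host: a single address (/32), not a /8.
    $IPT -A INPUT -s "$BLOCKED" -j DROP
    $IPT -A FORWARD -s "$BLOCKED" -j DROP
    $IPT -A FORWARD -d "$BLOCKED" -j DROP
    $IPT -A OUTPUT -d "$BLOCKED" -j DROP
    # Anti-spoofing: private source addresses never arrive on the public NIC.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Manage the gateway itself (SSH) only from the private side.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # LAN hosts may start connections outward; outside hosts may only reach
    # the web server, and only on the ports that are DNATed to it.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WEB_PUB" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_INT:80"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WEB_PUB" -p tcp --dport 443 \
        -j DNAT --to-destination "$WEB_INT:443"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_INT" -p tcp \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}
# Number of iptables invocations the rule set makes; handy with IPT=echo.
rule_count() { build_rules | wc -l | tr -d ' '; }
# Run with APPLY=1 (as root) to load the rules, or APPLY=1 IPT=echo to preview.
if [ -n "$APPLY" ]; then build_rules; fi
```

Because FORWARD defaults to DROP, every additional port forward needs both its PREROUTING DNAT rule and a matching FORWARD accept for the internal host, which is what keeps the rest of the private network unreachable from outside.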
