Configuration

IPTABLES should already be installed, so we only need to set up an Iptables script to activate our rules. The following rules will be allowed:

· Incoming connections to port 80 (http)
· Incoming connections to port 22 (ssh)
· Incoming connections to port 21/20 (ftp)
· Any outgoing connection
· ICMP will be allowed

Below is the firewall script, saved as /etc/init.d/firewall:

#!/bin/sh
# Firewall script by ingmar@02/06/2002
#
# * Remote hosts can access: FTP SSH HTTP
# * Local host can connect:  to everywhere
# * ICMP is enabled

# Source function library (provides echo_success)
. /etc/rc.d/init.d/functions

# Path to IPTABLES
IPTABLES=/sbin/iptables

case "$1" in

start)
   echo -n "Activating Firewall: "
   # Load the FTP connection-tracking helper so that FTP data
   # connections are recognised as RELATED to the control connection
   modprobe ip_conntrack_ftp

   # Flush the INPUT, OUTPUT and FORWARD chains -> empty
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD

   # Default policy: drop everything we don't explicitly allow below
   $IPTABLES -P INPUT DROP
   $IPTABLES -P OUTPUT DROP
   $IPTABLES -P FORWARD DROP

   # Accept ICMP packets
   $IPTABLES -A INPUT -p icmp -j ACCEPT

   # Accept packets to port 22 (ssh), 80 (http) and 137-139 (SAMBA)
   $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
   $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT

   # Accept incoming packets that belong to, or are related to, an
   # existing connection. If this is skipped we won't receive replies
   # to our own packets
   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

   # Finally allow all packets from this host to go anywhere
   $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
   $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

   # This is needed for Apache and SWAT to connect to local ports
   $IPTABLES -A INPUT -i lo -j ACCEPT
   echo_success
   echo
   ;;
stop)
   echo -n "Deactivating Firewall: "

   # Flush all chains -> empty
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD

   # Allow all packets
   $IPTABLES -P INPUT ACCEPT
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD ACCEPT

   echo_success
   echo
   ;;
status)
   # Display the active filter rules
   $IPTABLES --list
   ;;
*)
   echo "Usage: $0 {start|stop|status}"
   exit 1
   ;;
esac

exit 0

A port scan of this host should now list only ports 22, 80 and 137-139 as being accessible.
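As an added check, not part of the original page or of the script above, the POSIX shell functions below parse the output of "iptables -L INPUT -n" (the same listing the script's status target prints for the INPUT chain) and confirm that the chain policy is DROP and that exactly the ports the page expects to be reachable are accepted: 22, 80 and 137-139 over TCP, 137-139 over UDP. The script itself opens no FTP port, so 21 is deliberately absent from the expected list, in line with the port-scan sentence above. The embedded listing is a constructed sample in the iptables 1.2-era format; the function names and the EXPECTED_PORTS variable are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of what "iptables -L INPUT -n" prints after the
# firewall script has been started (assumed iptables 1.2.x listing format).
SAMPLE_INPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:137:139
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# Ports that the page says remote hosts may reach (hypothetical variable name).
EXPECTED_PORTS='tcp:22
tcp:80
tcp:137:139
udp:137:139'

# Print the chain policy (DROP or ACCEPT) taken from the listing header.
chain_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain [A-Z]* (policy \([A-Z]*\)).*/\1/p'
}

# Print one "proto:port" (or "proto:first:last") line per ACCEPT rule
# that matches on a destination port, sorted in C locale order.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "ACCEPT" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpts?:/) {
                    sub(/^dpts?:/, "", $i)
                    print $2 ":" $i
                }
        }' | LC_ALL=C sort
}

# Return 0 when the policy is DROP and exactly the expected ports are
# accepted; otherwise print what differs and return 1.
check_ruleset() {
    listing=$1
    expected=$2
    policy=$(chain_policy "$listing")
    if [ "$policy" != DROP ]; then
        echo "INPUT policy is $policy, expected DROP"
        return 1
    fi
    got=$(accepted_ports "$listing")
    want=$(printf '%s\n' "$expected" | LC_ALL=C sort)
    if [ "$got" != "$want" ]; then
        echo "accepted ports differ from expectation; active set is:"
        echo "$got"
        return 1
    fi
    return 0
}

# On the live host (as root) run:
#   check_ruleset "$(iptables -L INPUT -n)" "$EXPECTED_PORTS" && echo OK
```

Running the check after every change to the script catches the two failure modes the status target cannot: a policy silently left at ACCEPT (for example when a start after stop failed halfway) and a port accepted that the policy list does not mention.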

The current version of this script always reports OK when it is started or stopped. If the script fails, however, IPTABLES itself will display error messages. A future version might "fix" this problem; it is very unlikely for this script to fail once it has been tested, however.