In this post I will describe how to set up a simple firewall script for Debian Etch. The first thing to do is to install the prerequisites. The firewall tool in Debian is iptables, so we need to install it:
apt-get install iptables
When this is done we are set for building a simple firewall. The first thing to do is to flush all old rules. This is done by the code below.
# Disable routing before new rules are applied
echo 0 > /proc/sys/net/ipv4/ip_forward
# Rules are flushed and policies are set
/sbin/iptables -t nat -F
/sbin/iptables -F
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT DROP
The first thing we do is to disable routing (IP forwarding) through the host until the script has finished and all firewall rules are applied. Next we flush all existing rules left over from previous firewall scripts etc. Third we set the default policies: here we accept all outgoing traffic and drop all incoming traffic.
Now we are ready to apply exceptions to the standard policy.
First we accept everything from the loopback interface. This is necessary in order to connect to our own local ports.
# allow anything over loopback (to/from localhost only)
/sbin/iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
# also trust everything arriving from the local 10.0.0.0/24 network (on any interface)
/sbin/iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
#/sbin/iptables -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
Now we need to accept all packets belonging to existing connections, for example a connection that we have initiated ourselves.
# allow anything related to an existing connection
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
#iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED,NEW
Now we set up logging; the rule below (commented out here) logs new forwarded connections. The log entries can be found in /var/log/messages.
# /sbin/iptables -A FORWARD -m state --state NEW -j LOG --log-prefix IPTABLE_NEW --log-level 4
If we want to be able to SSH into the server we need to make an exception rule for port 22:
iptables -A INPUT -p tcp --destination-port 22 -m state --state RELATED,NEW,ESTABLISHED -j ACCEPT
This can be repeated for all other exceptions.
If I only want to accept SSH connections from a specific IP, I can use the following:
iptables -A INPUT -p tcp --destination-port 22 -s 1.2.3.4 -m state --state RELATED,NEW,ESTABLISHED -j ACCEPT
If we want to open a whole range of ports we use the following:
iptables -A INPUT -p tcp --destination-port 6891:6901 -m state --state RELATED,NEW,ESTABLISHED -j ACCEPT
If we only want root to be able to use FTP from the server to a specific IP, we can use the following.
# only root may open the FTP control connection (port 21) to 1.2.3.4;
# this does not cover FTP data connections, which use separate ports
iptables -A OUTPUT -p tcp --dport 21 -d 1.2.3.4 -m owner ! --uid-owner root -j DROP
If we want to disable FTP to all servers, we can omit the -d 1.2.3.4.
Now we want to stop broadcast pollution.
# No broadcast pollution
# note: iptables stops at the first matching rule, so packets already accepted
# by the 10.0.0.0/24 rule above never reach these; they only catch the rest
iptables -A INPUT -i eth0 -p ALL -j DROP -s 10.0.0.255
iptables -A INPUT -i eth0 -p ALL -j DROP -d 10.0.0.255
iptables -A INPUT -i eth0 -p ALL -j DROP -s 255.255.255.255
iptables -A INPUT -i eth0 -p ALL -j DROP -d 255.255.255.255
Finally we log everything on INPUT that has not matched an earlier rule, just before the default policy drops it.
iptables -A INPUT -j LOG
The last thing to do is to re-enable the routing that we disabled at the start of the script.
# Forwarding is started.
echo 1 > /proc/sys/net/ipv4/ip_forward
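Putting the steps above together, here is an assembled version of the script as an added example (not the original post's code) that also tightens rule order: the broadcast drops go before the LAN accept rule (iptables is first-match, so placed after it they never fire), the default FORWARD policy is DROP, and the final LOG rule is rate-limited. It assumes eth0, the 10.0.0.0/24 network and the placeholder admin address 1.2.3.4 from the post; IPT and IP_FORWARD_FILE are hypothetical overrides that allow a dry run without root.

```shell
#!/bin/sh
# Assembled host firewall (added example, not the original post's script).
# Dry run without touching the kernel: IPT=echo IP_FORWARD_FILE=/tmp/fwd sh fw.sh apply
IPT="${IPT:-/sbin/iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
LAN="10.0.0.0/24"                 # assumed local network
LAN_BCAST="10.0.0.255"            # its broadcast address
ADMIN_IP="${ADMIN_IP:-1.2.3.4}"   # placeholder: host allowed to SSH in
IFACE="eth0"                      # assumed external interface

apply_rules() {
    # Stop forwarding while the rule set is rebuilt.
    echo 0 > "$IP_FORWARD_FILE"

    # Flush old rules, then set default policies (deny inbound and forwarded by default).
    $IPT -t nat -F
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP          # stricter than the post: route nothing unless a rule allows it
    $IPT -P OUTPUT ACCEPT

    # Loopback is needed for local services talking to each other.
    $IPT -A INPUT -i lo -j ACCEPT

    # Drop broadcast noise BEFORE the LAN accept rule: iptables is first-match,
    # so placing these after "-s $LAN -j ACCEPT" would make them dead rules.
    for addr in "$LAN_BCAST" 255.255.255.255; do
        $IPT -A INPUT -i "$IFACE" -s "$addr" -j DROP
        $IPT -A INPUT -i "$IFACE" -d "$addr" -j DROP
    done

    # Replies to connections this host initiated.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Trusted local network, and new SSH sessions from one administrative host only.
    $IPT -A INPUT -s "$LAN" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_IP" -m state --state NEW -j ACCEPT

    # Log what is about to be dropped, rate-limited so a flood cannot fill the log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW_DROP "

    # Re-enable forwarding now that the rule set is complete.
    echo 1 > "$IP_FORWARD_FILE"
}

# Only apply when invoked as "sh fw.sh apply", so the file can be sourced for testing.
if [ "${1:-}" = apply ]; then apply_rules; fi
```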