How to setup iptables firewall on CentOS

Sunday, 25 October 2009.

This tutorial shows a basic configuration of iptables. The script can be modified further to suit your needs.

1. Create a script

cd /home/username
vi myfirewall.sh
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
/sbin/iptables -F
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
# (drop everything incoming or forwarded unless a rule below accepts it)
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept new connections to the services this host offers:
# HTTP (80/tcp), DNS (53/udp) and SSH (22/tcp)
#
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Save settings so the iptables service restores them at boot
#
/sbin/service iptables save
#
# List rules
#
/sbin/iptables -L -v


2. Make sure it is executable

chmod 755 myfirewall.sh

3. Run the script as root

sudo bash
./myfirewall.sh

4. Modify it and rerun it.

Examples:

Open TCP port 80 (to allow the Apache web server to work):
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Open UDP port 53 (to allow a DNS server to work):
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT

TIP: To find out which port a service uses, look it up in /etc/services:

grep http /etc/services
# http://www.iana.org/assignments/port-numbers
http 80/tcp www www-http # WorldWideWeb HTTP
http 80/udp www www-http # HyperText Transfer Protocol
https 443/tcp # MCom
https 443/udp # MCom
gss-http 488/tcp
gss-http 488/udp
http-alt 8008/tcp
http-alt 8008/udp
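Instead of hard-coding port numbers in step 4, the ACCEPT rules can be generated from service names by resolving each one against an /etc/services-style listing, exactly the lookup the TIP above does by hand. This is an added example and not part of the original tutorial; the function names lookup_port and build_rules and the sample services listing are my own, and the script only prints the rules (a dry run) so it can be inspected before being pasted into myfirewall.sh.

```shell
#!/bin/bash
# Added example (not from the original post): build the per-service ACCEPT
# rules of myfirewall.sh from service names, taking the port number from an
# /etc/services-style listing. Hypothetical names: lookup_port, build_rules.

# lookup_port NAME PROTO   (reads an /etc/services-style listing on stdin)
# Prints the port number; returns 1 if there is no NAME/PROTO entry.
lookup_port() {
  awk -v n="$1" -v p="$2" '
    /^#/ || NF < 2 { next }                 # skip comments and blank lines
    { split($2, pp, "/") }                  # "80/tcp" -> pp[1]=80, pp[2]=tcp
    $1 == n && pp[2] == p { print pp[1]; found = 1; exit }
    END { exit (found ? 0 : 1) }'
}

# build_rules FILE NAME/PROTO...   prints one iptables command per service in
# the same form as the tutorial script; stops with an error on an unknown one.
build_rules() {
  local file="$1" spec name proto port
  shift
  for spec in "$@"; do
    name="${spec%/*}"; proto="${spec#*/}"
    port=$(lookup_port "$name" "$proto" < "$file") || {
      echo "build_rules: no entry for $name/$proto in $file" >&2
      return 1
    }
    echo "/sbin/iptables -A INPUT -p $proto --dport $port -j ACCEPT"
  done
}

# Constructed sample listing in /etc/services format (so this runs anywhere).
SAMPLE_SERVICES="/tmp/services.sample.$$"
trap 'rm -f "$SAMPLE_SERVICES"' EXIT
cat > "$SAMPLE_SERVICES" <<'EOF'
# service-name port/protocol [aliases] # comment
ssh 22/tcp
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
https 443/tcp # MCom
EOF

# Dry run: print the rules for the three services the tutorial opens.
build_rules "$SAMPLE_SERVICES" http/tcp domain/udp ssh/tcp
```

On a real host, pass /etc/services as the file argument; because a misspelled or missing service makes build_rules fail instead of emitting a rule with an empty port, a typo cannot silently open the wrong port.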
