Iptables : Simple Rules for a home firewall | Flavio's blog
 


Iptables (on Linux, including Ubuntu, which is probably the most widespread distribution) is the program through which you interface with netfilter, which lets you intercept and block packets. Put simply, it lets a user decide which connections should be blocked and which ports should be opened to allow a particular kind of traffic (e.g. open port 21 to allow a user to connect to the local computer, which runs an ftp server).

By default, if nobody has configured the firewall, iptables blocks all incoming connections, which means that if someone tries to connect to your computer using some service (ftp, mail) they receive a nice TIMEOUT.

This is easily checked by typing, in a shell:

sudo iptables -L

the result will be

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

with no further details on open ports.
This type of configuration is fine for most users, but it no longer holds when, as written above, you need to run an ftp server on your computer and allow remote users to access it, or you want to access your computer remotely using ssh (Secure Shell).

You therefore need to identify the service you want to make accessible from outside and figure out which tcp or udp port is associated with it (by default, for example, 21 for ftp, 22 for ssh).
Having done this, it is convenient to create a small script that is launched automatically when the computer boots (because otherwise, at the next reboot, iptables will have "forgotten" all the rules you set).

An example would be a file of this type:

# Flush the INPUT chain so re-running the script does not duplicate rules
iptables -F INPUT
# Default policies: drop unsolicited incoming traffic, allow all outgoing traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Always allow loopback traffic and replies to connections we started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open the ports of the services that must be reachable from outside
iptables -A INPUT -p tcp --dport 4682 -j ACCEPT
iptables -A INPUT -p udp --dport 4692 -j ACCEPT
iptables -A INPUT -p tcp --dport 6890:6900 -j ACCEPT
iptables -A INPUT -p udp --dport 6890:6900 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 2077 -j ACCEPT

Lines of the form iptables -A INPUT -p tcp --dport PORT_NUMBER -j ACCEPT open tcp port PORT_NUMBER.
Lines of the form iptables -A INPUT -p udp --dport PORT_NUMBER -j ACCEPT open udp port PORT_NUMBER.
A port written as PORT_NUMBER1:PORT_NUMBER2 means open all the ports in the range between those two ports.

At this point all that remains is to save the script, make it executable (sudo chmod +x ScriptName) and copy it to /etc/init.d;
at the next reboot the rules will be loaded into the firewall. If you want to test the newly created rules without rebooting, just type

sudo ./ScriptName

and verify them with sudo iptables -L.
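A small POSIX shell helper, added here as an example (it is not part of the original post), that rebuilds a script like the one above from a list of proto/port specs. It validates each port or range before emitting a rule, and prepends the default-DROP policy, loopback and state rules; the rules are printed rather than applied, so they can be reviewed before being piped into sudo sh.

```shell
#!/bin/sh
# Build an iptables rule script from specs such as tcp/22 or udp/6890:6900.
# Usage: gen_rules tcp/22 tcp/25 udp/6890:6900   (prints the rules only)
# The DROP policy, loopback and state rules are assumptions of this example.

port_ok() {
  # accept only integers in 1..65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_rules() {
  rules='iptables -F INPUT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for spec in "$@"; do
    proto=${spec%%/*}
    port=${spec#*/}
    case "$proto" in
      tcp|udp) ;;
      *) echo "gen_rules: bad protocol in '$spec' (use tcp or udp)" >&2; return 1 ;;
    esac
    # a range low:high must have both ends valid and low <= high
    case "$port" in
      *:*) lo=${port%%:*}; hi=${port#*:} ;;
      *)   lo=$port; hi=$port ;;
    esac
    if ! port_ok "$lo" || ! port_ok "$hi" || [ "$lo" -gt "$hi" ]; then
      echo "gen_rules: bad port in '$spec'" >&2; return 1
    fi
    rules="$rules
iptables -A INPUT -p $proto --dport $port -j ACCEPT"
  done
  printf '%s\n' "$rules"
}

# The post's script, regenerated from its port list
gen_rules tcp/4682 udp/4692 tcp/6890:6900 udp/6890:6900 tcp/25 tcp/22 tcp/2077
```

Because every spec is checked before anything is printed, a typo such as tcp/70000 or a reversed range produces an error and no rule script at all.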

Nothing prevents you from using a GUI to set the rules graphically, but I think it is necessary to understand at least the basics of how the firewall works before managing it with a graphical tool.

Update 15 April 2009:

Here is a list of the principal tcp/udp services and their ports (link)
