May 12, 2007

Basic firewall for Linux workstation

This shell script is something like good starting point firewall for Linux workstation. Adjust it on your own. Execute it at start of system.

You need kernel 2.4 or 2.6 with netfilter and state matching enabled (default on all distros known to me). Allowed incoming ssh is for sysadmins a _must_. Also ping helps to diag problem. If you need more complex firewall, try to think about blocking also outgoing connection. Also for servers and routers this script is not sufficient.
cat /etc/rc.d/rc.firewall
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# enable incoming ssh and echo requests (ping)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

No comments:

Post a Comment