Easy Peasy Linux Firewalling – iptables

A lot of our customers have asked for firewalls, and since this is a common theme, I decided that I would help them out. Of course it can be a mission to learn how to make your own and what to do or not do, and some of the pre-made ones can be confusing.

So I decided to simplify it a little for you all by writing a firewall script. I originally took a script made by somebody else, then totally modified it to suit myself, then modified it again to suit any machine. You *should* be able to literally drop this in place on any server and have it *just work*.

All you need to do is edit the top couple of lines to set which ports you want open or closed, and edit the other options (e.g. the SSH port). Full instructions as follows...

wget http://b.ri.mu/files/firewall
nano firewall # ctrl+x to exit when finished editing
chmod +x firewall
./firewall

If you are still able to connect to your VPS in all the usual ways then you can add it into your init scripts. To check which ports you have open and want the outside world to connect to, you can use

netstat -pant |grep LISTEN

If you are unable to login then you may need to log into the console of your VPS at https://rimuhosting.com/cp/vps/console.jsp

Adding it into the init scripts

cp firewall /etc/init.d/firewall

Debian based (Debian, Ubuntu etc)

update-rc.d firewall defaults

CentOS/RPM based

chkconfig --add firewall

Note:
Just found a problem with the higher traffic sites that you may notice. Intermittently port 80 will be firewalled, with many log entries resulting. This is due to the low SYN rate limit and the use of syncookies etc. Just edit the first line to be the second:

> ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
< ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
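To see why the original 2/s limit bites a busy site and what the new values do and do not fix, here is a replay of the limit match's token bucket, added as an example and not part of the firewall script; it assumes iptables' default --limit-burst of 5 for the original line and uses constructed traffic with documentation addresses. It also goes beyond the note by comparing the single shared bucket of -m limit with a per-source bucket of the kind -m hashlimit keeps.

```python
# Token-bucket replay of the limit match used by the TCPACCEPT SYN rule.
# Added example, not part of the firewall script; all traffic is constructed.
from collections import defaultdict
from fractions import Fraction

def simulate(arrivals, limit_per_s, burst, per_source=False):
    """Replay SYN arrivals [(t_ms, src), ...] through iptables' `-m limit`
    bucket: at most `burst` tokens, starts full, refills at `limit_per_s`,
    and a SYN matches only when a whole token is available.  One bucket for
    the rule (per_source=False) is how `-m limit` behaves; per_source=True
    gives each source its own, as `-m hashlimit --hashlimit-mode srcip` does.
    Returns {src: (accepted, dropped)}."""
    buckets = {}                          # key -> (tokens, last_seen_ms)
    stats = defaultdict(lambda: [0, 0])
    for t_ms, src in sorted(arrivals):
        key = src if per_source else "*"
        tokens, last = buckets.get(key, (Fraction(burst), t_ms))
        tokens = min(Fraction(burst), tokens + Fraction(t_ms - last, 1000) * limit_per_s)
        if tokens >= 1:                   # rule matches: ACCEPT
            tokens -= 1
            stats[src][0] += 1
        else:                             # falls through to the LOG and DROP rules
            stats[src][1] += 1
        buckets[key] = (tokens, t_ms)
    return {src: tuple(v) for src, v in stats.items()}

def totals(result):
    """Sum (accepted, dropped) over all sources."""
    return (sum(a for a, _ in result.values()), sum(d for _, d in result.values()))

def busy_site(visitors=5, seconds=10):
    """Constructed load: `visitors` clients each open one connection per
    second, 5 SYN/s in total, ordinary traffic for a small web server."""
    return [(s * 1000, f"198.51.100.{v}") for s in range(seconds)
            for v in range(1, visitors + 1)]

def flood_plus_visitor(seconds=10):
    """Constructed flood: one source sends 100 SYN/s while a single visitor
    opens one connection per second (offset 505 ms so timestamps never tie)."""
    flood = [(ms, "203.0.113.9") for ms in range(0, seconds * 1000, 10)]
    visitor = [(s * 1000 + 505, "198.51.100.1") for s in range(seconds)]
    return flood + visitor

if __name__ == "__main__":
    print("busy site, 2/s burst 5 (script default):", totals(simulate(busy_site(), 2, 5)))
    print("busy site, 12/s burst 24 (patched):", totals(simulate(busy_site(), 12, 24)))
    shared = simulate(flood_plus_visitor(), 12, 24)["198.51.100.1"]
    own = simulate(flood_plus_visitor(), 12, 24, per_source=True)["198.51.100.1"]
    print("visitor during flood: shared bucket", shared, "per-source bucket", own)
```

With 5 SYN/s spread over five visitors the original rule passes only 23 of 50 SYNs and the patched one all 50; during a 100 SYN/s flood from one address the patched rule still drops every SYN from the legitimate visitor, while a per-source bucket passes all ten.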

Patch is

--- firewall-original 2010-05-31 22:18:28.000000000 +0000
+++ firewall 2010-05-31 22:19:55.000000000 +0000
@@ -171,7 +171,7 @@ echo -n "Setting up per-proto ACCEPT: "
 
# TCPACCEPT
# SYN Flood Protection
-${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
+${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since we don't know what it is
${IPTABLES} -t filter -A TCPACCEPT -j LOG --log-prefix "Mismatch in TCPACCEPT "
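Review bot: the raised numbers keep the real defect in the changed line, which is that `-m limit` holds a single token bucket for the rule, so the limit applies to all inbound SYNs together rather than per client; once they exceed 12/s long enough to drain the 24-token burst, every new connection on every TCP port routed through TCPACCEPT falls through to the trailing LOG and drop rules at once, which is the intermittent outage from the note at a higher threshold. If a SYN limit is kept at all, a per-source bucket (`-m hashlimit --hashlimit-mode srcip --hashlimit-upto 12/s --hashlimit-burst 24 --hashlimit-name syn`) stops one busy or abusive address from starving the rest, and since net.ipv4.tcp_syncookies already handles a genuine flood the rule may be unnecessary. The LOG rule at the end of the hunk has no rate limit of its own, which is where the "many logs" come from; give it `-m limit --limit 5/min` or similar.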
This entry was posted in Featured, Security.

2 Responses to Easy Peasy Linux Firewalling – iptables

  1. I like this one, even though it hasn't been updated since 2003 or so: http://www.sourcefiles.org/Networking/Firewalls/levy.pl

    Then there's the flamewar between whether it's more correct to --reject-with icmp-host-prohibited or --reject-with tcp-reset

  2. Liz says:

    Just found a problem with the higher traffic sites that you may notice. Intermittently port 80 will be firewalled and many logs resulting. This is due to the low syn rate and the use of syncookies etc. Just edit the first line to be the second

    > ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
    < ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT

    Patch is
    --- firewall-original 2010-05-31 22:18:28.000000000 +0000
    +++ firewall 2010-05-31 22:19:55.000000000 +0000
    @@ -171,7 +171,7 @@ echo -n "Setting up per-proto ACCEPT: "

    # TCPACCEPT
    # SYN Flood Protection
    -${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
    +${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
    ${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
    # Log anything that hasn't matched yet and ${DROP} it since we don't know what it is
    ${IPTABLES} -t filter -A TCPACCEPT -j LOG --log-prefix "Mismatch in TCPACCEPT "