simple statefull firewall with iptables

Posted on March 22, 2012 by spawn

Today, I was very very nervous ! Believe ! I’m ! So, I decided paste this simple script that I did a long time ago, but BELIEVE ! WORK and  is EFFECTIVE !

Brief resume, of why I’m posting this script:
frw~ # iptables -nvL

Chain INPUT (policy ACCEPT 215K packets, 38M bytes)
Chain FORWARD (policy ACCEPT 4848K packets, 3768M bytes)
Chain OUTPUT (policy ACCEPT 78397 packets, 11M bytes)

This is what really import at this moment ! Rules of the INPUT and FORWARD CHAIN, I not will show, because the target of rule is ACCEPT and  the POLICY of CHAIN IS ACCEPT too , thus,  WHY RULES WITH ACCEPT !???? make no sense !

Alright, a simple script …

# cat firewall.sh

#!/bin/bash
# Simple firewall
# http://stuffresearch.tor.hu

ipt=$(which iptables)
# Set yours ifaces here
iface=”eth0″

# Clear all rulez at tables FILTER and NAT ( -F ) and delete chains predeffined by user (-X) and set POLICY ACCEPT

defaccept() {

$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
}

# Default Policy 😉 ( firewall begins here 😉 )

defdrop() {

$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT DROP

# Allowing local traffic at loopback interface ( 127.0.0.1) and doing statefullllllll

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

$ipt -A INPUT -i $iface -m state –state RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -o $iface -p tcp –dport 53 -j ACCEPT
$ipt -A OUTPUT -o $iface -p udp –dport 53 -j ACCEPT
$ipt -A OUTPUT -o $iface -p tcp –syn -m state –state NEW -j ACCEPT
$ipt -A OUTPUT -o $iface -p icmp –icmp-type echo-request -j ACCEPT
$ipt -A OUTPUT -o $iface -m state –state RELATED,ESTABLISHED -j ACCEPT
}

# Allowing necessary services

dispserv() {

$ipt -A INPUT -i $iface -p tcp -m multiport –dport 22 -j ACCEPT
$ipt -A INPUT -i $iface -p udp -m multiport –dport 5000,8000:9000 -j ACCEPT
}

case $1 in
start) defdrop && dispserv ;;
stop) defaccept ;;
reload) defaccept && defdrop && dispserv ;;
statefull) defaccept && defdrop ;;
test) defdrop && dispserv && sleep 40 && defaccept ;;
*) echo “Uso: “$0″ start, stop, reload, statefull, test” ;;
esac

This firewall is very very simple, and is designed to allow only running services, in this example, asterisk and ssh.
Permit DNS searches and ping ( echo request ) .
Statefull is Accept connections only generated by firewall

Adjust to yours purposes and execute it

#  chmod +x firewall.sh
# ./firewall.sh start

# iptables -nvL

See by you the diference.

 

 

 

 

This entry was posted in Network and tagged , . Bookmark the permalink.