When we talk about a firewall in Linux we are generally talking about iptables. Iptables is built into the Linux kernel, meaning every Linux operating system does in fact have iptables.
Iptables consists of rule sets used to accept or drop packets based on their source / destination.
Because some Linux distributions ship a service layer on top of iptables that loads its own rule set at boot, we need to turn off that layer so it no longer manages the rules.
Let's try running this command:
chkconfig iptables off
Now that we have turned the iptables service off, let's create the script that adds rule sets to the firewall.
Let's create a new file named /etc/rc.d/init.d/myFirewall.
Here is a sample iptables configuration script; I have commented it so it's easy to understand.
#!/bin/bash
##### CONFIGURATION
# Used to accept local machines only.
NETMASK_ACCEPT="192.168.10.0/24"

##### RULES
# Flush all rules (clear the rules)
iptables -F

# SSH
# -A INPUT    append to the INPUT chain, i.e. incoming connections
# -p tcp/udp  which protocol to match
# --dport     which (destination) port to match
# -j          the target: ACCEPT or DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Samba
# -s            the source computer's IP address or network
# -m multiport  match several ports in one rule
# --dports      comma-separated list of ports to match
# -I INPUT inserts at the top of the chain instead of appending
iptables -I INPUT -s "$NETMASK_ACCEPT" -p tcp -m multiport --dports 135,139,445 -j ACCEPT
iptables -I INPUT -s "$NETMASK_ACCEPT" -p udp -m multiport --dports 137,138 -j ACCEPT

# Web server http/https
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Minecraft server
iptables -A INPUT -p tcp --dport 25565 -j ACCEPT

# CSS server
iptables -A INPUT -p tcp --dport 27015 -j ACCEPT
iptables -A INPUT -p tcp --dport 27016 -j ACCEPT
iptables -A INPUT -p udp --dport 27015 -j ACCEPT
iptables -A INPUT -p udp --dport 27016 -j ACCEPT

# Teamspeak3
iptables -A INPUT -i eth0 -p udp --dport 9987 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 30033 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 10011 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 2008 -j ACCEPT

##### DEFAULT RULES
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
# Anything not explicitly accepted by a rule above is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Accept all outgoing packets, e.g. you are allowed to browse a website from the Linux server.
iptables -P OUTPUT ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Save settings
/sbin/service iptables save

# List rules
iptables -L -v
Now we want our Linux server to run this script at startup. First check which runlevel your machine is running in:
runlevel
The number printed is your runlevel; in the commands below, replace rc3 with rcX, where X is that number.
cd /etc/rc.d/rc3.d
# Create a symbolic link to the script so it runs at startup
# (ln -s takes the target first, then the link name)
ln -s /etc/rc.d/init.d/myFirewall S09myFirewall
Well, that's it, your firewall is up and running. Note that you can check which rules are active with iptables -L -v
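The same allow-list approach as the script above, rewritten as an added example (not the original post's script) so that the loopback and ESTABLISHED,RELATED rules are installed before the INPUT policy flips to DROP, and so the whole rule set can be printed instead of applied. The function names (build_rules, count_accepts), the dry backend and the proto:port[:source] entry format are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the original post's script. Same kind of allow-list
# firewall, but stateful/loopback rules come first and the rule set can be
# dry-run. Service entries use the assumed format proto:port[:source].
IPT="${IPT:-iptables}"          # set IPT=dry to print instead of apply

# Dry-run backend: print the command that would have been executed.
dry() { printf 'iptables %s\n' "$*"; }

# Apply (or print) one rule through the selected backend.
rule() { "$IPT" "$@"; }

build_rules() {
  rule -F
  rule -X
  # Loopback and already-established traffic are accepted before the
  # policy flips to DROP, so an open SSH session is not cut off mid-script.
  rule -A INPUT -i lo -j ACCEPT
  rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -m state --state INVALID -j DROP
  for svc in "$@"; do
    proto=${svc%%:*}
    rest=${svc#*:}
    port=${rest%%:*}
    src=
    case $rest in *:*) src=${rest#*:} ;; esac   # optional source restriction
    if [ -n "$src" ]; then
      rule -A INPUT -s "$src" -p "$proto" --dport "$port" -j ACCEPT
    else
      rule -A INPUT -p "$proto" --dport "$port" -j ACCEPT
    fi
  done
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT
}

# Number of ACCEPT rules a dry run would install; a quick sanity check.
count_accepts() { IPT=dry build_rules "$@" | grep -c -- '-j ACCEPT'; }

# Usage: sh firewall.sh --dry-run tcp:22 tcp:80 tcp:443 tcp:445:192.168.10.0/24
if [ "${1:-}" = "--dry-run" ]; then
  shift
  IPT=dry build_rules "$@"
fi
```

Run it with --dry-run first and compare the printed commands with iptables -L -v after applying; the Samba-style source restriction is expressed as tcp:445:192.168.10.0/24.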