Entropic Thoughts

Basic Firewall Configuration (iptables)

As part of my security explorations, I created a super simple firewall configuration that rejects everything other than established connections and explicitly allowed services. Such a configuration is a million times better than no firewall. Here's what I have on one of my servers, for example:

# Accept already established connections
iptables -A INPUT -m state     --state ESTABLISHED -j ACCEPT

# Accept any connection to localhost, since many internal
# services on my machine communicate this way
iptables -A INPUT -d 127.0.0.1                     -j ACCEPT

# Accept new SSH connections, HTTP, HTTPS, and some service
# running on port 28637.
iptables -A INPUT -p tcp       --dport 22          -j ACCEPT
iptables -A INPUT -p tcp       --dport 80          -j ACCEPT
iptables -A INPUT -p tcp       --dport 443         -j ACCEPT
iptables -A INPUT -p tcp       --dport 28637       -j ACCEPT

# Reject everything not listed so far
iptables -A INPUT                                  -j REJECT

After I entered these rules, I ran dpkg-reconfigure iptables-persistent to save them to disk and ensure they are reestablished whenever the machine restarts.
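A small audit script, added here as an example and not part of the original post, is a useful complement to a whitelist like the one above: it reads an INPUT chain listing in the format that `iptables -S INPUT` prints and checks the two properties that make the configuration a real whitelist, namely that the chain ends in an unconditional REJECT or DROP (or has policy DROP) and that the only TCP ports accepted are the ones you intended. The two listings embedded in the script are constructed sample output; the first mirrors the post's rules, the second is a chain that forgot the catch-all rule. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables INPUT chain
# listing (the format `iptables -S INPUT` prints) to confirm that
#   1. the chain ends in an unconditional REJECT or DROP, or has policy DROP, and
#   2. the only TCP ports accepted are the ones we expect.
# Both listings below are CONSTRUCTED sample output; the first mirrors the
# rules in the post, the second is a chain with no catch-all rule.

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28637 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

OPEN_RULES='-P INPUT ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# open_tcp_ports LISTING
# Prints, space separated, every TCP --dport that an ACCEPT rule in the
# INPUT chain opens.
open_tcp_ports() {
    printf '%s\n' "$1" \
        | awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
                   for (i = 1; i <= NF; i++)
                       if ($i == "--dport") print $(i + 1)
               }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# has_default_reject LISTING
# Succeeds if the last rule in the chain is an unconditional REJECT or DROP,
# or if the chain policy itself is DROP. Otherwise unmatched packets are
# accepted and the allow rules above are not actually a whitelist.
has_default_reject() {
    last=$(printf '%s\n' "$1" | grep '^-A INPUT ' | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP'
}

# unexpected_ports LISTING EXPECTED
# Prints, one per line, each accepted TCP port that is not in the
# space-separated EXPECTED list.
unexpected_ports() {
    for p in $(open_tcp_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# audit LISTING EXPECTED
# Succeeds only when the chain has a catch-all reject and opens no TCP
# ports beyond EXPECTED; reports each finding on stderr.
audit() {
    status=0
    if ! has_default_reject "$1"; then
        echo "FINDING: INPUT chain has no catch-all REJECT/DROP" >&2
        status=1
    fi
    for p in $(unexpected_ports "$1" "$2"); do
        echo "FINDING: TCP port $p is accepted but not in the expected list" >&2
        status=1
    done
    return $status
}

# Usage on a live host (needs root): audit "$(iptables -S INPUT)" "22 80 443 28637"
if audit "$SAMPLE_RULES" "22 80 443 28637"; then
    echo "sample chain: OK"
fi
```

Run against the real chain with `audit "$(iptables -S INPUT)" "22 80 443 28637"` after applying the rules, and again after any package install that might have appended its own ACCEPT rules. The script only inspects the IPv4 table; iptables rules do not apply to IPv6 traffic, so the same audit is worth running against `ip6tables -S INPUT` on a host that has a public IPv6 address.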

It took 10 minutes to configure this. It's no big deal.

I have services running on this server that should not be accessible from the internet. I'm pretty sure they're all configured to not be accessible from the internet too. But you know, with this firewall, I don't have to be "pretty sure". With the firewall, I can be sure that nothing except the few things I want are accessible from the internet. It's very relieving.