This document describes a small portion of iptables and how to setup a basic firewall using iptables. There are many huge books on iptables so I cannot go into any sort of detail here. If you want to create a more advanced firewall, then I suggest installing shorewall and reading the documentation http://www.shorewall.net/Introduction.html about setting it up. I generally use shorewall on my systems and configure them using http://www.webmin.com/.

Iptables Command Line

Saving Changes

Changes to iptables are not saved until you manually save them. This gives a nice testing environment.

See http://tuxtraining.com/2008/05/15/iptables-how-to-save-and-restore-rules-at-boot-shutdown/
for documentation on how to save your rules on boot.

Note that I save my iptables commands in a script (this is not the same file that iptables-save produces).
The easiest way to set up iptables rules is to create a script file with your firewall settings so you don't have to re-type them if you mess something up. I use /home/xxx/bin/iptables-rules.sh (see the bottom of this doc for my example of this file).

So execute your script (mine is /home/xxx/bin/iptables-rules.sh) or manually add/remove rules until you like what you see. Then export your rules to /etc/iptables.rules with

iptables-save > /etc/iptables.rules

Now, modify the /etc/network/interfaces config file to apply the rules automatically: add this below your interface (usually eth0)

pre-up iptables-restore < /etc/iptables.rules

You can also prepare a set of down rules and apply them automatically when you shut the interface off. To do this, add the following line in /etc/network/interfaces below the eth0 stanza and the pre-up command you just created.

post-down iptables-save -c > /etc/iptables.rules

Here is my config file (starting at eth0)

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.rules

Now reboot and check with iptables -L; the rules should be there.

Adding a TCP or UDP port

Note that on Fedora the chain name for INPUT is RH-Firewall-1-INPUT

Open TCP port 80 in the RH-Firewall-1-INPUT chain for any source/destination and insert this rule at position 9 (above the rule currently at line 9)

iptables -I RH-Firewall-1-INPUT 9 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

or port 80 for UDP

iptables -I RH-Firewall-1-INPUT 9 -i eth0 -p udp -m udp --dport 80 -j ACCEPT

To append to the chain (add to the bottom), replace -I with -A and remove the line number (9).

iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

Appending is usually not what you want, because the very last rule in the chain is a REJECT for all ports not listed above it; an appended ACCEPT lands below that REJECT and is never reached.
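To avoid the problem above without hard-coding a line number, the following added example (not part of the original page) parses the output of iptables -L CHAIN -n --line-numbers, finds the catch-all REJECT/DROP rule, and prints the iptables -I command that places a new ACCEPT just above it. The listing it parses is constructed for the example; the chain name and ports are taken from this page.

```shell
#!/bin/sh
# Added example: pick the insert position for a new ACCEPT rule so it lands
# above the chain's catch-all REJECT instead of being appended below it.
# SAMPLE_LISTING is a constructed copy of "iptables -L <chain> -n --line-numbers"
# output, not captured from a real host.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  172.34.5.8           0.0.0.0/0
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# catch_all_rule_num LISTING
# Prints the number of the first REJECT or DROP rule that matches any protocol,
# any source and any destination; prints nothing if the chain has no such rule.
# Older iptables prints the protocol as "all", newer releases print "0".
catch_all_rule_num() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") &&
        ($3 == "all" || $3 == "0") &&
        $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { print $1; exit }'
}

# insert_cmd CHAIN PROTO PORT LISTING
# Prints the iptables command that opens PORT/PROTO above the catch-all rule.
# When the chain has no catch-all yet, appending is safe, so -A is used.
insert_cmd() {
    chain=$1; proto=$2; port=$3; listing=$4
    n=$(catch_all_rule_num "$listing")
    if [ -n "$n" ]; then
        printf 'iptables -I %s %s -p %s -m %s --dport %s -j ACCEPT\n' \
            "$chain" "$n" "$proto" "$proto" "$port"
    else
        printf 'iptables -A %s -p %s -m %s --dport %s -j ACCEPT\n' \
            "$chain" "$proto" "$proto" "$port"
    fi
}

# Demo on the constructed listing: opens TCP 80 at position 5, above the REJECT.
insert_cmd RH-Firewall-1-INPUT tcp 80 "$SAMPLE_LISTING"
```

On a live host, pass the real listing instead: insert_cmd RH-Firewall-1-INPUT tcp 80 "$(iptables -L RH-Firewall-1-INPUT -n --line-numbers)" prints the command, and piping that into sh as root applies it.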

Dropping a rule (by number)

Use iptables -L --line-numbers to see which rule number to drop

iptables -D RH-Firewall-1-INPUT 5

This will drop rule 5 from the RH-Firewall-1-INPUT chain

Misc Commands

List all rules

iptables -L

List all rules with line numbers

iptables -L --line-numbers

Setting up a new Firewall

A great article on starting iptables from scratch:
http://www.howtoforge.com/linux_iptables_sarge

NOTE: in the examples, the server this firewall runs on is 192.168.1.1

Allow all traffic

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Rejects

Next we build the individual rejects first (if any). These are examples of how to reject traffic.

Reject an individual host by IP address

# iptables -A INPUT -s 172.34.5.8 -j DROP

Reject spammers

# iptables -A INPUT -s mail.spammer.org -d 192.168.1.1 -p tcp --dport 25 -j REJECT

Accepts

These are examples; add whatever your server needs

apache http
# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -j ACCEPT

all traffic from localhost
# iptables -A INPUT -d 192.168.1.1 -s 127.0.0.1 -j ACCEPT

ICMP/ping
# iptables -A INPUT -d 192.168.1.1 -p icmp -j ACCEPT

SSH
# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT

MYSQL (Allow Remote Access from a Particular IP):
# iptables -A INPUT -s 172.50.3.45 -d 192.168.1.1 -p tcp --dport 3306 -j ACCEPT

Global Rejects

Reject everything else destined for the server

# iptables -A INPUT -d 192.168.1.1 -j REJECT

Or, reject everything else coming through to any IP (I use this one):

# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT

Now, make sure you save your rules (see Saving Changes above) or they will be lost on reboot

iptables-rules.sh

#!/bin/sh

###Show Previous iptables
iptables -L --line-numbers

###Clear all 
iptables --flush

###Add the 3 way handshake, the traffic is now ESTABLISHED
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

###Individual Rejects First
##Reject any traffic from a certain IP
#iptables -A INPUT -s 172.34.5.8 -j DROP

##Reject any spammers
#iptables -A INPUT -s mail.spammer.org -p tcp --dport 25 -j REJECT

###Open it UP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 10051 -j ACCEPT
iptables -A INPUT -p tcp --dport 10050 -j ACCEPT

iptables -A FORWARD -p tcp --dport 10051 -j ACCEPT
iptables -A FORWARD -p tcp --dport 10050 -j ACCEPT

###Reject everything else
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

###Show new iptables
iptables -L --line-numbers

###Save permanently (iptables-save only prints to stdout, so redirect it
###to the file that pre-up iptables-restore reads at boot)
iptables-save > /etc/iptables.rules

Resources