Every new Linux user wonders whether they need a firewall. You can answer that yourself once you know what a firewall is for: it filters packets, incoming and outgoing, according to a set of rules, and anything the rules do not allow never reaches the service behind it. In this guide the linnewbies.com team shows how to set up elementary iptables rules for filtering packets.
| Gentoo Linux and Gentoo-based distributions - The first example was made on a Gentoo test machine. |
First check which versions of iptables are available. We prefer eix to emerge --search "package":
eix lists two matching packages; the one we need is net-firewall/iptables. On Gentoo with the portage package manager, installing it is a matter of emerge iptables.
| NOTE: Don't forget to check for blocks or unsatisfied dependencies first with emerge -pv "package" (pretend, verbose): |
kickar@linnewbies ~ $ emerge -pv iptables
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild     U ] net-firewall/iptables-1.4.2-r2 [1.4.0-r1] USE="(-extensions%) (-imq%) (-ipv6%*) (-l7filter%) (-static%)" 426 kB
Total: 1 package (1 upgrade), Size of downloads: 426 kB
kickar@linnewbies ~ $
In this case the pretend run shows that the installed iptables would be upgraded (the U flag). Upgrading and installing a new package follow the same procedure. Run privileged commands through sudo from an unprivileged account rather than from a root shell: every privileged action then sits behind a password prompt and leaves a log entry, and a typo affects only the one command you typed:
kickar@linnewbies ~ $ sudo emerge iptables
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password:
Calculating dependencies... done!
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) net-firewall/iptables-1.4.2-r2
>>> Downloading 'http://distfiles.gentoo.org/distfiles/iptables-1.4.2.tar.bz2'
--2009-04-11 05:59:43-- http://distfiles.gentoo.org/distfiles/iptables-1.4.2.tar.bz2
Resolving distfiles.gentoo.org... 156.56.247.195, 140.211.166.134, 64.50.238.52, ...
Connecting to distfiles.gentoo.org|156.56.247.195|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 435891 (426K) [application/x-tar]
Saving to: `/usr/portage/distfiles/iptables-1.4.2.tar.bz2'
100%[======================================>] 435,891     286K/s   in 1.5s
........................................................
And so on; emerge takes care of the rest. Note that the tarball was fetched over plain http. That is acceptable only because portage checks the downloaded file against the digests in the ebuild's Manifest before unpacking it, so a tampered mirror fails the check rather than getting compiled into your firewall. Once compiling finishes with no errors you can start configuring it.
For KDE users there is net-firewall/kmyfirewall, a graphical front end that generates iptables rules. You can check its available versions with eix as well, or run a pretend emerge:
kickar@linnewbies ~ $ sudo emerge -pv kmyfirewall
Password:
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R   ] net-firewall/kmyfirewall-1.1.1 USE="arts -debug -xinerama" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB
kickar@linnewbies ~ $
In my case it is already installed (the R flag means reinstall), so I will continue with setting up rules in KMyFirewall; to install it, just drop the -pv options. After installing it, start it and configure it as you like. If you get something wrong and cut yourself off from the network, you can always flush the current rules. First, look at what is loaded; iptables-save prints every table in a form that iptables-restore can read back:
kickar@linnewbies ~ $ sudo iptables-save
Password:
# Generated by iptables-save v1.4.2 on Sat Apr 11 12:29:28 2009
*mangle
:PREROUTING ACCEPT [1727126:1372540668]
:INPUT ACCEPT [1726657:1372386071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1751099:407282310]
:POSTROUTING ACCEPT [1751099:407282310]
COMMIT
# Completed on Sat Apr 11 12:29:28 2009
# Generated by iptables-save v1.4.2 on Sat Apr 11 12:29:28 2009
*nat
:PREROUTING ACCEPT [80473:8604252]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [124038:9263571]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sat Apr 11 12:29:29 2009
# Generated by iptables-save v1.4.2 on Sat Apr 11 12:29:29 2009
*filter
:INPUT DROP [120985:9549648]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1751099:407282310]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "Rule HTTP_tcp: "
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "KMF: "
COMMIT
# Completed on Sat Apr 11 12:29:29 2009
kickar@linnewbies ~ $
These are example rules for a web server (if you run a public web server we suggest a dedicated firewall machine such as Smoothwall). Read them from the top of the filter table: the INPUT policy is DROP, so anything not explicitly accepted is discarded; the loopback, HTTP and HTTPS rules open what the host serves; and the RELATED,ESTABLISHED rule is what lets replies to the host's own outgoing connections back in. Two things worth noticing: the port-80 LOG rule has no rate limit, so every connection attempt writes a log line, and the nat table masquerades without naming an interface while FORWARD is still ACCEPT. To erase the rules use iptables -F for the filter table and iptables -t nat -F for the nat table. Each command needs sudo; the && only chains the commands, it does not carry root privileges over to the second one:
kickar@linnewbies ~ $ sudo iptables -F && sudo iptables -t nat -F
Password:
kickar@linnewbies ~ $
There is no output, which means the rules were flushed. Be careful with this on a remote machine: -F removes the rules but leaves the chain policies as they were. With the INPUT policy still DROP and the RELATED,ESTABLISHED rule gone, every incoming packet is dropped and an SSH session dies on the spot. Set the policies back to ACCEPT first (iptables -P INPUT ACCEPT, and the same for FORWARD and OUTPUT) and only then flush. You can do all of this from KMyFirewall too, but knowing the terminal commands is what gets you out of trouble when the GUI is what broke things.
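The two things a practitioner wants at this point are a ruleset written by hand rather than exported from a GUI, and a flush that cannot lock them out of the machine. The script below is an added example for this guide, not code from the original article or from KMyFirewall. It assumes (none of this is stated on the page) that the box is administered over SSH on port 22, that the standard state, limit and multiport match extensions are available, and that pointing IPT at "echo iptables" turns it into a dry run that only prints the commands it would execute.

```sh
#!/bin/sh
# Added example for this article, not code from the original page: a minimal
# web-server ruleset in the spirit of the iptables-save dump shown above, plus
# a flush that cannot lock you out. Assumptions (not from the article): you
# administer the box over SSH on port 22, and IPT can be set to
# "echo iptables" for a dry run that only prints the commands.
set -eu

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Return the firewall to "accept everything". Order matters: with the INPUT
# policy still DROP, "iptables -F" alone removes the RELATED,ESTABLISHED rule
# and every packet, your SSH session included, is dropped. So: policies to
# ACCEPT first, then flush the rules, then delete user-defined chains.
reset_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done
}

# Default-deny ruleset for a host that serves HTTP/HTTPS and nothing else.
webserver_rules() {
    reset_firewall
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP      # not a router (the dump above left FORWARD ACCEPT)
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to our own connections carry the bulk of all traffic: match early.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Answer pings, but not floods.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
    # SSH with a global brake on brute forcing; attempts above the limit fall
    # through to the DROP policy, so keep the burst generous for yourself.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
         -m limit --limit 3/min --limit-burst 5 -j ACCEPT
    # The service itself.
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Log what falls through, rate-limited: the dump above logged every port-80
    # SYN without a limit, which lets a remote peer fill the disk with log lines.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables drop: "
    # The INPUT policy drops the rest; no explicit DROP rule is needed.
}

# Apply remotely with a safety net: a background timer resets the firewall
# unless you cancel it after confirming that a fresh login still works.
apply_with_guard() {
    guard="${GUARD_SECONDS:-120}"
    ( sleep "$guard" && reset_firewall ) &
    guard_pid=$!
    webserver_rules
    echo "Rules loaded. Reset in $guard s unless you run: kill $guard_pid"
}

case "${1:-}" in
    apply) apply_with_guard ;;
    reset) reset_firewall ;;
    show)  $IPT -L -v -n ;;
    *)     ;;   # no argument: only define the functions
esac
```

Preview with IPT="echo iptables" sh webfw.sh apply, then run sudo sh webfw.sh apply from your SSH session, open a second login to confirm it works, and kill the printed PID to cancel the reset. Rules live only in the kernel and vanish at reboot; iptables-save > /etc/iptables.rules and iptables-restore < /etc/iptables.rules in a boot script are the standard way to keep them.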
GNOME users can use Firestarter, but at the time of writing it is not in portage, so you will need to install it from source.
| Debian and Debian-based distributions - The following example was made on Ubuntu Linux: |
In current Ubuntu releases iptables is installed by default; all you need to do is set up rules for it. On a freshly installed system there are no rules, and iptables -L shows something like this (note that -L shows only the filter table; add -t nat to see the NAT table, and -v -n for packet counters and unresolved addresses):
kickar@ubuntutestbox ~ $ sudo iptables -L
Password:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
kickar@ubuntutestbox ~ $
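Policy ACCEPT on every chain with no rules means the host accepts everything: a fresh Ubuntu install has iptables, but not a firewall. Before trusting either that empty default or a ruleset a GUI produced, it helps to have a check that reads iptables-save output and flags the conditions this guide has touched on. The script below is an added example, not code from the original article; the two sample dumps are constructed from the Gentoo web-server rules shown earlier on this page and from the empty Ubuntu default, with the packet counters zeroed, and the checks themselves are this example's own.

```sh
#!/bin/sh
# Added example for this article, not code from the original page: a quick
# audit of "iptables-save" output. The two dumps embedded below are
# constructed from the examples on this page (Gentoo web-server rules, empty
# Ubuntu default); the checks are this example's own, not the article's.
set -eu

# Read an iptables-save dump on stdin, print one FINDING line per problem.
audit_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2); next }                 # *filter, *nat, *mangle
    /^:/  { policy[table ":" substr($1, 2)] = $2; next }  # :INPUT DROP [pkts:bytes]
    /^-A / {
        rules[table]++
        if (table == "filter" && $2 == "INPUT") {
            input_rules++
            if ($0 ~ /--state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) has_established = 1
        }
        # An unlimited LOG rule lets any remote peer fill the disk with log lines.
        if ($0 ~ /-j LOG/ && $0 !~ /-m limit/)
            f[n++] = "LOG without -m limit (log flooding): " $0
        # MASQUERADE with no -o rewrites traffic leaving on every interface.
        if ($0 ~ /-j MASQUERADE/ && $0 !~ /-o /)
            f[n++] = "MASQUERADE not bound to an outbound interface: " $0
        next
    }
    END {
        p = policy["filter:INPUT"]
        if (p == "ACCEPT" && input_rules == 0)
            f[n++] = "filter INPUT: policy ACCEPT and no rules, the host is unfiltered"
        if (p == "DROP" && !has_established)
            f[n++] = "filter INPUT: policy DROP but no RELATED,ESTABLISHED accept, replies to our own connections are dropped"
        if (policy["filter:FORWARD"] == "ACCEPT" && rules["nat"] > 0)
            f[n++] = "filter FORWARD: policy ACCEPT with NAT rules; if net.ipv4.ip_forward=1 this host routes and NATs for anyone"
        if (n == 0) print "OK: no findings"
        for (i = 0; i < n; i++) print "FINDING: " f[i]
    }'
}

# Constructed from the Gentoo iptables-save output shown earlier on this page.
webserver_dump() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "Rule HTTP_tcp: "
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "KMF: "
COMMIT
EOF
}

# Constructed to match a fresh Ubuntu install: iptables present, no rules.
fresh_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# "live" audits the running ruleset (needs root); anything else runs the samples.
case "${1:-}" in
    live) iptables-save | audit_ruleset ;;
    *)    echo "== web server sample =="; webserver_dump | audit_ruleset
          echo "== fresh install sample =="; fresh_dump | audit_ruleset ;;
esac
```

On the Gentoo dump it reports the unlimited port-80 LOG rule, the interface-less MASQUERADE and the ACCEPT policy on FORWARD; on the fresh Ubuntu ruleset it reports only that the host is unfiltered. Run sudo sh audit.sh live against your own machine after saving a GUI-generated ruleset.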
| NOTE: GNOME users need firestarter, KDE users need Guarddog. |
GNOME:
In Ubuntu you have to enable the "universe" repository in /etc/apt/sources.list or in Synaptic under Settings->Repositories. Having enabled the repository, the procedure is the same as on Debian:
kickar@ubuntutestbox ~ $ sudo apt-get install firestarter
...........
kickar@ubuntutestbox ~ $
And you are all set with Firestarter. Now configuring rules is easy.
KDE:
KDE users can use Guarddog. Installing it is just as easy:
kickar@ubuntutestbox ~ $sudo aptitude install guarddog
Password:
................
kickar@ubuntutestbox ~ $
Now run Guarddog. It has to run as root to load rules into the kernel, so start it through a graphical sudo front end (kdesudo on KDE, gksudo on GNOME). You can start it from the menu too, but from a terminal you also see its error messages:
kickar@ubuntutestbox ~ $ kdesudo guarddog
.................................
| NOTE: sudo does not always ask for a password: once you have typed it, sudo remembers it for a while by default (the timestamp_timeout setting in /etc/sudoers; 15 minutes on Ubuntu). |
And you are all set and ready for new adventures configuring iptables rules. The Gentoo section above shows what a finished set of rules looks like when read back with iptables-save.