My research has turned up various ways of loading iptables at boot. I'm not saying this is the best way, but it works very nicely for me. Note that iptables doesn't currently work on the AMD 64-bit K8 architecture.
I create an iptables ruleset and save it under /root as myfilters. Mine is listed below:
#!/bin/sh
# Start from an empty INPUT chain, so that re-running this script
# does not append a second copy of every rule
iptables -F INPUT
# Required for DNS service
iptables -A INPUT -p udp --sport 53 --dport 53 -j ACCEPT
# Network Time Protocol
iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
# Allow anything on the Loopback address
iptables -A INPUT -i lo -j ACCEPT
# Allow incoming ICMP (such as Ping)
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP (restricted to one source range)
iptables -A INPUT -s 82.133.6.112/29 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# SSH
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Telnet (restricted to one source range)
iptables -A INPUT -s 82.133.6.112/29 -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
# SMTP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# DNS (tcp & udp)
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
# HTTP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# POP3
#iptables -A INPUT -s 82.133.6.112/29 -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
# NNTP
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 119 -j ACCEPT
# Network Time Protocol (tcp & udp)
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
# HTTPS
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# SMTPS
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
# NNTPS
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 563 -j ACCEPT
# Mail Submission
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 587 -j ACCEPT
# Additional SMTP port
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 2525 -j ACCEPT
# Additional NNTPS port
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5563 -j ACCEPT
# Privoxy default port
#iptables -A INPUT -s 82.133.6.112/29 -m state --state NEW -m tcp -p tcp --dport 8118 -j ACCEPT
# Tor default port (restricted to one source range)
iptables -A INPUT -s 82.133.6.112/29 -m state --state NEW -m tcp -p tcp --dport 9050 -j ACCEPT
# Mixminion
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 48099 -j ACCEPT
# Enable the following to log everything that reaches this point to the console
#iptables -A INPUT -j LOG --log-level 3
# Reject anything else (must stay the last rule in the chain)
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
I try to keep the same file across all my machines and just comment out the parts I don't need on a particular box.
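Because the same file is reused across machines with lines commented out per box, it is easy to lose track of which ports end up reachable from anywhere and which are limited by a -s source range. The following Python script is an added example, not the author's code: it parses a ruleset written in the format above (one "iptables -A INPUT ..." per line, comments and commented-out rules skipped) and reports world-open versus source-restricted ports, rules that sit after the first unconditional REJECT/DROP and can never match, duplicated rules (what you get if the script is run twice without flushing first), and whether the ESTABLISHED,RELATED accept and the final catch-all are present. The embedded ruleset is a constructed, shortened sample using documentation addresses, not the author's own.

```python
"""Audit an iptables INPUT ruleset written as a shell script of iptables calls.

Added example, not part of the original post. Parses lines of the form
"iptables -A INPUT ..." and summarises exposure and ordering problems.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the post's format; 192.0.2.0/29 is a documentation
# range and the POP3 line is commented out the way the post describes.
SAMPLE_RULESET = """\
#!/bin/sh
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP, limited to one /29
iptables -A INPUT -s 192.0.2.0/29 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# SSH, open to the world
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# POP3, disabled on this box
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 587 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Flags whose value is recorded on the Rule; any other flag is skipped along
# with its value (iptables option values never begin with '-').
KEPT = {"-p": "proto", "--dport": "dport", "-s": "source", "-i": "in_iface", "-j": "target"}


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    dport: Optional[str] = None
    source: Optional[str] = None
    in_iface: Optional[str] = None
    states: Set[str] = field(default_factory=set)

    def key(self) -> Tuple:
        """Identity used to detect the same rule appended twice."""
        return (self.chain, self.target, self.proto, self.dport, self.source,
                self.in_iface, tuple(sorted(self.states)))

    def is_catchall(self) -> bool:
        """Unconditional REJECT/DROP: nothing appended after it can ever match."""
        return (self.target in ("REJECT", "DROP") and not self.dport
                and not self.source and not self.in_iface and not self.states)


def parse_rule(line: str) -> Optional[Rule]:
    """Turn one 'iptables -A CHAIN ...' line into a Rule; None for anything else."""
    toks = shlex.split(line, comments=True)   # drops '#...' and commented-out rules
    if len(toks) < 3 or toks[0] != "iptables" or toks[1] != "-A":
        return None
    rule = Rule(chain=toks[2])
    i = 3
    while i < len(toks):
        flag = toks[i]
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        value = toks[i + 1] if has_value else None
        if flag in KEPT:
            setattr(rule, KEPT[flag], value)
        elif flag == "--state" and value:
            rule.states = set(value.split(","))
        i += 2 if has_value else 1
    return rule


def audit(script: str) -> Dict[str, object]:
    """Summarise which ports the INPUT chain accepts and flag ordering problems."""
    rules: List[Rule] = [r for r in map(parse_rule, script.splitlines())
                         if r and r.chain == "INPUT"]
    first_catchall = next((i for i, r in enumerate(rules) if r.is_catchall()), None)
    world_open, restricted, seen, duplicates = [], [], set(), 0
    for idx, r in enumerate(rules):
        if r.key() in seen:
            duplicates += 1           # same rule appended again (script run twice, no -F)
        seen.add(r.key())
        reachable = first_catchall is None or idx < first_catchall
        if r.target == "ACCEPT" and r.dport and reachable:
            if r.source:
                restricted.append((r.proto, r.dport, r.source))
            else:
                world_open.append((r.proto, r.dport))
    return {
        "world_open": world_open,
        "restricted": restricted,
        "unreachable": 0 if first_catchall is None else len(rules) - first_catchall - 1,
        "duplicates": duplicates,
        "has_established": any("ESTABLISHED" in r.states and r.target == "ACCEPT" for r in rules),
        "has_catchall": first_catchall is not None,
    }


if __name__ == "__main__":
    print("single run:", audit(SAMPLE_RULESET))
    # Concatenating the script with itself models running it twice without -F.
    print("run twice: ", audit(SAMPLE_RULESET * 2))
```

Run it against your own /root/myfilters by reading the file into `audit()`; the "run twice" case shows why flushing before re-applying matters: every rule is reported as a duplicate and the second copy of the chain sits unreachably behind the first REJECT.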
Make the file executable (chmod +x /root/myfilters) and, as root, execute it with:
/root/myfilters
Then check the ruleset with:
iptables -L -n
If all looks good, the ruleset can be saved using:
iptables-save > /etc/iptables
The filename is just a matter of choice; it could go anywhere.
Lastly, a section is required in the /etc/network/interfaces file, inside the iface stanza of the interface concerned, to load this config when that interface is brought up. This section should be:
# The following was added by Steve Crook to read in an iptables
# configuration. The /etc/iptables file is created using iptables-save
# which in turn is created from /root/myfilters
pre-up iptables-restore < /etc/iptables
It is worth noting that the command iptables -F flushes every rule in the filter table (the chain policies are left as they are). When testing, this is much easier than removing rules one at a time with -D. Because this ruleset relies on a trailing REJECT rather than a DROP policy, flushing it leaves the box open rather than locking you out of an SSH session, so re-apply the rules promptly afterwards.