IPTables Firewall Script and Configuration Files for Linux 2.4.x-2.6.x

Bob Sully (rcs at malibyte dot net)
Latest revisions: 1 August 2010

The following is an example IPTables firewall script and its associated configuration files.

These are my translation, with additions and modifications, of Craig Zeller's (zeller at zdi dot net) excellent IPChains firewall scripts and configuration files (you can find his latest and greatest versions of these on his web site).

These files are a continuing work-in-progress. E-mail me with any suggestions or bug reports.

Notes: The script contains a port-forwarding routine (thanks to Rohan Amin and Erik Wasser), and an improved code block submitted by Chris Fincham allowing access to PPTP servers as a client. Thanks to Jeff Carlson, we have a working DHCP client routine which should work with any commonly-used DHCP client application.
The script now blocks connections from any IP address in IANA's current list of "reserved" blocks.

It now works with private external IP addresses with auto-configuration, while still preventing spoofing.
It also allows client lists for several servers, and allows multiple external servers for POP3, POP3S, IMAP, IMAPS, SMTP and secure SMTP, TLS etc., clients. It now works with Google Mail's TLS server.
It now allows you to run 'net-enabled game boxes (e.g. XBox) in your internal network.

Note to those using dialup services and PPPoE: The configuration file supports PPP over Ethernet - thanks to Sean Mannion for a quick addition to the main configuration file.

One further note: As is, this script is not configured to run on a machine with more than one IP address on the external interface (aliasing). There is a way to make this work which involves placing the entire rule-generating portion of the script inside a loop which reads in the list of aliased IP addresses from a text file. E-mail me for more information.

Some of these have been "genericized", so you'll need to customize them for your own network.

Installation Instructions:

These are somewhat RedHat/Fedora/Mandrake-specific but will work with any distro, with minor modifications to suit the quirks of the one you're running.

Notes for those running Debian or its derivatives (Ubuntu, etc.):

(1) Delete the following lines in firewall.iptables-generic:

# Source function library.
. /etc/rc.d/init.d/functions

(2) As root, mkdir /var/lock/subsys

(3) The command-line switches and output of the utility "ipcalc" differ significantly between the Debian and Fedora/RedHat/Mandrake versions. If you are using DHCP to obtain the IP address of your external interface, you will need to make a few changes:

Replace (in the DHCP section of firewall.iptables-generic):

EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | cut -d\= -f2 )
BROADCAST_NET=$( ipcalc -b $EXTERNAL_IP $EXT_NETMASK | cut -d\= -f2 )


EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | grep Network | sed 's/\/[0-9].*//g' | awk '{print $2}' )
BROADCAST_NET=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $2}' )

Thanks to Guzmán Brasó for posting this (and saving me the trouble of figuring it out!)

For everyone:

Put firewall.conf.iptables, firewall.dns, firewall.banned, firewall.iana-reserved, and firewall.local.iptables (remove the "-generic" from the file names) in a directory called /etc/firewall. If you're running a distro other than Red Hat/Fedora/Mandrake, you may need to install the functions file as /etc/init.d/functions. Debian users, see the notes above.

Remember that your kernel needs to have iptables enabled, either via modules or hard-compiled in. If you use modules, make sure they're loaded. Most of the time they're pulled in automatically, but should you get odd error messages on startup, you might be missing one.

Modify /etc/firewall/firewall.conf.iptables to suit your network and services. For several servers, you can specify a list of client IP addresses or ranges; to allow all clients, use "any/0"; do the same for client services which may utilize one or more external servers.

If you're running a full DNS, change the entries in firewall.dns (may have as many as you want, one IP per line) to the IPs for your "trusted" DNS's for zone transfers. Use the same format in firewall.banned for any IP's/networks you'd like to completely block access to/from. In firewall.local.iptables, you can specify any rules peculiar to your network which you don't want to put in the main firewall script; use the same iptables syntax as in the main script. There is no practical limit to the number of entries in these files, but remember that each entry generates a rule; you can wind up with some huge rule sets!

If you require port-forwarding, make sure that you create the file /etc/firewall/firewall.nat in the format specified in this file, specifically:

Protocol     Port on firewall's external interface     IP address of internal server     Port on internal server

Be sure also to eliminate any trailing newlines in all of these files; if you don't, you'll get some spurious errors on execution of the firewall script.

As root: put firewall.iptables in /etc/init.d, then run chown root.root and chmod 700 on the file.

Then, if you're running Fedora or Mandriva, run chkconfig to enable it (/sbin/chkconfig --level 345 firewall.iptables on) - you must be in the directory /etc/init.d to do this.


/etc/init.d/firewall.iptables start

and you should be up and running. I suggest leaving the VERBOSE parameter enabled in firewall.conf.iptables; this will give you a listing of what's going on during firewall startup.

Anyone wishing a copy of the handout from my IPTables lecture at the Simi-Conejo Linux Users' Group meeting on 11 August 2001, you can get it here. The associated slide show can be seen here.

Questions? E-mail me at: rcs at malibyte dot net.

Return to malibyte.net home page:   Framed or non-framed versions.

This page accessed Free Web Counter times since 1 May 2002.

Free Hit Counter