Created: February 28th 2023
Last updated: February 28th 2023
Categories: Linux
Author: LEXO

Linux IPTables :: Create a basic secure iptables ruleset for your server which is automatically applied upon system boot (systemd)

Tags: firewall, iptables, Linux, script, Security

This small howto explains how to create a simple IPTables base script which will be executed during system bootup.

1. Create an iptables shell script

nano /opt/iptables-base.sh

The content of the file is the list of iptables rules you want applied on your system. We give some of the most common examples here. Please consider changing the name of the interface (the IFACE variable at the top of the script) to match your system.

#!/bin/sh
# Name of the network interface the rules apply to; change it to match your system
IFACE=eth0

## First flush all rules in the filter table (prepare a clean IPTables rule book)
iptables -F

## Allow replies and follow-up packets of connections this system already has
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Allow PING (ICMP echo request, type 8) from everywhere
iptables -I INPUT -i ${IFACE} -p icmp --icmp-type 8 -j ACCEPT

## Allow UDP port 53 (DNS) globally on this system
iptables -I INPUT -i ${IFACE} -p udp --dport 53 -j ACCEPT

## Allow SSH (port 22), SMTP (port 25), Web SSL (port 443) only from specific IP networks
iptables -A INPUT -i ${IFACE} -p tcp -m multiport -s 178.31.101.0/21,181.93.82.122/27 --dports 22,25,443 -j ACCEPT

## Globally enable access to TCP ports 2222 and 4444 for some reason
iptables -I INPUT -i ${IFACE} -p tcp -m multiport --dports 2222,4444 -j ACCEPT

## Drop everything else arriving on ${IFACE}. This final rule acts as the default:
## any incoming packet not matched by an ACCEPT rule above is dropped
## (the chain policy itself stays ACCEPT, which is what "iptables -L -n" will show)
iptables -A INPUT -i ${IFACE} -j DROP

Now save and close the file

(CTRL + X and enter 'y' to confirm saving)

Set execution permission on that file:

chmod +x /opt/iptables-base.sh

2. Create a systemd unit file which will execute the above script at boot time

nano /etc/systemd/system/iptables-base.service

[Unit]
Description=IPTables base configuration to be set on boot time
After=network.target

[Service]
# oneshot: the script runs to completion; RemainAfterExit keeps the unit "active" afterwards
Type=oneshot
RemainAfterExit=yes
Restart=no
ExecStart=/opt/iptables-base.sh

[Install]
WantedBy=multi-user.target

3. Enable the service

systemctl enable iptables-base.service

4. Reload the systemd daemon

systemctl daemon-reload

5. Test if it works

Execute the iptables-base.sh file like this:

/opt/iptables-base.sh

Attention! If you are accessing your system remotely via SSH, there is a risk that you may lock yourself out. Before executing the script, please ensure that you have an alternate means of accessing the system (for example a console) in case something goes wrong and you are unable to use SSH.
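The following is an added example and is not part of the original howto or of LEXO's script. It builds the same kind of ruleset as /opt/iptables-base.sh, but in iptables-restore format so that all rules are loaded in one atomic operation instead of one iptables call at a time, runs a few offline sanity checks on the resulting file, and applies it with a rollback timer that reinstates the previous rules unless you confirm from a session that still works; this automates the lockout precaution of step 5. The interface, networks and ports are the sample values from this page; the state directory /run/iptables-rollback and all function names are my own assumptions.

```shell
#!/bin/sh
# Added example: render, check and safely apply an iptables ruleset.
# Sample interface, networks and ports below are constructed values; adjust them.
set -eu

# render_ruleset IFACE "NET1 NET2 ..." "TCP_PORTS" "UDP_PORTS"
# Prints a complete filter table for iptables-restore. iptables-restore replaces
# the whole table at once, so there is no moment where only half the rules are active.
render_ruleset() {
    iface=$1; admin_nets=$2; admin_tcp=$3; public_udp=$4
    printf '%s\n' '*filter'
    # Real chain policies instead of a trailing DROP rule: the policy also covers
    # packets arriving on interfaces other than $iface. FORWARD is dropped because
    # a plain server does not route traffic.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $iface -p icmp --icmp-type 8 -j ACCEPT"
    if [ -n "$public_udp" ]; then
        printf '%s\n' "-A INPUT -i $iface -p udp -m multiport --dports $public_udp -j ACCEPT"
    fi
    # One rule per admin network, which is also how "iptables -L -n" displays them
    for net in $admin_nets; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -s $net -m multiport --dports $admin_tcp -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ruleset FILE
# Offline checks worth running before loading a ruleset: the table is complete,
# the INPUT policy is DROP, loopback and established traffic are allowed, and no
# rule opens the SSH port without a source restriction. Returns 0 when all pass.
check_ruleset() {
    f=$1
    grep -qx '\*filter' "$f"          || { echo "missing *filter header"; return 1; }
    grep -qx 'COMMIT' "$f"            || { echo "missing COMMIT"; return 1; }
    grep -q '^:INPUT DROP' "$f"       || { echo "INPUT policy is not DROP"; return 1; }
    grep -q -- '-i lo -j ACCEPT' "$f" || { echo "loopback not allowed"; return 1; }
    grep -q -- '--ctstate RELATED,ESTABLISHED -j ACCEPT' "$f" || { echo "no established rule"; return 1; }
    # Any --dports list containing port 22 must be on a rule that carries "-s"
    if grep -- '--dports' "$f" | grep -E -- '--dports (22|[0-9,]*,22)(,|$| )' | grep -qv -- ' -s '; then
        echo "SSH port opened without a source restriction"; return 1
    fi
    return 0
}

# apply_with_rollback FILE SECONDS
# Saves the live rules, loads FILE atomically and starts a background timer that
# puts the saved rules back after SECONDS unless confirm_rules has been run from
# a session that still works. Requires root and a kernel with iptables.
STATE_DIR=${STATE_DIR:-/run/iptables-rollback}   # assumed location, not from the howto
apply_with_rollback() {
    rules=$1; seconds=$2
    mkdir -p "$STATE_DIR"
    iptables-save > "$STATE_DIR/before.v4"
    iptables-restore < "$rules"
    touch "$STATE_DIR/pending"
    (
        sleep "$seconds"
        if [ -e "$STATE_DIR/pending" ]; then
            iptables-restore < "$STATE_DIR/before.v4"
            rm -f "$STATE_DIR/pending"
        fi
    ) &
    echo "rules applied; run '$0 confirm' within $seconds s or they will be reverted"
}

confirm_rules() {
    rm -f "$STATE_DIR/pending" && echo "ruleset kept"
}

# Usage as a script (constructed defaults mirror the howto's sample values):
#   ./iptables-safe.sh render > /tmp/rules.v4 && ./iptables-safe.sh check /tmp/rules.v4
#   ./iptables-safe.sh apply /tmp/rules.v4 60     # reverted after 60 s unless confirmed
#   ./iptables-safe.sh confirm                    # run from a new SSH session
case "${1:-}" in
    render)  render_ruleset "${IFACE:-eth0}" "${ADMIN_NETS:-178.31.101.0/21 181.93.82.122/27}" \
                            "${ADMIN_TCP:-22,25,443}" "${PUBLIC_UDP:-53}" ;;
    check)   check_ruleset "$2" ;;
    apply)   apply_with_rollback "$2" "${3:-60}" ;;
    confirm) confirm_rules ;;
    *)       ;;
esac
```

The rendered file can additionally be syntax-checked without touching the live firewall using iptables-restore --test, and the same file works as the ExecStart target of a oneshot unit (ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4), which is the usual way distributions persist rules.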

Check that the rules are now active in the kernel with this command:

iptables -L -n

This should return output like this:

Chain INPUT (policy ACCEPT)
target   prot   opt source            destination
ACCEPT   tcp   --   0.0.0.0/0         0.0.0.0/0    multiport dports 2222,4444
ACCEPT   udp   --   0.0.0.0/0         0.0.0.0/0    udp dpt:53
ACCEPT   icmp  --   0.0.0.0/0         0.0.0.0/0    icmptype 8
ACCEPT   all   --   0.0.0.0/0         0.0.0.0/0    state RELATED,ESTABLISHED
ACCEPT   tcp   --   178.31.101.0/21   0.0.0.0/0    multiport dports 22,25,443
ACCEPT   tcp   --   181.93.82.122/27  0.0.0.0/0    multiport dports 22,25,443
DROP     all   --   0.0.0.0/0         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination