
HOWTO: Set-up a restrictive firewall using iptables (RTFM-friendly)


#1 NickAu


    Bleepin' Fish Doctor

  • Moderator
  • 13,845 posts
  • Gender:Male
  • Location: Australia
  • Local time:12:15 AM

Posted 01 April 2014 - 07:45 PM

Thanks to Xentime @ Ubuntu forums for this.



I am setting up (trying) this.

When I test or try to modify anything on Linux that I am not familiar with, I always use a virtual machine first. Then, if I am happy with the result, I do it on my actual machine.


This HOWTO is a starting point for those who want a restrictive firewall for incoming, forwarded, and outgoing traffic.

Here is an iptables configuration script (shell script) that I use as a starting point for all my machines. It drops all incoming and forwarded connections, while allowing outgoing connections on the FTP (21), SSH (22), HTTP (80), HTTPS (443), and DNS (53) ports. This allows you to perform software updates, browse the web, and establish remote connections to SSH servers running on their default port, while restricting all other traffic.

1. Open the Text Editor application (gedit) and paste the following into a new document:

#!/bin/sh

# Flush iptables
iptables -F

# Set iptables rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT # FTP port
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # SSH port (listed in the description above but missing from the original script)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT # HTTP port
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT # HTTPS port
iptables -A OUTPUT -p tcp --dport 1024 -j ACCEPT # SOCKS port (note: the standard SOCKS port is 1080, not 1024)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS port

# Set iptables default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Save rule-set to file
sh -c "iptables-save > /etc/iptables.rules"
sh -c "iptables-save > /etc/iptables.downrules"

# Add the following to "/etc/network/interfaces":
# pre-up iptables-restore < /etc/iptables.rules
# post-down iptables-restore < /etc/iptables.downrules

exit 0

2. Save the file into your Home folder and name it "iptables.sh" (without the quotes).

3. Open up the Terminal application. (Ctrl+Alt+T)

4. Set the file permissions for "iptables.sh" to execute:
chmod +x iptables.sh
5. Run the shell script as root:
sudo ./iptables.sh
6. Open up the network interfaces configuration file for editing as root:
sudo nano /etc/network/interfaces
7. Add the following to the configuration file so the rules load on start-up:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules
8. Save the file and exit the text editor. (Ctrl+O <Enter> then Ctrl+X)

9. Restart/Reboot your computer.

10. Open up the Terminal application. (Ctrl+Alt+T)

11. Check iptables to ensure the rules have been applied:
sudo iptables -vL
Steps 6 and 7 are noted in shorthand within the shell script to aid with configuration when moving from one machine to another.

Allow/Drop Outgoing Connections
There are times you may want to use an application that will create outgoing connections not allowed by the rules in place for a limited time, but do not want to poke holes in your firewall indefinitely (e.g. computer games). This is best achieved by simply allowing all outgoing connections and then restricting them again when you are done. This is achieved by doing the following.

1. Open up the Terminal application. (Ctrl+Alt+T)

2-A. Allow all outgoing connections:
sudo iptables -P OUTPUT ACCEPT

2-B. Drop all outgoing connections (minus those that have ACCEPT rules):
sudo iptables -P OUTPUT DROP

3. Check iptables to ensure the rules have been applied:
sudo iptables -vL

Edited by NickAu1, 01 April 2014 - 08:29 PM.
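Step 11 of the HOWTO says to check that the rules were applied, and the Allow/Drop section toggles the OUTPUT policy by hand; the script below is an added example (not from the original post or from Xentime's script) that audits an iptables-save dump against the restrictive policy described above: all three default policies must be DROP, and only the listed outgoing services (FTP 21, SSH 22, HTTP 80, HTTPS 443, DNS 53) may have ACCEPT rules. SAMPLE_RULES is a constructed iptables-save dump, not captured from a real machine; the function names (chain_policy, allowed_out, audit) are this example's own. Run it against a live box with audit "$(sudo iptables-save)".

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the restrictive policy in the HOWTO.
# SAMPLE_RULES is a constructed dump in iptables-save format (not from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# chain_policy DUMP CHAIN -> prints the default policy of CHAIN (from the ":CHAIN POLICY" header line)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# allowed_out DUMP -> prints "proto/port" for every OUTPUT ACCEPT rule that matches a destination port
allowed_out() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "OUTPUT" && /-j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }'
}

# audit DUMP -> returns 0 when INPUT, FORWARD and OUTPUT all default to DROP and
# nothing beyond the expected outgoing services is allowed; prints each finding.
audit() {
    dump=$1
    rc=0
    for chain in INPUT FORWARD OUTPUT; do
        pol=$(chain_policy "$dump" "$chain")
        if [ "$pol" != "DROP" ]; then
            echo "FAIL: $chain policy is '${pol:-missing}', expected DROP"
            rc=1
        fi
    done
    for entry in $(allowed_out "$dump"); do
        case "$entry" in
            tcp/21|tcp/22|tcp/80|tcp/443|udp/53) ;;   # services the HOWTO intends to allow
            *) echo "WARN: unexpected outgoing allow $entry"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: restrictive policy in place"
    return "$rc"
}

# Against a live system: audit "$(sudo iptables-save)"
audit "$SAMPLE_RULES"
```

After running step 2-A (sudo iptables -P OUTPUT ACCEPT) the audit reports "FAIL: OUTPUT policy is 'ACCEPT'", which is a quick way to confirm you really did run 2-B before walking away from the machine; an extra ACCEPT rule for a port not in the list (the 1024 rule in the script, for instance) shows up as a WARN line.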



#2 TsVk!


    penguin farmer

  • Members
  • 6,239 posts
  • Gender:Male
  • Location:The Antipodes
  • Local time:11:15 PM

Posted 02 April 2014 - 05:35 AM

let us know how it worked for you.


the truth is in the details.

#3 NickAu


    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 13,845 posts
  • Gender:Male
  • Location: Australia
  • Local time:12:15 AM

Posted 04 April 2014 - 12:51 AM

So far so good, I think. No problems with my surfing habits. I am running Ubuntu on a spare laptop, and if it's no good I can always format. Yes, I know what a virtual machine is.

#4 cat1092


    Bleeping Cat

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:15 AM

Posted 04 April 2014 - 11:24 PM


Yes I know what a Virtual machine is

So do I; at one time I had more virtual than physical machines, especially when I was a TechNet member. At one time it was close to 20, counting a few Linux ones.


But I burned out on that crap. Today I use only a couple of VMs, and when a new version of Ubuntu/Mint is released, it's tried out on VirtualBox first to get a feel for everything.


As to NoScript, this extension has been out there for years. Many in the Linux community know of it because most Linux-based OSes use Firefox as the default browser. It's recommended for security. Back when Firefox was on a roll, many users knew of these things, but when Google Chrome was released, quickly jumping to the #2 most used browser, many jumped on that wagon & never took a second look at Mozilla's efforts with Firefox.


Firefox with NoScript, AdBlock Plus & Better Privacy is a really secure browser, if kept updated. Better Privacy purges the system of those hard-to-delete LSO cookies, increasing security further. It is my default browser on both Linux & Windows, and has worked well for me since I began using the 3.5RC version back in early summer 2009. This was back when I was running XP Pro as well as W2K Pro, & IE8 crippled my XP OS. So I was looking at other options & Firefox was the most recommended 3rd-party browser, & I have never looked back to IE since for daily use.


Google Chrome & Opera have their own variations of a NoScript-type addon, but it's not the same.



Performing full disk images weekly and keeping important data off of the 'C' drive as it is generated can be the best defence against malware/ransomware attacks, as well as a wide range of other issues.

#5 technonymous


  • Members
  • 2,520 posts
  • Gender:Male
  • Local time:05:15 AM

Posted 26 April 2014 - 11:17 PM

You do know that FTP is not secure and passwords are sent in plain text over the internet, right? Unless it's FTP/SSL. Since SSH and SFTP are already part of the system and both use default port 22, then why open FTP 21?

Edited by technonymous, 26 April 2014 - 11:32 PM.
