Iptables

iptables is a program used to configure and manage the kernel's netfilter modules.

Prerequisites
First off, you will need to configure your kernel with netfilter support. If you want to be able to add rules based on IP filtering, like blacklisting IP addresses based on a live feed, do not forget to add IPSet support to your kernel and merge the package.

Client
For client computers, some basic options need to be activated in the kernel. This configuration does not provide network address translation or any other highly sophisticated features. In "Network packet filtering framework", only the "filter" table is needed, together with connection tracking support and REJECT target support.

Router
Activate the following kernel options:

One can set the IPv6 support category to  to be safe and enable almost all Netfilter sub categories as follows. Or else, enable only what you need and leave the other modules unset. You will certainly want almost all IP virtual server support core components (schedulers are certainly optional), IP: Netfilter Configuration support, IPv6: Netfilter Configuration for IPv6 support, and IP set support for IP filtering based on IP, MAC and ports, and then pick what you need in Core Netfilter Configuration with at least: Netfilter: NFQUEUE, LOG; Connection tracking: flow, mark, events, netlink; Netfilter Xtables: NFQUEUE, LOG, conn{bytes,mark,state}, state helper with Xtables match: conn{bytes,mark,state}... you get the idea.

Emerge
Install Iptables with the emerge command:

First Run
For some services such as sshguard and fail2ban, you need a running firewall. We will save a blank firewall rule set and start the firewall.

IPv4
To start on reboot:

IPv6
To start on reboot:

General Rules
To create firewall rules, we are going to use  or  for IPv6 support, to write down a few rules that will be loaded using . (The rules file is usually saved to  so that whenever the machine is powered on, the rule set will be loaded automatically with .)

Let's begin with a little example:

If you're looking for the perfect firewall, the previous command sets the default policy for the INPUT chain and will satisfy the more paranoid. However, it also drops every packet sent to the local host, and usually nobody wants that as a default policy.

That example shows how we will be generating firewall rules.

Stateless firewall
A traditional firewall uses stateless firewall rules like:

That simply opens a local port to accept HTTP requests (the --dport switch specifies the destination port, and HTTP servers listen on port 80).

Stateful firewall
In a stateful firewall approach, the previous example will be handled like:

First, we drop everything like a hot potato, then accept only incoming traffic depending on the connection state of the packets (NEW here), and then accept the packets of connections that are already established or related. Even better, we could place the last line before the second, so that packets of already established and related connections do not have to go through the complicated filtering chain.

This is how a stateful firewall operates: it avoids opening unneeded holes and accepts inbound and outbound packets based on their connection state.
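As an added example (not part of the original article), the following Python script audits an iptables-save dump for the stateful properties described above: an INPUT policy of DROP, the ESTABLISHED,RELATED conntrack rule placed first, and no ACCEPT rule without a connection-state match (loopback excepted). The dump is a constructed sample, not output from any real host.

```python
"""Audit the filter table of an iptables-save dump for stateful-firewall properties."""

# Constructed sample in iptables-save format (not captured from a real system):
# a stateless HTTP rule sits first, and the conntrack rule only comes third.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Return (chain policies, append rules) found in the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line)
    return policies, rules


def audit_input_chain(dump):
    """Return a list of findings; an empty list means the INPUT chain is stateful."""
    policies, rules = parse_filter_table(dump)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append(f"INPUT policy is {policies.get('INPUT')}, expected DROP")
    input_rules = [r for r in rules if r.startswith("-A INPUT ")]
    for idx, rule in enumerate(input_rules):
        is_accept = rule.endswith("-j ACCEPT")
        has_state = "--ctstate" in rule or "--state" in rule   # -m conntrack / -m state
        if "ESTABLISHED,RELATED" in rule and idx != 0:
            findings.append(f"conntrack ESTABLISHED,RELATED rule at position {idx + 1}, move it first")
        if is_accept and not has_state and " -i lo " not in rule:
            findings.append(f"stateless ACCEPT: {rule}")
    return findings


if __name__ == "__main__":
    for finding in audit_input_chain(SAMPLE_RULES):
        print(finding)
```

Feed it real output with `iptables-save | python3 audit.py` after replacing SAMPLE_RULES with `sys.stdin.read()`; the ICMP error-message accepts of the client script above will be reported as stateless, which is expected and can be allow-listed.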

Generating firewall rules for client
A script as simple as the one shown here should be sufficient for most client computers. Store it in a safe place. You only need it for setting up or for changing the firewall rules; there is absolutely no need to run it on boot or shutdown.


#!/bin/bash

# Flush all rules, delete user-defined chains and zero the counters.
iptables -F
iptables -X
iptables -Z

# Default policies: drop incoming and forwarded traffic, allow outgoing.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Accept replies to connections we initiated and loopback traffic, allow the
# ICMP error messages networking needs (destination unreachable, time exceeded,
# parameter problem), and reject ident (113) probes with a TCP reset rather
# than letting the remote side wait on a silently dropped packet.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset

# The same for IPv6.
ip6tables -F
ip6tables -X
ip6tables -Z

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Accept established/related and loopback traffic, drop packets conntrack
# cannot classify, allow link-local ICMPv6 (neighbour discovery, router
# advertisements), and reject new UDP and TCP connection attempts cleanly.
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

An example of a more sophisticated rule set with logging is shown in the forum discussion.

Generating firewall rules for server
This section will try to build up a script that generates a set of rules for internal and external interfaces.

IPv4
Print all rules like iptables-save:

Like every other iptables command, it applies  to the specified table (filter is the default), so the NAT rules get listed by:

IPv6
Print all rules like ip6tables-save:

Like every other ip6tables command, it applies  to the specified table (filter is the default), so the NAT rules get listed by:

External resources

 * Iptables and stateful firewall source article
 * Iptables and stateful firewall
 * firewall-mv