Iptables

This article is based on the old wiki iptables and stateful firewall (see the end of the article) and aims to get you started with and stateful firewall wishing that it will make you jump to write, maybe your first, stateful firewall rules and why not a complicated set of rules.

Prerequisites
First off, you will need to configure your kernel with netfilter support. If you want to be able to add rules based on IP filtering like black listing IP addresses based on a live feed, do not forget to add IPSet support to your kernel and merge package.

Kernel
You need to activate the following kernel options:

One can setup IPv6 support category to  to be safe and enable almost all Netfilter sub category as the following. Or else, enable only what you need and leave the other modules unset. You certainly would want almost all IP virtual server support core components (scheduler are certainly optional), IP: Netfilter Configuration support, IPv6: Netfilter Configuration for IPv6 support, IP set support for IP filtering based on IP, MAC, ports and then pick up what you need in Core Netfilter Configuration with at least: Netfilter: NFQEUE, LOG; Connection tracking: flow, mark, events, netlink; Netfilter Xtables: NFQEUE, LOG, conn{bytes,mark,state}, state helper with Xtables match: conn{bytes,mark,state}... you get the idea.

Iptables
Install :

Firewall
To create firewall rules, we are going to use  or. For IPv6 support to write down a few rules that will be loaded using. (rules file are usally saved to  so that whenever your machine is powered on, the rules set will be loaded automatically with.

Lets begin with a little example:

If you're looking into the perfect firewall, the previous command will set up the policy for INPUT chain and will satisfy the more paranoids. However, the previous will drop every packet that will be sent to the local host. And that, usually, nobody want it to be a default policy.

That example shows how we will be generating firewall rules.

Stateless firewall
Traditional firewall uses stateless firewall rules like:

that just opens unconditional holes without any kind of filtering based on the states of the connection nor the interfaces nor the ports. That rules will just accept any web traffic on port 80 because standard web traffic originate from port 80 (`--sport' switch means source port). This what is avoided by using a stateful firewall approach that filter the in/outbound packets based on the state of the connection.

Stateful firewall
In a stateful firewall approach, the previous example will be handled like:

First, we will drop everything like a hot potato, then accept only incoming traffic depending on the state of the state of the packets (stated NEW here), and then establish the connection. Even better, we could place the last line before the second to avoid going into complicated filtering chain for already related and established connections.

This is how a stateful firewall operate to avoid opening unneeded holes and accept in/outbound packets based on the state of the packets.

Generating firewall rules
This section will try to build up a script that will generate a set of rules with internal and external interfaces.

External resources

 * iptables and stateful firewall source article
 * iptables and stateful firewall