Iptables

iptables is a program used to configure and manage the kernel's netfilter modules.

Prerequisites
First off, configure the kernel with netfilter support. To allow rules based on IP filtering, such as blacklisting IP addresses from a live feed, do not forget to add IPSet support to the kernel and merge the package.

Client
For client computers some basic options need to be activated in the kernel. This configuration does not provide network address translation or any other highly sophisticated features. In "Network packet filtering framework" only the "filter" table is needed, with connection tracking support and REJECT target support.

Router
Activate the following kernel options:

One can set up the IPv6 support category as modular () to be safe and enable almost all Netfilter sub-categories as well, or enable only what is needed and leave the other modules unset. A number of settings are almost always needed:

 * IP virtual server support core components (schedulers are certainly optional)
 * IP: Netfilter Configuration support
 * IPv6: Netfilter Configuration for IPv6 support
 * IP set support for IP filtering based on IP, MAC, ports
 * pick up what is needed in Core Netfilter Configuration, with at least:
   * Netfilter: NFQUEUE, LOG;
   * Connection tracking: flow, mark, events, netlink;
   * Netfilter Xtables: NFQUEUE, LOG, conn{bytes,mark,state}, state helper with Xtables match: conn{bytes,mark,state}...

Emerge
Install iptables:

First run
For some services, such as sshguard and fail2ban, a running firewall is mandatory. First save a blank firewall rule set and start the firewall.

IPv4
To start on boot:

IPv6
To start on boot:

General rules
To create firewall rules, the or  commands in the next set of examples will be defined through   or. When the rules are saved, they are usually stored in or. This allows the firewall service to reload the rules at boot time.

Let's begin with a little example:

This will implement a fairly strong firewall: it will drop every packet sent to the host (as this matches the INPUT chain).

The following examples show how firewall rules are further generated.

Stateless firewall
Traditional firewalls use stateless firewall rules like so:

That simply allows local port 80 to accept traffic ( configures the destination port), which usually implies an HTTP server, as those generally listen on port 80.

Stateful firewall
In a stateful firewall approach, the previous example would be handled like so:

By default, everything will be dropped like a hot potato. However, incoming traffic might be accepted based on the connection state of the packets (starting with NEW and further allowing all established/related traffic). Performance-wise, it would even be better to place the last line before the second to avoid going into complicated filtering chains for already related and established connections.

This is how a stateful firewall operates: it avoids opening unneeded holes and accepts inbound and outbound packets based on their connection state.

Generating firewall rules for client
A script as simple as shown below should be sufficient for most client computers. Store it in a safe place - it is only needed for setting up or for changing the firewall rules. As the firewall rules are saved and reloaded, there is no need to run the script after every boot.
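The stateful approach described above, turned into a client rule script in iptables-restore format. This is an added example, not the wiki's own script; it assumes that NEW inbound TCP connections are wanted only on ports 22 and 80, and that the Gentoo/OpenRC init scripts are used for saving the rules.

```shell
#!/bin/sh
# Added example (not the wiki's own script): builds the stateful client rule
# set described above in iptables-restore format. Assumptions: inbound NEW
# TCP is wanted only on ports 22 and 80; everything else is dropped by policy.
set -eu

OPEN_TCP_PORTS="22 80"   # assumed services: SSH and the page's HTTP example

# Shared part of both tables: DROP policy on INPUT/FORWARD, loopback allowed,
# broken conntrack entries dropped, and ESTABLISHED,RELATED accepted *before*
# any per-port rule (the ordering the page recommends for performance).
header_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Only NEW connections to the listed ports reach ACCEPT; a stateless
# "--dport 80 -j ACCEPT" would admit any packet to that port, tracked or not.
port_rules() {
    for port in $OPEN_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

build_rules_v4() { header_rules; port_rules; }

# IPv6 additionally needs link-local ICMPv6 (neighbour discovery, router
# advertisements); this is the rule cited in the page's external resources.
build_rules_v6() {
    header_rules
    printf '%s\n' '-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT'
    port_rules
}

# Number of -A INPUT rules in the IPv4 set (useful as a sanity check).
count_input_rules_v4() { build_rules_v4 | grep -c '^-A INPUT'; }

# Load atomically (needs root), then persist with the init script's save
# action so the service restores the set at boot, as the page describes.
apply_rules() {
    build_rules_v4 | iptables-restore
    build_rules_v6 | ip6tables-restore
    /etc/init.d/iptables save && /etc/init.d/ip6tables save
}

if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules_v4; build_rules_v6; fi
```

Run without arguments to review the generated rule set; run with `apply` as root to load and save it.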

An example of a more sophisticated rule set with logging is shown in this forum discussion.

Generating firewall rules for server
This section will try to build up a script that will generate a set of rules with internal and external interfaces.

IPv4
Print all rules (similar to ):

Like every other command, it applies to the specified table (of which   is the default), so NAT rules get listed by:

IPv6
Print all rules (similar to ):

Like every other command, it applies to the specified table (of which   is the default), so NAT rules get listed by:

External resources

 * Forums posting with ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
 * Iptables and stateful firewall source article
 * Iptables and stateful firewall
 * firewall-mv
 * IPv6