iptables
4 Sep 2016 (Updated 18 Aug 2020)
It looks like nftables will be the default one day, but for now iptables still rules the roost. (Many distributions already ship iptables as a front end to nftables, iptables-nft; the scripts below use only standard matches and work with either backend.)
Here's a script to clear all your iptables rules. Save it as a bash script and run it as root. Afterwards every chain's policy is ACCEPT, so the host is wide open; that is the point of the script, not a side effect.
#!/bin/bash
set -u
set -e
set -o pipefail

############## ipv4 ##################
IPTABLES=/sbin/iptables

# --flush, --delete-chain and --zero act on the filter table only unless
# --table is given, so walk every table explicitly.
for TABLE in filter nat mangle raw; do
    # Flush all rules in this table.
    $IPTABLES --table $TABLE --flush
    # Delete all user-defined chains in this table.
    $IPTABLES --table $TABLE --delete-chain
    # Zero out all counters.
    $IPTABLES --table $TABLE --zero
done

# Accept all traffic everywhere. Flushing does not reset chain policies,
# so set them explicitly.
$IPTABLES --policy INPUT ACCEPT
$IPTABLES --policy OUTPUT ACCEPT
$IPTABLES --policy FORWARD ACCEPT

############## ipv6 ##################
IP6TABLES=/sbin/ip6tables

# Same again for IPv6 (the IPv6 nat table needs a 3.7 or later kernel).
for TABLE in filter nat mangle raw; do
    # Flush all rules in this table.
    $IP6TABLES --table $TABLE --flush
    # Delete all user-defined chains in this table.
    $IP6TABLES --table $TABLE --delete-chain
    # Zero out all counters.
    $IP6TABLES --table $TABLE --zero
done

# Accept all traffic everywhere.
$IP6TABLES --policy INPUT ACCEPT
$IP6TABLES --policy OUTPUT ACCEPT
$IP6TABLES --policy FORWARD ACCEPT
Here's a script that allows outgoing connections only and drops all unsolicited incoming traffic. It's a good basic workstation firewall for use on a public network. Save it as a bash script and run it as root.
#!/bin/bash
set -u
set -e
set -o pipefail

############## ipv4 ##################
IPTABLES=/sbin/iptables

# Tell the kernel that we don't want to do IP forwarding. We are not a
# router, so forwarding can be disabled at the kernel level.
echo "0" > /proc/sys/net/ipv4/ip_forward

# Clean out any existing rules. --flush, --delete-chain and --zero only
# touch the filter table, which is the only table this script uses (see
# the clearing script above for the others).
# Flush all rules in the filter table.
$IPTABLES --flush
# Delete all user-defined chains in the filter table.
$IPTABLES --delete-chain
# Zero out all counters.
$IPTABLES --zero

# Drop all input and forward traffic; accept all originating traffic.
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT ACCEPT
$IPTABLES --policy FORWARD DROP

# Allow the loopback interface.
$IPTABLES --append INPUT --in-interface lo --jump ACCEPT

# Drop any new TCP connection attempt (SYN set, ACK clear). The DROP
# policy already does this; the explicit rule is belt and braces.
$IPTABLES --append INPUT --protocol tcp --syn --jump DROP

# Allow only incoming traffic that belongs to connections we initiated,
# or is related to them (ICMP errors, FTP data channels and the like).
$IPTABLES --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

############## ipv6 ##################
IP6TABLES=/sbin/ip6tables

# The IPv4 sysctl above does nothing for IPv6; disable forwarding here
# too (the file is absent if IPv6 is disabled, hence the test).
if [ -e /proc/sys/net/ipv6/conf/all/forwarding ]; then
    echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
fi

# Clean out any existing rules (filter table only, as above).
# Flush all rules in the filter table.
$IP6TABLES --flush
# Delete all user-defined chains in the filter table.
$IP6TABLES --delete-chain
# Zero out all counters.
$IP6TABLES --zero

# Drop all input and forward traffic; accept all originating traffic.
$IP6TABLES --policy INPUT DROP
$IP6TABLES --policy OUTPUT ACCEPT
$IP6TABLES --policy FORWARD DROP

# Allow the loopback interface.
$IP6TABLES --append INPUT --in-interface lo --jump ACCEPT

# Drop any new TCP connection attempt (belt and braces, as above).
$IP6TABLES --append INPUT --protocol tcp --syn --jump DROP

# Allow only incoming traffic from connections we initiated.
$IP6TABLES --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

# Accept all ICMPv6. IPv6 depends on it for neighbour discovery and
# path-MTU discovery, not just ping; blocking it breaks IPv6 entirely
# (see https://www.linux.com/topic/networking/iptables-rules-ipv6/).
$IP6TABLES --append INPUT --protocol ipv6-icmp --jump ACCEPT
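Running the script is one thing; knowing the box actually ended up closed is another. The following check is an added example, not part of the original post: it reads iptables-save output and confirms the filter table has the shape the workstation script intends (DROP policies on INPUT and FORWARD, loopback and established traffic accepted, nothing else accepted into INPUT apart from ICMPv6). It assumes only bash and the iptables-save text format; the sample dumps are constructed for illustration. Two details of that format matter: iptables-save prints --syn as --tcp-flags FIN,SYN,RST,ACK SYN, and may list the conntrack states as RELATED,ESTABLISHED, both of which the check allows for.

```bash
#!/bin/bash
# Added example: audit a live ruleset against the workstation policy.
# Usage: iptables-save | audit_workstation ; ip6tables-save | audit_workstation
# Assumed: bash and the iptables-save text format. Sample dumps below are
# constructed, not captured from a real host.

# audit_workstation < iptables-save-output
# Returns 0 if the filter table is "outgoing only":
#   policies INPUT DROP, FORWARD DROP, OUTPUT ACCEPT;
#   loopback and ESTABLISHED,RELATED accepted;
#   nothing else accepted into INPUT (ICMPv6 excepted, which IPv6 needs).
# Every violation is reported on stderr so one run shows all of them.
audit_workstation() {
    local dump filter rc=0
    dump=$(cat)
    # Keep only the *filter section; nat/mangle/raw are out of scope here.
    filter=$(awk '/^\*/ { keep = ($0 == "*filter") } keep' <<<"$dump")
    [[ -n $filter ]] || { echo "no *filter table in dump" >&2; return 1; }

    local want
    for want in ':INPUT DROP' ':FORWARD DROP' ':OUTPUT ACCEPT'; do
        grep -q -- "^$want " <<<"$filter" \
            || { echo "policy: expected '$want'" >&2; rc=1; }
    done

    grep -qx -- '-A INPUT -i lo -j ACCEPT' <<<"$filter" \
        || { echo "loopback: no '-i lo' accept rule" >&2; rc=1; }

    # iptables-save may print the two states in either order.
    local est='ESTABLISHED,RELATED|RELATED,ESTABLISHED'
    grep -Eqx -- "-A INPUT -m conntrack --ctstate ($est) -j ACCEPT" <<<"$filter" \
        || { echo "conntrack: no ESTABLISHED,RELATED accept rule" >&2; rc=1; }

    # Any other ACCEPT into INPUT is an exposure: an open port, an
    # unconditional '-A INPUT -j ACCEPT', and so on. List each one.
    local extra line
    extra=$(grep -E -- '^-A INPUT .*-j ACCEPT$' <<<"$filter" \
        | grep -Ev -- "(-i lo |--ctstate ($est) |-p ipv6-icmp )" || true)
    if [[ -n $extra ]]; then
        while IFS= read -r line; do
            echo "exposed: $line" >&2
        done <<<"$extra"
        rc=1
    fi
    return $rc
}

# Constructed iptables-save output from a host after the workstation
# script ran. Extra rule lines may be passed as arguments to build
# negative cases (they are inserted before COMMIT).
sample_locked_down() {
    printf '%s\n' \
        '# Generated by iptables-save (constructed sample)' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [120:9876]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "$@" \
        'COMMIT'
}

# Constructed dump from a host where the clear-everything script ran.
sample_wide_open() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' 'COMMIT'
}
```

The check is deliberately a whitelist of what may accept into INPUT rather than a search for known-bad rules, so a rule you did not expect (a package that helpfully opened its port, a leftover from debugging) shows up as "exposed" instead of being silently tolerated.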
Here's a script that builds on the workstation script above. It allows incoming SSH connections on port 22 only from a whitelist of source addresses, and HTTP/HTTPS traffic from anywhere. The whitelist below (Comcast's published dynamic-IP ranges) is just the set of prefixes one particular admin connects from; substitute your own.
#!/bin/bash
set -u
set -e
set -o pipefail

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables

############## ipv4 ##################
# Clean out any existing rules. --flush, --delete-chain and --zero only
# touch the filter table, which is the only table this script uses (see
# the clearing script above for the others).
# Flush all rules in the filter table.
$IPTABLES --flush
# Delete all user-defined chains in the filter table.
$IPTABLES --delete-chain
# Zero out all counters.
$IPTABLES --zero

# Drop all incoming and forwarded traffic; allow all outgoing traffic.
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT ACCEPT
$IPTABLES --policy FORWARD DROP

# Accept all incoming traffic on the loopback interface.
$IPTABLES --append INPUT --in-interface lo --jump ACCEPT

# Accept incoming traffic from already-established connections.
$IPTABLES --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

# Accept all new incoming connections for HTTP and HTTPS traffic.
$IPTABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --destination-port 80 --jump ACCEPT
$IPTABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --destination-port 443 --jump ACCEPT

# Accept new incoming SSH connections only from Comcast's block of ipv4
# addresses (from http://postmaster.comcast.net/dynamic-IP-ranges.aspx).
# Replace these with the prefixes you actually connect from.
$IPTABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 24.0.0.0/12 --destination-port 22 --jump ACCEPT
$IPTABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 24.118.0.0/16 --destination-port 22 --jump ACCEPT
# ... this goes on at quite some length, but you get the idea...
$IPTABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 98.248.0.0/13 --destination-port 22 --jump ACCEPT
$IPTABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 174.48.0.0/12 --destination-port 22 --jump ACCEPT

############## ipv6 ##################
# Clean out any existing rules (filter table only, as above).
# Flush all rules in the filter table.
$IP6TABLES --flush
# Delete all user-defined chains in the filter table.
$IP6TABLES --delete-chain
# Zero out all counters.
$IP6TABLES --zero

# Drop all incoming and forwarded traffic; allow all outgoing traffic.
$IP6TABLES --policy INPUT DROP
$IP6TABLES --policy OUTPUT ACCEPT
$IP6TABLES --policy FORWARD DROP

# Accept all incoming traffic on the loopback interface.
$IP6TABLES --append INPUT --in-interface lo --jump ACCEPT

# Accept incoming traffic from already-established connections.
$IP6TABLES --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

# Accept all incoming ICMPv6. IPv6 depends on it for neighbour discovery
# and path-MTU discovery, not just ping
# (see https://www.linux.com/topic/networking/iptables-rules-ipv6/).
$IP6TABLES --append INPUT --protocol ipv6-icmp --jump ACCEPT

# Accept all new incoming connections for HTTP and HTTPS traffic.
$IP6TABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --destination-port 80 --jump ACCEPT
$IP6TABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --destination-port 443 --jump ACCEPT

# Accept new incoming SSH connections only from Comcast's block of ipv6
# addresses. Replace these with the prefixes you actually connect from.
$IP6TABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 2001:558::/29 --destination-port 22 --jump ACCEPT
$IP6TABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 2601::/20 --destination-port 22 --jump ACCEPT
$IP6TABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 2603:2000::/20 --destination-port 22 --jump ACCEPT
$IP6TABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 2603:3000::/24 --destination-port 22 --jump ACCEPT
$IP6TABLES --append INPUT --match conntrack --ctstate NEW --protocol tcp --match tcp --source 2620:fd:8000::/48 --destination-port 22 --jump ACCEPT
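Two things bite with a rule-by-rule script like the one above on a remote server: the whitelist is hand-maintained inside the script, and if the script dies halfway (a typo in one prefix, say) you are left with DROP policies already set and the SSH rules not yet added, i.e. locked out. The following is an added example, not the post's own code, that builds the same policy as iptables-restore input from an allowlist file. iptables-restore loads the whole filter table in one commit, so there is no half-configured window; each entry is syntax-checked before anything is generated; and the apply step keeps the previous rules on a timer so a lost session rolls back by itself. The allowlist format (one address or CIDR per line, '#' comments), the CIDR checks and the rollback timer are this example's own conventions; the allowlist used in the test is constructed. It assumes bash and the iptables-save/iptables-restore tools; applying needs root.

```bash
#!/bin/bash
# Added example: build the "SSH from an allowlist + HTTP/HTTPS" policy as
# iptables-restore input and apply it atomically with a rollback timer.
# Usage: build_rulesets /etc/ssh-allowlist /tmp/v4.rules /tmp/v6.rules \
#        && apply_with_rollback /tmp/v4.rules /tmp/v6.rules
# Assumed: bash, iptables-save/iptables-restore. The allowlist format
# (one CIDR per line, '#' comments) is this example's own convention.
set -u
set -o pipefail

# Syntax check for an IPv4 address or CIDR such as 24.0.0.0/12. A bad entry
# would make iptables-restore abort, so catch it before generating anything.
is_ipv4_cidr() {
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(/([0-9]|[12][0-9]|3[0-2]))?$'
    [[ $1 =~ $re ]] || return 1
    local i
    for i in 1 2 3 4; do
        (( 10#${BASH_REMATCH[i]} <= 255 )) || return 1   # 10# avoids octal
    done
    return 0
}

# Syntax check for an IPv6 address or CIDR such as 2601::/20 (hex groups
# only; IPv4-mapped forms like ::ffff:1.2.3.4 are rejected on purpose).
is_ipv6_cidr() {
    local re='^[0-9A-Fa-f:]+(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'
    local run='[0-9A-Fa-f]{5}'
    [[ $1 =~ $re ]] || return 1
    local addr=${1%%/*}
    local colons=${addr//[^:]/}
    [[ $addr == *:* ]] || return 1           # at least one separator
    [[ $addr == *::*::* ]] && return 1       # at most one "::"
    (( ${#colons} <= 7 )) || return 1        # at most 8 groups
    [[ $addr =~ $run ]] && return 1          # groups are 1 to 4 hex digits
    return 0
}

# Emit the filter table for one address family in iptables-restore format.
# $1 is "4" or "6"; the remaining arguments are the SSH source prefixes.
gen_rules() {
    local family=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [[ $family == 6 ]]; then
        # Neighbour discovery and path-MTU discovery ride on ICMPv6.
        echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    fi
    local port src
    for port in 80 443; do
        echo "-A INPUT -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    for src in ${1+"$@"}; do
        echo "-A INPUT -s $src -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Read the allowlist, split it by address family, write one ruleset file per
# family. Any malformed line aborts the whole build before a file is written.
build_rulesets() {
    local allowlist=$1 out4=$2 out6=$3 line
    local -a v4=() v6=()
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line%%#*}; line=${line//[[:space:]]/}
        [[ -z $line ]] && continue
        if is_ipv4_cidr "$line"; then v4+=("$line")
        elif is_ipv6_cidr "$line"; then v6+=("$line")
        else echo "bad allowlist entry: $line" >&2; return 1
        fi
    done < "$allowlist"
    gen_rules 4 ${v4[@]+"${v4[@]}"} > "$out4"
    gen_rules 6 ${v6[@]+"${v6[@]}"} > "$out6"
}

# Apply both rulesets atomically. The previous rules are saved and restored
# by a background timer unless the operator kills it, which guards against
# locking yourself out of a remote box. Needs root; not run by the test.
apply_with_rollback() {
    local out4=$1 out6=$2 grace=${3:-120} backup4 backup6 timer
    backup4=$(mktemp) && backup6=$(mktemp) || return 1
    iptables-save > "$backup4" && ip6tables-save > "$backup6" || return 1
    # --test parses and builds the ruleset without committing it.
    iptables-restore --test < "$out4" && ip6tables-restore --test < "$out6" || return 1
    ( sleep "$grace"; iptables-restore < "$backup4"; ip6tables-restore < "$backup6" ) &
    timer=$!
    iptables-restore < "$out4" && ip6tables-restore < "$out6" || return 1
    echo "rules applied; run 'kill $timer' within ${grace}s to keep them" >&2
}
```

The generated files only mention the filter table, so iptables-restore leaves nat, mangle and raw untouched; the rollback timer restores a full iptables-save snapshot, so whatever was there before (including other tables) comes back if you never confirm.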