Configuring iptables

This is a very basic iptables configuration. If your server is secure, it should not be necessary. If you're using any other firewall device / scripts, ignore this. I'm adding it for completeness as a turnkey system; if you have nothing else, you should at least use iptables to restrict access to known ports.

Create a file /etc/network/if-up.d/iptables-up:

    #!/bin/sh
    /sbin/iptables-restore /etc/default/iptables

Create a file /etc/network/if-down.d/iptables-down:

    #!/bin/bash
    /bin/cp /etc/default/iptables /etc/default/iptables.bak
    /sbin/iptables-save > /etc/default/iptables.unknown

Make them executable:

    chmod 700 /etc/network/if-up.d/iptables-up /etc/network/if-down.d/iptables-down

''The iptables-down script seems fairly redundant, but it is designed to save iptables changes without automatically reloading them. If you have added rules, then stopping the network will save those rules, but only to the file /etc/default/iptables.unknown. You may then replace /etc/default/iptables if you are confident of the changes. The last working rule set will be in /etc/default/iptables.bak.''

Create the rules by running all of these commands from the command line:

    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -j ACCEPT                                        # note 1
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT  # note 2
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 220 -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    iptables -A INPUT -j DROP

Note 1: This assumes that eth0 is your network adapter. (If your machine is multi-homed, you're on your own here. See note at top about using a dedicated firewall script.) If it is not, change eth0 as appropriate.

Note 2: This assumes that your ssh port is 22 (default). If you have changed the port (see here), change 22 to the appropriate port.

You might also do this:

    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -s  -j ACCEPT
    iptables -A OUTPUT -j DROP

which I don't think serves much purpose in this turnkey server, but sets the defaults for adding additional rules later. Beware that misconfiguring the OUTPUT rules before the last line will probably mean a reboot, as you'll lose your connectivity to the server.

Once you have done all of this, save the rules:

    iptables-save > /etc/default/iptables
    chmod 600 /etc/default/iptables
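Because iptables applies the first rule that matches and then stops, the order of the INPUT chain above decides what actually gets through. The following is an added example, not part of this page's turnkey scripts: a small Python first-match simulator for that chain. It understands only the match options used on this page, the packets are constructed samples, and it shows that the `-i eth0 -j ACCEPT` rule matches every packet arriving on eth0 before any port rule or the final DROP is consulted.

```python
import shlex

# The INPUT chain from the rule list above, in the order the commands append them.
INPUT_RULES = [
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -i eth0 -j ACCEPT",
    "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT",
    "iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT",
    "iptables -A INPUT -j DROP",
]

def parse_rule(line):
    """Reduce one 'iptables -A INPUT ...' command to its match criteria and target.
    Only the options this page uses are understood; -A and -m carry no criteria."""
    toks = shlex.split(line)
    rule, i = {}, 1  # toks[0] is the 'iptables' word
    while i < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "--state":
            rule[opt] = set(val.split(","))
        elif opt in ("-i", "-p", "--dport", "--icmp-type", "-j"):
            rule[opt] = val
        i += 2  # every option on this page takes exactly one argument
    return rule

def rule_matches(rule, pkt):
    """A rule matches only if every criterion it names holds for the packet."""
    checks = {
        "-i": lambda v: pkt["iface"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "--state": lambda v: pkt["state"] in v,
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--icmp-type": lambda v: pkt.get("icmp_type") == int(v),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt in checks)

def verdict(pkt, rules=INPUT_RULES, policy="ACCEPT"):
    """First matching rule decides; the chain policy (-P INPUT ACCEPT) applies if none does."""
    for line in rules:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policy
```

Packets are plain dicts with iface, proto and conntrack state plus a dport or icmp_type; pass a filtered rule list as the second argument to see how a chain behaves with a given rule removed.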

Summary of rules
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

allows packets that belong to, or are related to, a connection that is already established to continue.

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport NN -j ACCEPT

passes traffic for services:
 * 22 = ssh
 * 53 = name server (you may omit if you are not running a name server)
 * 80 = Apache
 * 443 = Apache (secure)
 * 25 = SMTP
 * 110 = POP3
 * 143 = IMAP
 * 220 = IMAP3
 * 993 = IMAP/SSL

iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

passes name server requests that arrive over UDP rather than TCP.