# Simple Stateful Firewall - Beginner

## gentian

Is this a safe wiki to use for someone who is a beginner in IPTABLES?

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall

----------

## aCOSwt

I cannot tell about this one, but, being a gentooer, why not the Gentoo one?

----------

## gentian

*aCOSwt wrote:*

> I cannot tell about this one, but, being a gentooer, why not the Gentoo one?

I was always dubious about the gentoo-wiki validity and status, as it is not an official gentoo.org source. I think that the Arch wiki entries are phenomenal and very simplistic. Just wondering if it covers the ground better?

----------

## PaulBredbury

Both pages seem reasonable. My advice is:

1. Beware: there are lots of gotchas in iptables rules and networking.

2. No one document tells you everything - you have to google a lot, and experiment a lot.

3. You're not the NSA, so don't need to be as paranoid as some of the docs are.

4. ICMP is needed for e.g. MTU negotiation, so be very careful if you choose to selectively block/rate-limit it.

----------

## Goverp

If you're just after a simple firewall, rather than learning iptables, try net-firewall/ufw (and perhaps kde-misc/kcm-ufw).  They make configuring a simple firewall really easy.

----------

## gentian

*Goverp wrote:*

> If you're just after a simple firewall, rather than learning iptables, try net-firewall/ufw (and perhaps kde-misc/kcm-ufw).  They make configuring a simple firewall really easy.

I tried installing ufw and I got:

```
 *   CONFIG_NETFILTER_XT_MATCH_COMMENT:    is not set when it should be.
 *   CONFIG_IP6_NF_MATCH_HL:    is not set when it should be.
 *   CONFIG_NETFILTER_XT_MATCH_LIMIT:    is not set when it should be.
 *   CONFIG_NETFILTER_XT_MATCH_MULTIPORT:    is not set when it should be.
 *   CONFIG_NETFILTER_XT_MATCH_RECENT:    is not set when it should be.
 *   CONFIG_NETFILTER_XT_MATCH_ADDRTYPE:    is not set when it should be.
 * Please check to make sure these options are set correctly.
 * Failure to do so may cause unexpected problems.
```

 It installed fine, but I cannot set simple default rules. Maybe I need to recompile my kernel including the missing options?

----------

## Goverp

*gentian wrote:*

> I tried installing ufw and I got: 
> 
> ```
>  *   CONFIG_NETFILTER_XT_MATCH_COMMENT:    is not set when it should be.
> 
> ...

 Yes, to use UFW you need to configure the appropriate kernel options.  I installed it some time back, and then it stopped working - turned out I'd missed similar warning messages when an upgrade of UFW required new options in the later version of the kernel I was by then running.

I don't know what those settings actually mean, and whether you could build a decent firewall without them (not using UFW).  That's either a strength or a drawback of using a package - it may be making a good decision on your behalf, or it may just be bloating the kernel for a few irrelevant edge cases.  I've better things to do than read the code to find out ;-) so I just did as UFW asked.

Whether or not those settings are the actual cause of UFW not working for you is a different question.  Try changing the kernel.  If that doesn't cure the problem, what are the symptoms of its failure?
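Goverp's point that UFW needs certain kernel options can be checked before emerging it. The following is an added example (not from the thread, and not UFW's own ebuild check) that looks up the options from gentian's error output in a kernel config; it also goes slightly beyond that case by checking the two options a hand-written `-m state` ruleset depends on, whose names are taken from the netfilter Kconfig rather than from the thread. It assumes the config is a plain `.config` or a gzipped `/proc/config.gz`, and the sample config it runs against is constructed.

```shell
#!/bin/sh
# Kernel options the ufw ebuild warned about in the thread.
UFW_REQUIRED_OPTIONS="CONFIG_NETFILTER_XT_MATCH_COMMENT CONFIG_IP6_NF_MATCH_HL \
CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_NETFILTER_XT_MATCH_MULTIPORT \
CONFIG_NETFILTER_XT_MATCH_RECENT CONFIG_NETFILTER_XT_MATCH_ADDRTYPE"
# Options a hand-written "-m state" ruleset needs (assumed names, taken from
# the netfilter Kconfig, not from the thread).
STATEFUL_REQUIRED_OPTIONS="CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_STATE"
# missing_kernel_options CONFIG OPTION...
# Print each OPTION that is neither built in (=y) nor a module (=m) in CONFIG,
# which may be a plain .config or a gzipped /proc/config.gz (needs
# CONFIG_IKCONFIG_PROC). Exit status is 0 if nothing is missing, 1 otherwise.
missing_kernel_options() {
    cfg=$1
    shift
    case $cfg in
        *.gz) reader=zcat ;;
        *)    reader=cat ;;
    esac
    status=0
    for opt in "$@"; do
        # "# CONFIG_FOO is not set" and an absent line both count as missing.
        if ! $reader "$cfg" | grep -qE "^${opt}=[ym]\$"; then
            echo "$opt"
            status=1
        fi
    done
    return $status
}

# Constructed sample .config (not a real kernel's), so the script runs stand-alone.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
# CONFIG_IP6_NF_MATCH_HL is not set
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_RECENT=m
EOF

# Helpers for the sample; on a real box pass /proc/config.gz or /usr/src/linux/.config.
sample_missing_for_ufw()      { missing_kernel_options "$SAMPLE_CONFIG" $UFW_REQUIRED_OPTIONS; }
sample_missing_for_stateful() { missing_kernel_options "$SAMPLE_CONFIG" $STATEFUL_REQUIRED_OPTIONS; }

sample_missing_for_ufw || echo "ufw needs the options above; rebuild the kernel with them enabled"
```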

----------

## gentian

*Goverp wrote:*

>  *gentian wrote:*   I tried installing ufw and I got: 
> 
> ```
>  *   CONFIG_NETFILTER_XT_MATCH_COMMENT:    is not set when it should be.
> 
> ...

I just need to set up a really simple, basic firewall. I am not sure how this can be easily accomplished using IPTABLES. I basically need to achieve the ufw rules of denying incoming connections, except for ssh, and allowing all outgoing.

----------

## NeddySeagoon

gentian,

I like shorewall.  There is no need to wrestle with raw iptables and it saves some of the learning.

There are other tools like it too.

Maybe I'm more paranoid than many, as nothing is allowed in or out of my network without a rule to permit it.

This keeps nasty things out and stops them phoning home if they do get in.

Security is like layers of an onion.  The idea is not to make it absolutely impossible to break in, just difficult enough so casual attackers will give up and move on.

You set the bar where you like.

One of the biggest threats today is a combination of nasty websites and social engineering. Your firewall cannot protect you against them.

----------

## gentian

*NeddySeagoon wrote:*

> gentian,
> 
> I like shorewall.  There is no need to wrestle with raw iptables and it saves some of the learning.
> 
> There are other tools like it too.
> ...

From a first look at the howto, it looks more complicated and defeats the purpose of what I want to accomplish, which is a really simple firewall that blocks all input connections, even ssh for now, and allows outgoing connections coming from my box. The same mentality as the ufw default rules applies. Then the next step would be to "play" on my vm with some more IPTABLES rules, see what my main objectives/connections are and how I interact with the net on a daily basis, and then adjust the rules to my needs.

----------

## logical_guy

I think you need to take a look at this page http://en.gentoo-wiki.com/wiki/Iptables.  It takes only a couple of minutes to set up using iptables.

----------

## khayyam

gentian et al ...

In my opinion Oskar Andreasson's iptables tutorial is the best resource there is on the subject. It is thorough and detailed but doesn't make too many assumptions about the user. The resources provided in the netfilter documentation section are directed at more advanced users, but nonetheless there are some useful examples there.

As for a "basic" script, well, this depends on what the starting point is ... some people consider it basic to do both ingress and egress filtering, with a default policy of DROP on INPUT, OUTPUT and FORWARD; if you don't need to allow much traffic such rulesets can be fairly straightforward. Then there are scripts that have DROP but ACCEPT on OUTPUT with --state ESTABLISHED,RELATED on INPUT. Different focuses, but neither is particularly complex.

Anyhow ... I think you're looking for something like the following:

```
#!/bin/sh
# clear current ruleset (flush rules, delete user chains, zero counters)
iptables -F
iptables -X
iptables -Z

# set the default policy: nothing in, nothing forwarded, everything out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# accept incoming traffic that belongs to connections this box initiated
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow new connections to port 22 (ssh)
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT

# allow icmp (if you want hosts to be able to ping)
iptables -A INPUT -p icmp -j ACCEPT

# drop broadcast/multicast packets (these would only fill the log file);
# 255.255.255.255/0.0.0.255 is a non-contiguous mask matching any destination
# whose last octet is 255, i.e. the usual /24 broadcast address
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# log everything else; it then falls through to the INPUT DROP policy
iptables -A INPUT -j LOG
```

... comment the rule for port 22 to disallow incoming ssh connections.

HTH  & best ...

khay

----------

## Fitzcarraldo

I came across the following HowTo on IPTABLES on the Web a few weeks ago, and thought it would be worth posting the link, as it looks quite helpful: IPTABLES - A Beginner's Tutorial.

----------

## nix213

It looks like a great link; thanks for sharing! 

Building your own firewall can be a great learning experience.

----------

