Basic iptables setup (Ubuntu)

Accept anything coming in from

iptables -A INPUT -i lo -j ACCEPT

Accept "related" ("packet is starting a new connection, but is associated with an existing connection") and "established" ("packet is associated with a connection which has seen packets in both directions") packets:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

SSH; set the port (XXXXX) to 22 if you're running the default, which you perhaps should not do, as the script kiddies will not leave you alone. If you change it to something non-default, do not forget to change the port in /etc/ssh/sshd_config (the Port configuration directive) as well, and make the two changes together. Otherwise you will be locked out.

iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT

HTTP and HTTPS:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

NTP, because we're part of the NTP Pool Project:

iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

Log dropped packets, but not too much:

iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables DROP: " --log-level 7

Do the actual dropping:

iptables -A INPUT -j DROP

In order to save these settings on shutdown, create the following file as /etc/network/if-post-down.d/iptables (the shebang line is needed so run-parts can execute it):

#!/bin/sh
# Save the current rules, with packet counters, so they survive a reboot.
iptables-save -c > /etc/iptables.rules
exit 0

To restore the settings on boot, create the following file as /etc/network/if-pre-up.d/iptables:

#!/bin/sh
# Load the saved rules before the interface comes up, so there is no window without the firewall.
iptables-restore < /etc/iptables.rules
exit 0

And make the two executable:

chmod +x /etc/network/if-post-down.d/iptables /etc/network/if-pre-up.d/iptables
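As an added example (not part of the original post), the following POSIX sh script builds the ruleset described above in iptables-save format, checks that the SSH rule agrees with the Port directive in sshd_config (the coordination the SSH step insists on), and only then writes the result in the form the restore script expects. The function names, the constructed sshd_config, the temporary directory and the port value 2222 are assumptions of this example; `iptables-restore --test` parses a file without committing it, which is how you check the file before trusting it at boot.

```sh
#!/bin/sh
# Added example, not code from the original post. Generates the ruleset from the
# post as text so it can be reviewed and syntax-checked before it is applied.

# build_ruleset SSH_PORT -> prints an iptables-restore compatible ruleset.
# Returns 1 and prints nothing if SSH_PORT is not a valid TCP port, so a typo
# cannot produce a ruleset that locks you out of SSH.
build_ruleset() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        return 1
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $port -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables DROP: " --log-level 7
-A INPUT -j DROP
COMMIT
EOF
}

# sshd_port FILE -> prints the port sshd will listen on according to FILE:
# the first uncommented Port directive, or 22 when there is none.
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# ruleset_accepts_tcp RULESET_TEXT PORT -> exit 0 if the text contains an
# ACCEPT rule for that TCP destination port on INPUT, 1 otherwise.
ruleset_accepts_tcp() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT -p tcp -m tcp --dport $2 -j ACCEPT\$"
}

# ssh_rule_matches_sshd SSHD_CONFIG RULESET_TEXT -> exit 0 only if the ruleset
# accepts the port sshd is configured for: the lockout check from the post,
# done before anything touches the live tables.
ssh_rule_matches_sshd() {
    ruleset_accepts_tcp "$2" "$(sshd_port "$1")"
}

# Demonstration on a constructed sshd_config (an assumption, not a real host's file).
work=$(mktemp -d "${TMPDIR:-/tmp}/ipt-example.XXXXXX")
printf '# Port 22\nPort 2222\n' > "$work/sshd_config"
ssh_port=$(sshd_port "$work/sshd_config")
ruleset=$(build_ruleset "$ssh_port") || { echo "bad SSH port: $ssh_port" >&2; exit 1; }
if ssh_rule_matches_sshd "$work/sshd_config" "$ruleset"; then
    # Same format iptables-save writes and the if-pre-up.d script restores.
    printf '%s\n' "$ruleset" > "$work/iptables.rules"
    echo "ruleset written to $work/iptables.rules (SSH on port $ssh_port)"
    # Parse-only check against the real binary; needs root, commits nothing.
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        if iptables-restore --test < "$work/iptables.rules"; then
            echo "ruleset parses"
        else
            echo "ruleset failed to parse, not installing it" >&2
        fi
    fi
else
    echo "SSH rule does not match sshd_config port $ssh_port, refusing to write" >&2
fi
```

The ruleset keeps the post's shape (ACCEPT policy with an explicit final DROP rule) rather than switching the chain policy to DROP. Note that iptables only governs IPv4; if the host has a public IPv6 address, an equivalent ip6tables ruleset is needed or that side stays wide open.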
