as you manage more and more linux servers, you might stumble upon iptables firewalls. Especially with newer distros that happens more and more often, for example Fedora 17 and CentOS 6.3 have their iptables switched on by default.
If you now start to install services and server software, you might want to disable your firewall to test if the server responds, right? wrong!
The firewall is there for a reason, and should not just be switched off. One little trick I picked up is to always have a little shell script on hand that contains all the rules you want on your server and blocks everything else.
That way you can easily add an open port or close one, can rearrange the rules to your like and then run the script and have the firewall in place exactly as you want it to be.
This is especially helpful in case you mess up your rules or something goes wrong. You are up and running with your set of rules again in no time.
So, here goes a little basic firewall file on one of my test servers that runs a media wiki and for test purposes webmin on port 4444. It even takes into account ipv6 (same rules as for ipv4) and dumps the rules to the screen for you to see whats in place now.
all the best,
#flush all rules
#allow 22 (ssh)
iptables -A INPUT -p tcp –dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp –dport 22 -j ACCEPT
#allow 80 (http, the wiki)
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp –dport 80 -j ACCEPT
#allow 4444 (webmin)
ip6tables -A INPUT -p tcp –dport 4444 -j ACCEPT
iptables -A INPUT -p tcp –dport 4444 -j ACCEPT
#set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
#set access for localhost
iptables -A INPUT -i -lo -j ACCEPT
ip6tables -A INPUT -i -lo -j ACCEPT
#accept packets belonging to established connections
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
/sbin/service ip6tables save
iptables -L -v
ip6tables -L -v