While our firewall doesn’t have many rules, it is convenient to keep a script on hand that restores exactly the rules we want: iptables rules live only in kernel memory, so they are gone after a reboot. I copied the structure from these guys and filled in my own rules (I left some of their more interesting bits in as comments for the time being).
nano /root/setupFirewall.sh
#!/bin/bash
# Set up iptables baseline
# Flush all rules in the filter table to work from a clean slate
# (-F removes rules only; it does not touch chain policies or user-defined chains)
iptables -F
# Set default policies for INPUT, FORWARD, and OUTPUT chains
# (left commented: with INPUT set to DROP, every packet not matched by an
# ACCEPT rule below is dropped and the trailing "Deny All" rule becomes redundant)
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT
# Allow access for localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Add access from other computers on our network
#iptables -A INPUT -s <IP Address 1> -j ACCEPT
#iptables -A INPUT -s <IP Address n> -j ACCEPT
# Open port for HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Deny All (whatever you administer this host over, e.g. SSH, must be
# allowed above this line, or running the script locks you out)
iptables -A INPUT -j DROP
# List iptables chains (-n skips the reverse DNS lookup on every address)
iptables -nL --line-numbers
chmod 700 /root/setupFirewall.sh
Don’t forget that last bit. It does two things: it makes the script executable, and, probably more importantly, it stops anyone but root from reading our firewall configuration (an attacker can still find the open ports with a scan, so this only hides the details of the ruleset). Again, obscurity is NOT security, but it can help augment it.
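The script above installs its rules one iptables call at a time, so for a moment the chain is half-built, and if a rule is wrong there is no automatic way back in. As an added example that is not part of the original post, here is the same baseline written as an iptables-restore ruleset, which the kernel loads in one step, together with a pre-flight check and a guarded apply that reverts to the previous rules after 60 seconds unless you confirm. The host list, port list, management port, temporary file paths and the 60-second window are all assumptions made here, not anything the post specifies.

```shell
#!/bin/bash
# Added example, not the post's own script: the INPUT baseline as an
# iptables-restore ruleset plus a sanity check and a guarded apply.
# Assumed: hosts/ports are passed as space-separated lists, the box is
# managed over MGMT_PORT (e.g. 22), and /tmp is fine for scratch files.

# build_ruleset "HOST1 HOST2 ..." "PORT1 PORT2 ..."
# Prints the filter table in iptables-save format. Policies sit in the chain
# headers, so iptables-restore installs policies and rules together instead
# of the rule-by-rule sequence that a chain of iptables -A calls produces.
# With the INPUT policy at DROP no trailing "-j DROP" rule is needed.
build_ruleset() {
    hosts="$1"
    ports="$2"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for h in $hosts; do
        echo "-A INPUT -s $h -j ACCEPT"
    done
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# check_ruleset FILE MGMT_PORT
# Static checks before anything touches the live firewall: the file must be
# a complete filter table, and the port you administer the host over must
# have an explicit ACCEPT, otherwise applying the ruleset locks you out.
check_ruleset() {
    f="$1"
    mgmt="$2"
    grep -q '^\*filter$' "$f" || return 1
    grep -q '^COMMIT$' "$f" || return 1
    grep -q -- "^-A INPUT -p tcp --dport $mgmt -j ACCEPT" "$f" || return 1
    return 0
}

# apply_ruleset FILE MGMT_PORT
# Saves the running rules, parse-checks the new set (iptables-restore --test),
# loads it, then restores the backup after 60 s unless the operator confirms
# by deleting the marker file. Needs root and iptables; never run by the test.
apply_ruleset() {
    f="$1"
    mgmt="$2"
    check_ruleset "$f" "$mgmt" || { echo "refusing to apply $f" >&2; return 1; }
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    iptables-save > "$backup" || return 1
    iptables-restore --test "$f" || return 1
    iptables-restore "$f" || return 1
    marker=$(mktemp /tmp/iptables-confirm.XXXXXX)
    ( sleep 60; [ -e "$marker" ] && iptables-restore "$backup" ) &
    echo "applied; rm $marker within 60 s to keep the new rules" >&2
}

# Usage (as root): ./setupFirewall.sh apply "<trusted hosts>" "80 22" 22
if [ "${1:-}" = "apply" ]; then
    rules=$(mktemp /tmp/iptables-rules.XXXXXX)
    build_ruleset "$2" "$3" > "$rules"
    apply_ruleset "$rules" "$4"
fi
```

If your session survives, delete the marker file within the minute and the new rules stay; if a typo cut you off, the background job puts the saved rules back on its own and you simply reconnect and fix the file.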