Security experts will probably tell you it’s not a good idea to be a dummy and also in charge of your own firewall. They’re probably right, but it’s a catchy title. In this article, I’ll quickly go over some common firewall rules for iptables under Linux.
First things first. If you don’t have the right kernel, you’re not going to get anywhere. A quick way to find out if all the right pieces are in place is to try to load the iptables NAT kernel module:
$ modprobe iptable_nat
If you get errors, you may need to compile various support into your kernel, and of course you may need to compile the iptable_nat module itself. The easiest way is to download the source RPM for your installed distribution and run ‘make menuconfig’ with its default configuration; that way, the things that currently work with your kernel won’t break because you forgot to select them. For details see the Linux Firewall using IPTables HOWTO.
Once the module is loaded, start the service:
$ /etc/rc.d/init.d/iptables start
You will also have to have your interfaces up. I did this as follows:
# startup dhcp
/usr/sbin/dhcpd eth0
# bring up twc cable connection to internet
ifup eth1
You’ll need to set some rules. Be sure to get your internet interface and your local network interface right in these commands. First, set up masquerading, which allows multiple machines behind your firewall to share the single dynamically assigned IP address from your internet provider:
$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
On my firewall, eth1 is the device which talks to the ISP and gets the IP address we’ll use on the internet. The other interface, eth0, is for my local internal network.
Next, be sure to enable VPN traffic through the firewall if you have a VPN connection to your office:
# IP protocol 50 is ESP (encrypted IPsec payload)
iptables -A INPUT -s 10.0.0.0/24 -p 50 -j ACCEPT
# IP protocol 51 is AH (IPsec authentication header)
iptables -A INPUT -s 10.0.0.0/24 -p 51 -j ACCEPT
# UDP port 500 is IKE (IPsec key exchange)
iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 500 -j ACCEPT
Lastly, enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
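The steps above, gathered into one script as an added example (not the article’s own commands): it keeps the article’s layout (eth0 internal, eth1 to the ISP, VPN peers in 10.0.0.0/24) and adds the default-deny INPUT/FORWARD policies and the ESTABLISHED,RELATED rules that the masquerade and VPN rules alone leave out. The LAN_IF/WAN_IF/VPN_NET/DRY_RUN variables and the use of sysctl instead of the echo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: build the article's masquerading
# ruleset with default-deny policies. DRY_RUN=1 (the default) only prints
# the commands; DRY_RUN=0 executes them and must run as root.
LAN_IF="${LAN_IF:-eth0}"          # local internal network (article: eth0)
WAN_IF="${WAN_IF:-eth1}"          # interface facing the ISP (article: eth1)
VPN_NET="${VPN_NET:-10.0.0.0/24}" # VPN peer network from the article
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # Start from a clean slate and deny by default on INPUT and FORWARD.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # Loopback, replies to our own connections, and the trusted LAN side.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -j ACCEPT
    # IPsec VPN: ESP (50), AH (51) and IKE (udp/500), as in the article.
    run iptables -A INPUT -s "$VPN_NET" -p 50 -j ACCEPT
    run iptables -A INPUT -s "$VPN_NET" -p 51 -j ACCEPT
    run iptables -A INPUT -s "$VPN_NET" -p udp --dport 500 -j ACCEPT
    # Only forward LAN -> internet and the replies coming back.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade everything leaving via the ISP interface (article's rule).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Same effect as: echo 1 > /proc/sys/net/ipv4/ip_forward
    run sysctl -w net.ipv4.ip_forward=1
}

firewall_rules
```

Review the printed commands first; only then apply them with DRY_RUN=0 as root.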