This no-frills, bog-standard firewall may seem basic, but it works. Try a door and, unless it's whitelisted, it won't budge.
The assumption here is that you either don't have a firewall at all or that the one you have needs revisiting. For the former, we'll install the package; for both, we'll tune the ruleset to make sure yours is rock-solid.
Assume root privileges and list your current rules:
If it looks like this, you have no rules:
Or if instead you receive an error like this, then the package isn't installed:
In the latter case, install iptables:
If you're fine-tuning an old ruleset, just to be safe, back it up:
Now, whether starting afresh or improving, we'll add our new rules. Open a file:
Study this syntax and try not to get a headache. It's commented to help. The comments surrounded by three hashes (### like this ###) mark the areas we may want to change:
This firewall allows localhost (loopback) traffic, traffic on the HTTP and secure HTTPS ports, and pinging; it configures logging; and it tells anything else to kindly sod off.
Without getting too detailed, let's consider the rules that we may want to add to or change. Firstly, do we want to open more ports? If so, we can cheat a bit and add a rule like one of these, swapping the port for the one we need:
For example, say you want a mail server. Certainly you'd be wanting port 25. To allow for that, we would add this rule:
As you can see, other than for the port number, this is identical to the rules for 80 and 443.
With your rules edited in a text editor, paste them into our newly opened file. Don't worry if a port is missing (the exception being SSH, if you're working over it, because that's the door you're standing in) because it can be added later using precisely this process, with the same syntax plus the extra rules. Now we can implement our rules using these commands:
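To make the shape of the ruleset concrete, here is an added example (not the ruleset from this post) that generates the firewall just described as a file in iptables-restore format: loopback allowed, 80 and 443 open, ping allowed, a rate-limited log rule, and a final DROP. Extra TCP ports are passed as arguments, which is exactly the "swap the port number" step for a mail server on 25 (or your SSH port if you manage the box over SSH). The output path and the log prefix are assumptions of this example; the point is that you can read the generated file before loading it with iptables-restore.

```shell
#!/bin/sh
# Added example, not the post's own ruleset: build the described firewall as an
# iptables-restore file so it can be reviewed before `iptables-restore < file`.
# RULES_FILE is an assumed path, not a value from the post.
RULES_FILE="${RULES_FILE:-/tmp/iptables.up.rules.example}"

# Accept a port only if it is an integer in 1..65535; return 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset. Extra TCP ports to open are given as arguments
# (for example 25 for a mail server); 80 and 443 are always included.
gen_rules() {
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    echo '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is always allowed; fake loopback from elsewhere is not.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT'
    # Replies to connections this host opened itself.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # ### Ports to open: 80 and 443 plus whatever was passed in ###
    for p in 80 443 "$@"; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Pinging (ICMP echo request).
    echo '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    # Log what is about to be dropped (rate limited), then drop it.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# Number of TCP ports the generated ruleset accepts; handy for a sanity check.
count_open_ports() {
    gen_rules "$@" | grep -c -- '-p tcp --dport'
}

# Write the ruleset to RULES_FILE for review before loading it.
write_rules() {
    gen_rules "$@" > "$RULES_FILE"
}
```

Run `write_rules 25` (as a function from this script) and read the file; a bad port such as `abc` or `99999` is refused before anything is written, which is cheaper than discovering the typo after iptables-restore has rejected the whole file.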
The firewall is in place. Almost…
Adding the firewall to the network
We need to register the iptables rules with the system's networking, so open another file:
In there, look for the line iface lo inet loopback. Beneath it, add this:
Or, if you already had iptables, you should find that line there already, in which case leave it alone.
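The registration step above is a one-line edit, but it is the sort of edit that gets made twice. As an added example (not the post's own commands), the function below inserts a pre-up iptables-restore hook directly beneath "iface lo inet loopback", leaves the file untouched if a hook is already there, and refuses to touch a file that has no loopback stanza. The rules path is an assumption of this example, and the function takes the interfaces file as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not the post's own commands: register the saved ruleset in an
# ifupdown interfaces file so it is restored before the interface comes up.
# The rules path below is an assumption of this example.
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
HOOK_LINE="pre-up iptables-restore < $RULES_FILE"

# Insert the hook right after "iface lo inet loopback" unless the file already
# contains one, so running this twice does not duplicate it.
# Returns 0 only if the file ends up with exactly one hook line.
add_restore_hook() {
    file="$1"
    if grep -Fq "iptables-restore" "$file"; then
        : # already registered: leave it alone, as the post says
    elif grep -Fq "iface lo inet loopback" "$file"; then
        tmp="$file.tmp.$$"
        awk -v hook="$HOOK_LINE" '
            { print }
            $0 ~ /^[[:space:]]*iface lo inet loopback/ { print "    " hook }
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        echo "no 'iface lo inet loopback' stanza in $file" >&2
        return 1
    fi
    [ "$(grep -Fc 'iptables-restore' "$file")" -eq 1 ]
}

# Constructed sample interfaces file for trying the function offline.
make_sample_interfaces() {
    cat > "$1" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF
}
```

Try it with `make_sample_interfaces /tmp/interfaces.copy` followed by `add_restore_hook /tmp/interfaces.copy`; only once the copy looks right would you point it at the real file.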
All right then.
Further reference for iptables
You'll probably have questions about managing iptables. Have my bookmarks:
- Easy – Ubuntu's iptables How-To
- Medium – Netfilter's iptables Reference
- Stiff whiskey – FrozenTux' iptables Guide
Is there a GUI-based firewall alternative?
Yes. You need Simplify iptables with ConfigServer Firewall. But you don't deserve the whiskey.