******************************************************

Create Firewall Rules:

******************************************************
We need to set up some form of firewall on this box. This is a subject that could (and does) fill volumes. We are going to use something quick and simple that will give us a basic firewall. Something is MUCH better than nothing, and we just don't have time to read volumes on the subject right now.

I am going to give you a set of commands below that I want you to paste into the command line, in the correct order. You MUST change the IP addresses to fit your needs, if you have not already done so. The line with '--dport 22' on it is SSH, and the network address to the left of it needs to be the network that both your computer and the spamfilter computer are on. You could also limit access to a single computer (yours, of course) by using your_ipaddress_goes_here/32. This is a security measure; if you get that part wrong, it will lock you out. The lines with '--sport 53' on them are for access to DNS servers. BTW, all you have to do to change your DNS servers is change the entries in /etc/resolv.conf.

If you would like to add more rules in the future or make modifications, simply copy and paste these lines into a text editor like Notepad, make the changes you would like, and then copy and paste them to a command prompt in your PuTTY window. You can copy and paste all the lines at once. The first line deletes all the entries that were in the rule set previously, and the next-to-last line saves the new rule set. The last line shows how one would load a rules file into iptables. Keep a copy of the text file on your computer and call it firewall-rules.txt. I learned to never edit the /etc/firewall-rules file directly on the spamfilter computer. It looks like iptables will reject the file if anyone other than itself has modified it. I learned that one the hard way.

DO NOT USE AS IS, CHANGE NETWORK ADDRESS FIRST:
You can copy and paste this whole section to the command prompt:
iptables -F
iptables -N FIREWALL
iptables -F FIREWALL
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j FIREWALL
iptables -A FIREWALL -p tcp -m tcp --dport 25 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp -s 222.222.222.222/24 --dport 22 --syn -j ACCEPT
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 53 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --dport 123 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 123 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 6277 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 24441 -j ACCEPT
iptables -A FIREWALL -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A FIREWALL -p icmp --icmp-type source-quench -j ACCEPT
iptables -A FIREWALL -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A FIREWALL -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FIREWALL -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A FIREWALL -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --syn -j REJECT
iptables -A FIREWALL -p udp -m udp -j REJECT
iptables -A FIREWALL -p icmp -j DROP
iptables-save > /etc/firewall-rules
iptables-restore < /etc/firewall-rules


Now run:
iptables -L

to list the rule set. This is informational only.
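The following script is an added example of mine, not code from the tutorial's author. It renders the rule set above in the format that iptables-save writes and iptables-restore reads, takes the SSH management network as an argument instead of the hard-coded 222.222.222.222/24, and refuses to produce a file at all while that placeholder (or an unparseable network) is still in place, which is the lock-out mistake the text warns about. It goes one step beyond the page in one respect: the blanket '--sport 53', '--sport 123', '--sport 6277' and '--sport 24441' accepts are replaced by a single connection-tracking rule (-m state --state ESTABLISHED,RELATED), so a packet that merely claims to come from port 53 is no longer accepted unconditionally, and the inbound '--dport 123' accept is dropped because a box that only syncs its own clock needs no inbound NTP. The function names check_mgmt_net, render_rules and apply_rules are my own; /etc/firewall-rules is the tutorial's path; apply_rules needs root and a live kernel and is not called by default.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: render and apply the
# tutorial's firewall in iptables-restore format, with the SSH management
# network substituted in and a guard against the placeholder address.
# Function names are mine; /etc/firewall-rules is the tutorial's path.

PLACEHOLDER_NET="222.222.222.222/24"   # the sample address the tutorial tells you to change

# Succeeds only for a dotted-quad/prefix that is not the tutorial's placeholder.
check_mgmt_net() {
    net="$1"
    case "$net" in
        "$PLACEHOLDER_NET") return 1 ;;   # still the sample address: would lock you out
    esac
    echo "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    [ "${net##*/}" -le 32 ] || return 1   # prefix length must fit an IPv4 address
    return 0
}

# Print the rule set on stdout in the format iptables-save writes and
# iptables-restore reads. Difference from the page's pasted commands: one
# conntrack rule admits replies to sessions this box started, so the blanket
# '--sport 53/123/6277/24441' accepts and the inbound '--dport 123' are gone.
render_rules() {
    mgmt="$1"
    if ! check_mgmt_net "$mgmt"; then
        echo "refusing to render: '$mgmt' is not a usable management network" >&2
        return 1
    fi
    cat <<EOF
# Generated by render_rules for management network $mgmt
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j FIREWALL
-A FIREWALL -i lo -j ACCEPT
-A FIREWALL -m state --state INVALID -j DROP
-A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FIREWALL -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A FIREWALL -p tcp -m tcp -s $mgmt --dport 22 --syn -j ACCEPT
-A FIREWALL -p icmp --icmp-type destination-unreachable -j ACCEPT
-A FIREWALL -p icmp --icmp-type source-quench -j ACCEPT
-A FIREWALL -p icmp --icmp-type time-exceeded -j ACCEPT
-A FIREWALL -p icmp --icmp-type parameter-problem -j ACCEPT
-A FIREWALL -p icmp --icmp-type echo-reply -j ACCEPT
-A FIREWALL -p icmp --icmp-type echo-request -j ACCEPT
-A FIREWALL -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A FIREWALL -p udp -m udp -j REJECT
-A FIREWALL -j DROP
COMMIT
EOF
}

# Write the file the tutorial uses and load it. Needs root and a live
# netfilter, so it is not called here. Usage: apply_rules 192.168.1.0/24
apply_rules() {
    render_rules "$1" > /etc/firewall-rules.new || return 1
    # iptables-restore rejects the whole file if any line is bad, so the
    # old rule set stays in force and the new file is only moved into place
    # once it has loaded cleanly.
    iptables-restore < /etc/firewall-rules.new || return 1
    mv /etc/firewall-rules.new /etc/firewall-rules
}
```

Because the file is always produced by render_rules and never edited by hand, the "pre-up iptables-restore < /etc/firewall-rules" line in /etc/network/interfaces keeps working unchanged; to add a rule, change the heredoc and re-run apply_rules from the console, where a mistake cannot cost you the SSH session.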

We have written the firewall rules to a file on the spamfilter computer, but iptables starts with an empty rule set each time the computer restarts. The rule set we saved to /etc/firewall-rules must be "loaded" into iptables every time the system starts up.

We are going to insert the command to configure iptables into a file that starts up the network interfaces when the system boots up:
vi /etc/network/interfaces

And insert the following text (remember, it's "i" to insert)
in the blank line just below "iface lo inet loopback":

pre-up iptables-restore < /etc/firewall-rules

Save and exit the file as usual with [Esc] : wq
Please don't think this is where you would stick any old command you would like. This is not the place, and not the way, to do so. That's a whole 'nuther subject. This file is, however, the right place (along with /etc/resolv.conf) to change network settings.

That's all there is to it. You have just used what I believe is the fewest possible steps to create a simple functional personal firewall for this machine. I will admit that it should have been a lot easier by utilizing one of the firewall tools, but it just didn't work out.

At this point our firewall allows external users to connect to SSH and Mail. It also allows replies from Pyzor, DCC, DNS servers and NTP servers. It blocks (I hope) everything else except any sessions that originate from us. This allows us to connect to the outside world. This box should be behind another firewall at any rate. If so, that firewall/screening router will need to be configured to allow tcp port 25 traffic to this machine, but only after this box is fully functional. If you have things locked down really tight, take a look at http://flakshack.com/anti-spam/wiki/index.php?page=Provide+firewall+access for some ideas. Keep in mind we also need udp port 24441 for Pyzor and access to external DNS servers. As far as DCC, Razor and Pyzor go, try them before you start messing with your Internet firewall. I have my spamfilter behind a screening router, a hardware firewall, and a software NAT-box firewall, and none of them required reconfiguration for these programs to work. Port 25 (SMTP) will probably need to be opened, however.

If you have not done so, reboot again and run
iptables -L
to verify the firewall loaded during start up.

If you have problems, enter the command iptables -F from the console to clear out iptables. This will allow you another shot at it.