You can start setting up your rules. These are just suggestions. Obviously, if you are running other services or need to open other ports, you can certainly customize some things or add some of your own rules.
The loopback interface (lo) is the internal interface Linux uses for traffic between local processes, so allow it in both directions.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
Many people do not want to allow pings to their computers. However, ping is quite useful for checking connectivity. If you want to allow pings, add the rules below.
# Accept incoming echo requests (ICMP type 8), replies to our own pings, and all outgoing ICMP
-A INPUT -i eth0 -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
The next rules let you browse the web (HTTP on port 80 and HTTPS on port 443). On the other hand, you do not want to accept connections originating from the Internet, so inbound traffic is accepted only when it belongs to a connection this computer opened (ESTABLISHED or RELATED).
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
You will also need to allow DNS so that the computer can resolve host names instead of having to use IP addresses, which is not very convenient. Replace the IP address used below with your router's (or your DNS resolver's) address.
# Replace eth0 with your interface name (for example ens3 on systems with predictable interface names)
-A INPUT -i eth0 -s 192.168.1.1 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.1 -p udp --dport 53 -m udp -j ACCEPT
Most Linux desktops use NTP to set and maintain the system time from the Internet. You need to allow the computer to connect to an NTP server to set the time.
# The NTP server listens on UDP port 123; matching the server side of the exchange works whether
# the client sends from port 123 (ntpd) or from an ephemeral port (chrony, systemd-timesyncd)
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED --sport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
Unless you are using a USB printer or an external print server, you need to allow connectivity with CUPS (port 631).
# These INPUT rules accept from any address; add -s with your LAN range to limit them to the local network
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 631 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 631 -j ACCEPT
You can also send and receive email. The ports allowed here are the SSL/TLS email ports; if you have to use unencrypted email, replace them with the plaintext ports.
# IMAP
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 993 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 993 -j ACCEPT
# POP3
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 995 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 995 -j ACCEPT
# SMTP
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 465 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 465 -j ACCEPT
To make full use of SSH, you need to allow both incoming and outgoing SSH connections.
# Input: incoming SSH. This accepts from any address; add -s with a trusted network to restrict it
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
# Output: SSH connections you open to other hosts
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
Most Linux computers use DHCP to receive an IP address automatically from the router. DHCP uses its own ports (67 on the server, 68 on the client), so these must be allowed. If you use a static IP address, you do not need these rules.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 67:68 -j ACCEPT
Put together, your rules will look like this:
You now have a list of fully functional iptables rules; you just need to load them into iptables. In case other rules have been added over time, delete them first. After the commands below you are back at the default state that allows everything, provided the chain policies are still ACCEPT (flushing removes rules, not policies).
sudo iptables -F && sudo iptables -X
Your computer is now using the new iptables rules. You can check them with the following command:
sudo iptables -S
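As an added example (not code from the original tutorial), the POSIX shell script below assembles the rules discussed above into a single iptables-restore file with explicit DROP policies, lints it for the slips that make iptables-restore reject the whole file (a `-p tc` typo, a space after the comma in a state list, `-state` with a single dash, a missing COMMIT), and loads it with a timed rollback so a mistake made over SSH does not lock you out. The interface name eth0 and router address 192.168.1.1 are taken from the page's rules; the /tmp paths, the 60-second rollback window and the use of the multiport match to group the web ports are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumed values: interface eth0,
# router/DNS at 192.168.1.1, working files under /tmp. Adjust to your system.

IFACE="${IFACE:-eth0}"
ROUTER="${ROUTER:-192.168.1.1}"

# Print the complete ruleset in iptables-save format. Policies are DROP, so any
# packet not matched by a rule below is discarded.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# outgoing ping and the replies to it
-A OUTPUT -o $IFACE -p icmp -j ACCEPT
-A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# web: we open the connection, only replies come back in (multiport is an assumption)
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i $IFACE -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS, to the router only
-A OUTPUT -o $IFACE -d $ROUTER -p udp --dport 53 -j ACCEPT
-A INPUT -i $IFACE -s $ROUTER -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NTP
-A OUTPUT -o $IFACE -p udp --dport 123 -j ACCEPT
-A INPUT -i $IFACE -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
# outgoing SSH
-A OUTPUT -o $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# DHCP
-A OUTPUT -o $IFACE -p udp --dport 67:68 -j ACCEPT
-A INPUT -i $IFACE -p udp --sport 67:68 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and report mistakes iptables-restore would reject.
# Returns 0 when clean, 1 otherwise. One bad line aborts the whole restore, so
# nothing is loaded and the host silently keeps whatever rules it had before.
lint_rules() {
    problems=0; n=0; commit=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in COMMIT) commit=1 ;; esac
        case "$line" in *"-p tc "*|*"-p tc")
            echo "line $n: '-p tc' is not a protocol (did you mean tcp?)"; problems=$((problems + 1)) ;;
        esac
        case "$line" in *"--state "*", "*)
            echo "line $n: no spaces inside the --state list"; problems=$((problems + 1)) ;;
        esac
        case "$line" in *" -state "*)
            echo "line $n: '-state' should be '--state'"; problems=$((problems + 1)) ;;
        esac
    done
    if [ "$commit" -eq 0 ]; then
        echo "missing COMMIT line"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Load a rules file (needs root). The old rules are saved first and restored
# after 60 s unless /tmp/rules.confirmed exists, so a lock-out undoes itself.
load_rules() {
    file="$1"
    lint_rules < "$file" || return 1
    iptables-save > /tmp/rules.backup || return 1
    iptables-restore --test "$file" || return 1
    iptables-restore "$file" || return 1
    ( sleep 60; [ -e /tmp/rules.confirmed ] || iptables-restore /tmp/rules.backup ) &
    echo "rules loaded; run 'touch /tmp/rules.confirmed' within 60 s to keep them"
}

# Usage: build_rules > /tmp/rules.v4 && sudo sh -c '. ./this_script; load_rules /tmp/rules.v4'
build_rules | lint_rules && echo "ruleset passes lint"
```

The linter catches exactly the class of error that makes a firewall appear configured while it is not: iptables-restore stops at the first bad line, so with a DROP policy you are either fully protected or not at all, and `sudo iptables -S` is the check that tells you which.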
However, these rules are only temporary. When you restart the computer, they will disappear.
There are several ways to make these rules permanent. This tutorial will focus on systems based on Debian and Ubuntu because they are the most popular.
There is a package, iptables-persistent, that handles saving and restoring iptables rules. All you need to do is install it.
During installation, the package will ask whether you want to save your current configuration; select Yes.
If you later add rules, save them by running the following command:
sudo service netfilter-persistent save
You are controlling traffic through your computer. You can do more with iptables, but try these basic operations!