LinWiz://ServerFirewall

Simple Linux Server iptables boot-script wizard
[Version 1.09 - June 2003]

By Chris Lowth

If you find this tool useful, please consider making a small financial contribution towards its continued development via eBay's "PayPal" system.

This tool is one of the LinWiz set of wizards. It creates a simple firewall shell script (for any iptables-enabled Linux system) or a configuration file in the iptables-restore format used by hosts that save their rule sets that way, such as RedHat Linux 7.1, 7.2, 7.3 and 8.0. The generated configuration is an iptables rule set for a server or workstation with a single network card that does not act as a router (it does not forward IP traffic).

Step 1 - read and understand this disclaimer

This tool is Copyright (C) Chris Lowth, 2003. The files it creates are provided under the terms of the GNU General Public License, the full text of which is available here. This license governs your rights to use and redistribute the generated code and highlights the fact that it is provided with no warranty.

Your continued use of the tool and the files it creates indicates your acceptance of these terms.

A note about privacy: nothing entered into this form is stored on the web server or deliberately passed to any person or agency. Your privacy is respected. The data you enter is sent over the internet in clear text for processing by the LinWiz tools, so it is possible (though unlikely) that someone could snoop the connection and read it; this is true of any unencrypted internet traffic, which includes most of the world wide web. The good news is that these tools work just as well with false IP addresses as with real ones, provided that you edit the downloaded file to replace the false addresses with the real ones. In most cases false addresses are not needed, particularly if your computer is located in a private network.

Step 2 - Simple IP services

This section lists a number of popular TCP and UDP "services" that you might have running on your system. If you wish to allow (or refuse) other people on the network access to these services, select or clear the relevant tick boxes below. A service that is not ticked is refused, not merely left unmentioned.

Name      Description                                                  Ports                                SSL Ports
dhcp      Dynamic Host Configuration Protocol                          67:68/udp
domain    DNS - Domain Name Service (IP name resolution)               domain/udp
ftp       File Transfer Protocol                                       ftp/tcp, ftp-data/tcp
http      Web server (Hypertext Transfer Protocol)                     http/tcp                             https/tcp
imap      Internet Message Access Protocol (on-server mail folders)    imap/tcp                             imaps/tcp
irc       Internet Relay Chat                                          irc/tcp                              ircs/tcp
ldap      Lightweight Directory Access Protocol                        ldap/tcp                             ldaps/tcp
ntp       Network Time Protocol (synchronising clocks over IP)         ntp/udp
pop3      Post Office Protocol (for mail collection)                   pop3/tcp                             pop3s/tcp
printing  Unix print services - select only those you use             ipp/tcp, 631/tcp, printer/tcp
samba     Samba - NetBIOS over IP, etc. (for MS Windows networking)    netbios-ns/udp, netbios-dgm/udp,
                                                                       netbios-ssn/tcp, wins/all
smtp      Mail relay server, such as sendmail                          smtp/tcp                             smtps/tcp
snmp      Simple Network Management Protocol                           snmp/tcp, snmp/udp, snmptrap/udp
ssh       Secure shell - encrypted login and port tunnelling           ssh/tcp
telnet    Remote login (insecure)                                      telnet/tcp                           telnets/tcp

Notes on the table:
  • Ports are written as name/protocol using the names in /etc/services; "67:68/udp" is the port range 67 to 68, and "wins/all" means both tcp and udp.
  • domain: the wizard opens only domain/udp. A name server also needs domain/tcp (port 53) for zone transfers and for answers too large for one UDP datagram, so add 53 to the extra TCP ports in Step 4 if this host serves DNS to others.
  • printing: "ipp" (the Internet Printing Protocol) and 631/tcp are the same port, used by the cups daemon; "printer" (515/tcp) is the lpd or lprng daemon.
  • samba: the wins port is only needed if Samba is configured to run as a WINS server.
  • telnet sends passwords in the clear; prefer ssh unless you have no choice.


Step 3 - Complex IP services

Some IP services (or groups of services) are more complex, and require groups of ports to be configured, or for the services themselves to be updated or modified. This section is used to set up a number of popular "complex" services.

Service   Enabled?   More information

NFS

Read the NFS help page for information on setting up NFS for firewall control, then fill in the following port numbers. If you leave any of these numbers blank, the relevant NFS component will be omitted from your host firewall rules.

Please note that the default settings will not work unless the setup changes recommended in the help page are also followed: only portmap and nfsd have fixed ports, while mountd, lockd, statd and quotad take whatever port the portmapper assigns them at start-up, so they must be pinned to the fixed numbers below before any firewall rule can describe them.

   portmap port :  (default: 111)
   mountd port  :  (default: 4002)
   nfsd port    :  (default: 2049)
   lockd port   :  (default: 4001)
   statd port   :  (default: 4000)
   quotad port  :  (default: 4003)
X Windows remote access

Log in to other systems using "X", or run X applications on them
(allow remote X applications to connect to your X server(s)).

Select the "X" displays (below) that remote "X" applications should be allowed to connect to. The usual server is number ":0"; you only need to select any of the others if you deliberately start additional servers. If you don't know what this means, you can probably leave it at just ":0". Each X server :n listens on TCP port 6000+n, so selecting ":0" opens port 6000.
:0 :1 :2 :3 :4 :5 :6 :7

Permit others to log in to your system using "X"
(allow them to connect to your X server(s) using XDMCP)

Enable this option if you wish to allow users on other hosts to perform remote X logins to your server. This enables the "xdmcp" protocol (UDP port 177). Neither X nor XDMCP encrypts its traffic; where you can, tunnel X over ssh instead of opening these ports.

Step 4 - Extra IP services

  • Add the port numbers for any TCP or UDP services you wish to enable that are missing from the tables above.
  • To specify more than one port, separate them with spaces or commas.

Port type      Description
Extra TCP/IP   List the port numbers for extra TCP services you wish to enable.
Extra UDP      List the port numbers for extra UDP services you wish to enable.
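The following shell script is an added example, not LinWiz's own generator, showing how the selections from Steps 2, 3 and 4 turn into iptables rules for a single-homed host. It takes the "port/proto" tokens exactly as the Step 2 table writes them, plus X display numbers, and prints the rules for review rather than running them. The interface name eth0 and the names of the ftp connection-tracking modules are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example; not LinWiz's generator.  Turns "port/proto" tokens
# (Steps 2 and 4) and X display numbers (Step 3) into iptables INPUT
# rules for a single-homed host and prints them for review.  Nothing
# here executes iptables: read the output, then pipe it to "sh".
# Assumed, not from the page: interface eth0, ftp helper module names.

IFACE="${IFACE:-eth0}"   # assumed interface name

# The stateful skeleton every rule set needs: loopback open, replies to
# connections this host opened accepted, and a default DROP policy so a
# service that is not listed is refused rather than merely unlisted.
emit_skeleton() {
    printf '%s\n' \
        "iptables -F INPUT" \
        "iptables -P INPUT DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# One token from the Step 2 table -> ACCEPT rule(s).
#   http/tcp   -> tcp dport http   (iptables resolves names via /etc/services)
#   67:68/udp  -> udp dport range 67 to 68
#   wins/all   -> one rule each for tcp and udp (the table's "all" marker)
emit_token() {
    port="${1%/*}"
    proto="${1#*/}"
    case "$proto" in
        tcp|udp)
            printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT\n' "$IFACE" "$proto" "$port" ;;
        all)
            emit_token "$port/tcp"
            emit_token "$port/udp" ;;
        *)
            printf 'unknown protocol in "%s"\n' "$1" >&2
            return 1 ;;
    esac
}

# Step 3: X server :n listens on TCP 6000+n; XDMCP logins use UDP 177.
emit_x_display() {
    for n in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$IFACE" "$((6000 + n))"
    done
}
emit_xdmcp() {
    printf 'iptables -A INPUT -i %s -p udp --dport 177 -j ACCEPT\n' "$IFACE"
}

# Assemble: skeleton first, then one rule per token.  ftp also needs the
# connection-tracking helper: in passive mode the data connection goes to
# a high port chosen by the server, and in active mode ftp-data (20/tcp)
# is the server's *source* port, so an inbound rule on port 20 does
# nothing useful; the helper marks those connections RELATED so the
# skeleton's state rule admits them.
generate() {
    emit_skeleton
    for tok in "$@"; do
        case "$tok" in
            ftp/tcp) printf '%s\n' "modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp" ;;
        esac
        emit_token "$tok"
    done
}

# Example selection (ssh included so an administrator applying this over
# ssh is not locked out); review with "sh thisfile | less".
generate ssh/tcp http/tcp https/tcp domain/udp domain/tcp 67:68/udp
```

Because the script only prints, a mistake in the selection shows up as a wrong line on the screen rather than as a host that has just dropped your ssh session; pipe the output to `sh` only after reading it.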

Step 6 - Filtering by IP and/or MAC address

In this section, you can list IP addresses, subnets or MAC addresses that you wish either to allow or to deny access to the services you have chosen to enable. If you leave both boxes empty, no filtering on IP or MAC address is performed.

IP addresses:
MAC addresses:

Choose how these addresses should be handled: allowed (only the listed addresses may connect) or denied (the listed addresses may not connect; everyone else may).

A MAC address only identifies the last hop: packets that reach this host through a router carry the router's MAC address, not the sender's, and a host on the same network segment can set its own MAC address at will. Use MAC filtering as a convenience on a local network, not as proof of identity.

Step 7 - Options

Select the options you want to turn on. The default settings are good for most users.

If you select option 3 (which is on by default), enter the IP address of your system in the box below the table. You can use fictional information if you want, and then edit the created file by hand after downloading it.

 #  Option                                                      Default
 1  Respond to "pings" from other hosts?                        all
      "all"      : respond to all hosts without limit
      "filtered" : only respond to hosts that are permitted by the filters in step 6
      "none"     : don't respond to pings from any host
 2  Drop spoofed "loopback" packets?                            yes
      Should your computer drop IP packets arriving from the network whose source address is in the loopback range? Such packets cannot legitimately arrive on a real interface.
 3  Drop packets spoofing the local address?                    yes
      Should your computer drop IP packets coming in from the network that claim the computer's own address as their source? If you say "yes", the tool needs the computer's IP address to build the rule; enter it in the box below this table (a fictional one will do if you edit the generated script later).
 4  Block "syn flood" attacks?                                  yes
      Should your computer detect and drop packets that look as if they are part of a SYN flood attack?
 5  Block TCP connections that don't start with "syn" packets?  yes
      Should your system detect and drop packets that break the rule that every TCP connection starts with a SYN packet?
 6  Log rejected packets?                                       none
      Should your computer write syslog entries for packets that are rejected or dropped by these filtering rules?
      "all"  : log all rejected packets
      "some" : log all rejected packets except NetBIOS name-resolution broadcasts (you will get a lot of these on a Microsoft network)
      "none" : don't log any rejected packets
 7  Act as a SAMBA client?                                      no
      Should your system be permitted to access remote SAMBA shares, on Windows systems or other Linux ones?

Your computer's IP address: (needed if you chose option 3 above)
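As an added example, not the script LinWiz generates, the following shell functions write out the Step 6 address filter and each Step 7 option as iptables rules and print them for review. The interface name, the chain names, the log prefix, the rate-limit figures and the way option 7 is implemented are assumptions of this example; the page only names the options.

```shell
#!/bin/sh
# Added example, not LinWiz's script: the Step 6 address filter and the
# Step 7 options as iptables rules, printed for review (nothing here runs
# iptables).  Assumed, not from the page: interface name, chain names,
# log prefix, rate-limit figures, and how option 7 is implemented.

IFACE="${IFACE:-eth0}"

# A Step 6 entry is a MAC address (aa:bb:cc:dd:ee:ff) or an IP/CIDR.
match_for() {
    case "$1" in
        *:*:*:*:*:*) printf '%s' "-m mac --mac-source $1" ;;
        *)           printf '%s' "-s $1" ;;
    esac
}

# Step 6.  mode "allow": only listed sources may open connections; mode
# "deny": listed sources are refused, everyone else continues.  A MAC rule
# only sees the last hop (traffic via a router carries the router's MAC)
# and a neighbour can forge its own, so it is a convenience, not identity.
emit_address_filter() {
    mode="$1"; shift
    printf '%s\n' "iptables -N addrfilter 2>/dev/null" "iptables -F addrfilter"
    for entry in "$@"; do
        case "$mode" in
            allow) printf 'iptables -A addrfilter %s -j RETURN\n' "$(match_for "$entry")" ;;
            deny)  printf 'iptables -A addrfilter %s -j DROP\n'   "$(match_for "$entry")" ;;
        esac
    done
    # allow mode: a source not in the list falls off the end and is dropped
    [ "$mode" = allow ] && printf '%s\n' "iptables -A addrfilter -j DROP"
    printf 'iptables -A INPUT -i %s -m state --state NEW -j addrfilter\n' "$IFACE"
}

# Option 1.  "filtered" runs echo requests through the Step 6 chain first.
emit_ping() {
    case "$1" in
        all)      printf 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n' ;;
        filtered) printf 'iptables -A INPUT -i %s -p icmp --icmp-type echo-request -j addrfilter\n' "$IFACE"
                  printf 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n' ;;
        none)     printf 'iptables -A INPUT -p icmp --icmp-type echo-request -j DROP\n' ;;
    esac
}

# Options 2 to 5.  These are DROP rules and must precede every ACCEPT, so
# emit them right after the default policy.  $1 is the host's own address
# (the box under the table); pass "" to leave option 3 out.
emit_hardening() {
    myip="$1"
    # 2: a packet from 127/8 cannot legitimately arrive on a real interface
    printf 'iptables -A INPUT -i %s -s 127.0.0.0/8 -j DROP\n' "$IFACE"
    # 3: nor can one claiming our own address as its source
    [ -n "$myip" ] && printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$IFACE" "$myip"
    # 5: a TCP packet without SYN cannot open a connection; dropping it also
    #    blinds FIN/NULL/XMAS scans that probe for open ports without a SYN
    printf 'iptables -A INPUT -i %s -p tcp ! --syn -m state --state NEW -j DROP\n' "$IFACE"
    # 4: rate-limit SYNs (5/s, burst 20 are assumed figures).  A real flood
    #    drains the bucket and then legitimate SYNs are dropped too, so pair
    #    this with SYN cookies: sysctl -w net.ipv4.tcp_syncookies=1
    printf '%s\n' "iptables -N synflood 2>/dev/null" "iptables -F synflood" \
        "iptables -A synflood -m limit --limit 5/s --limit-burst 20 -j RETURN" \
        "iptables -A synflood -j DROP"
    printf 'iptables -A INPUT -i %s -p tcp --syn -j synflood\n' "$IFACE"
}

# Option 6.  Goes LAST in INPUT, after every ACCEPT, so only traffic about
# to be dropped is logged.  "some" first swallows NetBIOS name-service
# packets (udp 137), which a Windows LAN broadcasts constantly.  The limit
# stops a port scan from filling syslog.
emit_logging() {
    case "$1" in
        none) return 0 ;;
        some) printf 'iptables -A INPUT -i %s -p udp --dport 137 -j DROP\n' "$IFACE" ;;
    esac
    printf 'iptables -A INPUT -i %s -m limit --limit 10/min -j LOG --log-prefix "fw-drop: "\n' "$IFACE"
}

# Option 7 (assumed implementation).  Replies on tcp 139/445 match the
# ESTABLISHED rule, but a NetBIOS name query is broadcast and answered by
# unicast from another address, which connection tracking does not pair
# with the query, so the reply ports have to be opened.
emit_samba_client() {
    printf 'iptables -A INPUT -i %s -p udp --sport 137:138 --dport 137:138 -j ACCEPT\n' "$IFACE"
}

# A complete INPUT chain for a host at 192.0.2.10 (assumed) reachable only
# from 10.0.0.0/8; the Step 2 to 4 service ACCEPT rules go where marked.
printf '%s\n' "iptables -F INPUT" "iptables -P INPUT DROP"
emit_hardening 192.0.2.10
printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT" \
       "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
emit_address_filter allow 10.0.0.0/8
# ... service rules here ...
emit_ping filtered
emit_logging some
```

The ordering at the bottom is the point: the spoofing and non-SYN drops come before any ACCEPT, the address filter runs on NEW connections before the service rules, and the LOG rule is last so it only records what is about to be dropped.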

Step 8 - Actions

Click on one of these buttons:

Redisplay this page
    Redraws the page with the ports that have been selected as "enabled" coloured green and those that are "disabled" coloured red. This is simply to make it easier to read and has no effect on the script that will eventually be generated.

Download the generated config file
    For RedHat 7.1, 7.2, 7.3, 8.0 or 9: save the file to disk, copy it to /etc/sysconfig/iptables on your Linux system, and load it with "service iptables restart". Be sure to copy it as a Unix-formatted file (LF line endings): carriage returns added by a Windows editor end up inside the rule text and the file will not load.

Download the generated config file as a shell script
    This file format is suitable for use as a classic "rc.firewall" script. Be sure to copy it as a Unix-formatted file. If you will run it over an ssh session, check that ssh/tcp is enabled in Step 2 first: the script refuses every service you did not enable and would otherwise cut off your own session.

Export your data for saving on your hard drive
    Saves the generated web page in HTML format so that you can revisit this LinWiz tool later, possibly to change your settings and create a new firewall configuration, or simply to review the choices you made.
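The two download formats above carry the same rules in different clothing: the rc.firewall script is a list of iptables commands, while /etc/sysconfig/iptables is the text that iptables-restore reads. The converter below is an added example (not LinWiz code) that turns one into the other, so a rule set reviewed as a script can be shipped in restore format. It assumes only the filter table is used, that FORWARD is dropped because the page's host does not route, and that OUTPUT is left open; the sample script at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not LinWiz code: convert "iptables ..." command lines of
# an rc.firewall-style script into the iptables-restore file format that
# RedHat loads from /etc/sysconfig/iptables.  Reads the script on stdin,
# writes the restore file on stdout.  Assumed: filter table only, FORWARD
# dropped (this host does not route), OUTPUT open.
nl=$(printf '\nx'); nl=${nl%x}    # a literal newline for building buffers

to_restore_format() {
    in_pol=DROP; fwd_pol=DROP; out_pol=ACCEPT
    chains=""; rules=""
    while IFS= read -r line; do
        case "$line" in
            "iptables -P INPUT "*)   in_pol=${line##* } ;;
            "iptables -P FORWARD "*) fwd_pol=${line##* } ;;
            "iptables -P OUTPUT "*)  out_pol=${line##* } ;;
            "iptables -N "*)         # user chains are declared in the header, before any -A uses them
                name=${line#iptables -N }; name=${name%% *}
                chains="$chains:$name - [0:0]$nl" ;;
            "iptables -F"*)          ;;   # flushes are implicit: restore replaces the whole table
            "iptables -A "*)         rules="$rules${line#iptables }$nl" ;;
            ""|"#"*)                 ;;
            *)                       # modprobe, sysctl etc. have no place in a restore file;
                                     # keep them visible as comments so they are not silently lost
                rules="$rules# run separately: $line$nl" ;;
        esac
    done
    printf '*filter\n:INPUT %s [0:0]\n:FORWARD %s [0:0]\n:OUTPUT %s [0:0]\n' \
        "$in_pol" "$fwd_pol" "$out_pol"
    printf '%s%s' "$chains" "$rules"
    printf 'COMMIT\n'
}

# Constructed sample script: roughly what a Step 2 selection of ssh and http
# plus a user chain and an ftp helper line would look like.
sample='iptables -F INPUT
iptables -P INPUT DROP
iptables -N synflood 2>/dev/null
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
modprobe ip_conntrack_ftp'

printf '%s\n' "$sample" | to_restore_format
```

Lines that are not iptables rules (the modprobe for the ftp helper, for instance) survive only as comments in the restore file, which is the reminder that they must be arranged some other way on a RedHat host before the rules are loaded.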


This tool is powered by Apache, PHP and Perl with purpose-written code by Chris Lowth. The LinWiz source code and this page are Copyright (c) 2003 Chris Lowth. The files generated by this software are licensed under the GPL, version 2.