Gentoo Wiki


Beginners and casual users

For beginners and people who do not want to mess with iptables directly, setting up Shorewall could be a better option. (Unfortunately there is no good HOWTO for Shorewall yet.)

It also has traffic shaping capabilities (using the tc tool).

Basic iptables rules

iptables is the basic frontend for the kernel's extensive set of firewall and routing functionality. You can use it directly, but most of the time you will want to have a set of rules in a script.

For this to work, the related netfilter kernel options have to be enabled:

[Please add the exact options.]

Here is a basic shell script with a quite nice set of iptables rules, to build upon:

#!/bin/sh
# Default policies: drop everything that no rule below explicitly accepts,
# and do not forward packets at all.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

# Accept replies to connections this host initiated (or related traffic).
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log new connection attempts, split by protocol and by low/high port range.
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 0:1023 -j LOG --log-prefix "iptables: LOW PORT TCP CON: "
/sbin/iptables -A INPUT -p udp -m state --state NEW -m udp --dport 0:1023 -j LOG --log-prefix "iptables: LOW PORT UDP CON: "
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1024:65535 -j LOG --log-prefix "iptables: HIGH PORT TCP CON: "
/sbin/iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1024:65535 -j LOG --log-prefix "iptables: HIGH PORT UDP CON: "
# Log ICMP, rate limited so a ping flood cannot fill the log.
/sbin/iptables -A INPUT -p icmp -m limit --limit 5/minute -j LOG --log-prefix "iptables: ECHO: "

# Log TCP packets with flag combinations that never occur in normal traffic
# (typical port-scan signatures). These rules must sit before the REJECT
# rules below, because REJECT ends rule traversal for a matching packet.
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "iptables: NMAP-XMAS:"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "iptables: XMAS:"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "iptables: XMAS-PSH:"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "iptables: NULL_SCAN:"
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "iptables: SYN/RST:"
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "iptables: SYN/FIN:"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "iptables: SYN stealth:"

# Everything else arriving on eth0 gets a clean rejection instead of a silent
# drop; packets on other interfaces fall through to the DROP policy.
/sbin/iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable

Just run it at every boot (via your init system).

For an explanation on what the rules do, please read the iptables documentation.
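The LOG rules in the script write lines with the given prefixes to the kernel log. As an added example (not from the original page), the following script counts, per source address, how often one of the TCP flag-scan signatures fired, while ignoring the ordinary "LOW/HIGH PORT ... CON" and "ECHO" lines; the log excerpt is a constructed sample in the format the LOG target emits, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise the scan-signature
# LOG lines produced by the ruleset above, per source address.
# SAMPLE_LOG is a constructed excerpt in the format the LOG target writes to
# the kernel log (some fields such as MAC= and LEN= are omitted for brevity).
SAMPLE_LOG='Sep  5 22:10:01 gw kernel: iptables: NMAP-XMAS:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22
Sep  5 22:10:01 gw kernel: iptables: NMAP-XMAS:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=80
Sep  5 22:10:02 gw kernel: iptables: NULL_SCAN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=443
Sep  5 22:11:40 gw kernel: iptables: SYN/FIN:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25
Sep  5 22:12:03 gw kernel: iptables: LOW PORT TCP CON: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=53422 DPT=22
Sep  5 22:12:09 gw kernel: iptables: ECHO: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0'

# Print "hits source" for every source that triggered one of the TCP flag
# signatures (XMAS, NULL, SYN/RST, SYN/FIN, SYN stealth), most hits first.
# Plain connection-attempt and ECHO lines are ordinary traffic and are
# skipped. Reads log lines on stdin.
scan_hits_by_src() {
    awk '
        /kernel: iptables: / {
            rest = $0
            sub(/.*kernel: iptables: /, "", rest)   # drop timestamp and host
            prefix = rest
            sub(/ *IN=.*/, "", prefix)              # prefix ends where IN= starts
            sub(/:$/, "", prefix)                   # drop the trailing colon
            if (prefix !~ /XMAS|NULL_SCAN|SYN\/RST|SYN\/FIN|SYN stealth/) next
            if (match(rest, /SRC=[0-9.]+/))
                hits[substr(rest, RSTART + 4, RLENGTH - 4)]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -rn
}

# Run the summary over the constructed sample (hypothetical helper name).
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | scan_hits_by_src
}

summarize_sample
```

On a live system feed the kernel log (for example dmesg output or the syslog file that receives kern messages) into scan_hits_by_src instead of the sample.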

Advanced techniques

Please refer to the Advanced Routing & Traffic Control HOWTO at TLDP, and the iptables and tc documentation for more advanced ways of filtering, routing and traffic shaping.

For even more advanced security, you can use:

Last modified: Fri, 05 Sep 2008 22:23:00 +0000