Iptables port filtering - Helped with easyfwgn

While clients look for the best way to get around filtering, administrators on the other side are concerned with their network's security. Unlike a client, who is responsible only for their own machine, a network administrator is responsible for many computers on the network. So it is normal for a network administrator to be protective of their network.

If you're an administrator and want to do outbound port filtering, the steps below are a simple way to do it.

Ever read about Easy Firewall Generator (easyfwgn)? If not, read about it here. It lets you generate an iptables firewall script from a web site. Let's start by generating a firewall script with easyfwgn.

  • Assuming you're using a static IP for your network, on the first page select Gateway/Firewall as the system type and click Generate to get to the second page.
  • Fill in the required information on the page, such as the IP address information and the inbound services you want to allow. Select Advanced Network Options to get the advanced options on the next page, then click Generate.
  • This page looks the same as before, except that there are more options under Advanced Network Options. Select Block Outbound Service to enable outbound access filtering, then click Generate.
  • The next page looks the same again, except for the Block Outbound Service section. Select one of the services you want to block (don't worry, just pick one at random; we will change it later) and click Generate.
  • The generated script will appear as text; copy all of it into your text editor (e.g. nano or vim).
By default this firewall script only blocks the selected outbound service and allows every other port to be reached from inside; we need to change it to block all ports and allow only the ones we want.
  • Search for "$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT" in the generated script and change ACCEPT to DROP, so it reads "$IPT -A tcp_outbound -p TCP -s 0/0 -j DROP".
  • Now that all ports are blocked, we need to define the ports to allow. Copy the line containing "$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port xxxx -j REJECT", change REJECT to ACCEPT and xxxx to the port number you want to allow. Copy the line once per additional port you want to allow. These ACCEPT lines must sit above the DROP line, because iptables evaluates a chain top to bottom and stops at the first matching rule.
Example:
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT #Allow ssh outbound
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT #Allow mail outbound
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT #Allow http outbound
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT #Allow https outbound
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 5000:5105 -j ACCEPT #Allow Yahoo Messenger

$IPT -A tcp_outbound -p TCP -s 0/0 -j DROP #Block other than defined above

  • Add "$IPT -A tcp_outbound -m state --state ESTABLISHED,RELATED -j ACCEPT" above those rules so that packets belonging to already-established connections are allowed through.
  • Save your work as Firewall and change its permissions so the script can be executed:
#chmod u+x Firewall
  • Test it by executing the script. If the firewall shows no errors, try accessing the internet from a client PC: try both the allowed and the blocked outbound services you defined in the Firewall script.
[Image: Example Filtered Port]
  • If no problems occur, you can add the script to /etc/rc.local so the firewall is loaded every time the system boots.
That's all; you can now freely define allowed outbound access by adding more rules like the examples above.
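Putting the rules above together, as an added example that is not part of easyfwgn's generated script: a POSIX shell function that builds the whole tcp_outbound chain from an allow-list of ports, with the ESTABLISHED,RELATED rule first and a rate-limited LOG rule before the final DROP so blocked attempts show up in the kernel log. It assumes the tcp_outbound chain has already been created by the generated script; the port list is an assumption, and IPT defaults to echo so the rules are printed for review instead of applied.

```shell
#!/bin/sh
# Added example, not easyfwgn's own script. IPT defaults to "echo" so the
# rules are only printed; run with IPT=iptables as root to apply them to an
# existing tcp_outbound chain. The allowed ports below are an assumption.
IPT="${IPT:-echo}"
ALLOWED_TCP_PORTS="22 25 80 443 5000:5105"

build_tcp_outbound() {
    # 1. Replies for connections already allowed are matched first, so they
    #    never reach the DROP at the bottom of the chain.
    $IPT -A tcp_outbound -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. One ACCEPT per allowed destination port (or port range).
    #    "-s 0/0" from the generated script is omitted: it matches any source
    #    address, which is already the default.
    for port in $ALLOWED_TCP_PORTS; do   # unquoted on purpose: word splitting
        $IPT -A tcp_outbound -p TCP --destination-port "$port" -j ACCEPT
    done
    # 3. Log what is about to be blocked (rate-limited so a chatty client
    #    cannot flood the log), then drop everything not allowed above.
    $IPT -A tcp_outbound -p TCP -m limit --limit 5/minute \
        -j LOG --log-prefix "OUT-BLOCK: "
    $IPT -A tcp_outbound -p TCP -j DROP
}

# Number of rule lines the function emits; handy for review when IPT=echo.
count_rules() {
    build_tcp_outbound | wc -l | tr -d ' '
}
```

Review the printed rules with `sh Firewall-outbound.sh`, then apply them with `IPT=iptables sh Firewall-outbound.sh` as root after the generated script has created the chain.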