BCE-C712 Linux System Administration

0 of 74 lessons complete (0%)

TCP/IP Firewall and IP Masquerade

Sample Firewall Configuration

You don’t have access to this lesson

Please register or sign in to access the course content.

# Clear existing rules and set default policies
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow outbound traffic from private network
iptables -A FORWARD -i eth0 -o eth1 -s -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH access to the firewall itself
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP access to the firewall itself
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow DNS (UDP) traffic
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# Allow NTP (UDP) traffic
iptables -A INPUT -p udp --dport 123 -j ACCEPT

# Allow ICMP (ping) traffic (optional)
iptables -A INPUT -p icmp -j ACCEPT

# Deny all other incoming traffic
iptables -A INPUT -j DROP

# Enable NAT for outbound traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Save the rules to persist across reboots
iptables-save > /etc/iptables/rules.v4


  • This sample assumes a setup with two interfaces (eth0 for external, eth1 for internal).
  • It allows loopback traffic and established/related connections by default.
  • Outbound traffic from the private network ( is allowed.
  • Specific services (SSH, HTTP, DNS, NTP) are allowed to the firewall itself.
  • ICMP (ping) traffic is allowed (optional).
  • All other incoming traffic is denied.
  • NAT is enabled to handle outbound traffic from the private network.

Please remember to adapt the configuration to your specific network environment, adjust interface names, IP ranges, and service ports as needed. Additionally, always exercise caution when implementing firewall rules to avoid disrupting essential services.