iptables Notes
This document briefly outlines some important points about the iptables firewall, including the configuration files used on Alpine Linux.
Background Information
I have a set of lecture videos explaining how to work with iptables:
- Introduction to iptables
- iptables: Packet Processing
- iptables: Tables and Chains
- iptables: Rules and Targets
- Working with iptables
Alpine Linux iptables Services
In Alpine Linux, the iptables and ip6tables packages provide firewall support. By default, the iptables package usually gets installed, but the ip6tables package might need to be added manually. Once the packages are added, it is necessary to ensure the firewall services are stopped before trying to edit the rules:
rc-service iptables stop
rc-service ip6tables stop
The save locations for firewall rules can be set in /etc/conf.d/iptables and /etc/conf.d/ip6tables, but by default, /etc/iptables/rules-save and /etc/iptables/rules6-save are used. CAUTION: by default, the currently loaded iptables/ip6tables rules are written to the corresponding save file whenever the matching service (iptables or ip6tables) is stopped, so a service that is still running when you edit its file will overwrite your edits the next time it stops. That is why the services are stopped first.
Here is an extremely restrictive set of firewall rules that can be used for both iptables and ip6tables as a starting point:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
Now start both services and add them to the default runlevel:
rc-service iptables start
rc-service ip6tables start
rc-update add iptables
rc-update add ip6tables
Editing the Rules
For our purposes, we can simply stop the firewall and edit the rules files in place.
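As an added example (not part of the original notes), here is a POSIX sh helper that writes the restrictive rule set above in the rules-save/rules6-save format while allowing an explicit list of inbound TCP ports. It goes a step beyond the page by also dropping INVALID packets and, in the IPv6 file, accepting the ICMPv6 neighbour-discovery types that the conntrack rule alone does not admit; the function names gen_rules, write_rules and check_rules are my own, and check_rules assumes the installed iptables-restore supports --test.

```shell
#!/bin/sh
# Added example: build Alpine-style rules-save / rules6-save files from the
# restrictive base above plus an allow-list of inbound TCP ports.
# Usage: gen_rules <4|6> [port ...]   (prints the file to stdout)
gen_rules() {
    family="$1"; shift
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    if [ "$family" = 6 ]; then
        # Router advertisement, neighbour solicitation and neighbour advertisement
        # (ICMPv6 134-136) are not covered by the conntrack rule; IPv6 needs them.
        for t in 134 135 136; do
            printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
    fi
    for p in "$@"; do
        # Only the first packet of a flow needs this; the rest match the conntrack rule.
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Write both files into a directory (on the live system use /etc/iptables,
# with both services stopped as described above). Usage: write_rules <dir> [port ...]
write_rules() {
    dir="$1"; shift
    gen_rules 4 "$@" > "$dir/rules-save"
    gen_rules 6 "$@" > "$dir/rules6-save"
}

# Dry-run parse of the written files before starting the services
# (needs root and the iptables/ip6tables packages; assumes --test is supported).
check_rules() {
    dir="$1"
    iptables-restore --test < "$dir/rules-save" &&
        ip6tables-restore --test < "$dir/rules6-save"
}
```

Run write_rules /etc/iptables 22 with the services stopped, then check_rules /etc/iptables before starting them again.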