====== Systems - Media Server - Secure the Server - Setup a Firewall ======
====== Create a firewall-reset script ======
#!/bin/bash
#
# Resets all firewall rules
echo "Stopping firewall and allowing everyone..."
#
# Modify the following settings as required:
#
IPTABLES=/sbin/iptables
#
# Reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# Reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# Reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# Flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# Erase all chains that are not default in filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
**NOTE:** This resets all firewall rules and leaves every default policy at ACCEPT, so the server accepts all traffic until the firewall script is run again.
----
===== Create a systemd service unit file for the firewall =====
Create a file named **/etc/systemd/system/sharewiz-firewall.service**:
[Unit]
Description=Runs the firewall.
[Service]
ExecStart=/sharewiz/firewall/firewall.sh
ExecStop=/sharewiz/firewall/firewall-reset.sh
Type=oneshot
RemainAfterExit=yes
[Install]
#WantedBy=multi-user.target
WantedBy=default.target
**NOTE:** Ensure that the scripts referenced by **ExecStart** and **ExecStop** are executable, otherwise the unit will fail to start or stop.
* **ExecStart** - this is the script that is run when the service starts.
* **ExecStop** - this is the script that is run when the service stops.
----
===== Reload and enable the sharewiz-firewall.service unit =====
sudo chmod 644 /etc/systemd/system/sharewiz-firewall.service
sudo systemctl daemon-reload
sudo systemctl enable sharewiz-firewall.service
**NOTE:** The **systemctl daemon-reload** command reloads all unit files, including the new unit file created for the firewall.
----
===== Check firewall status =====
sudo iptables -L INPUT -n
returns:
Chain INPUT (policy DROP)
target prot opt source destination
...
lots of rules...
**NOTE:** This should display a lot of rules.
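A post-setup check that covers both the NOTE about executable scripts and the status check in this section, added here as an example and not part of the wiki page: it parses the default policy out of **iptables -L INPUT -n** output (constructed sample included) and verifies that the scripts named by **ExecStart** and **ExecStop** in the unit file are executable. The unit and script paths are the page's own; the function names and the **LIVE** switch are assumptions.

```sh
#!/bin/sh
# Post-setup checks for the sharewiz-firewall unit. Added example, not from the wiki page.
# Assumes the unit and script paths the page uses; the iptables output below is constructed.

UNIT_FILE="${UNIT_FILE:-/etc/systemd/system/sharewiz-firewall.service}"

# Print the default policy of a chain, parsed from `iptables -L <chain> -n` output on stdin.
# The header line looks like: "Chain INPUT (policy DROP)".
chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\)).*/\1/p" | head -n 1
}

# Exit 0 when the INPUT policy is DROP (firewall.sh has run). After firewall-reset.sh
# every policy is ACCEPT, so a stopped unit means the host accepts everything.
input_is_locked_down() {
    [ "$(chain_policy INPUT)" = "DROP" ]
}

# Print the ExecStart= and ExecStop= program paths from a unit file given on stdin
# (leading systemd prefix characters such as "-" or "+" are skipped).
unit_exec_paths() {
    sed -n -e 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' -e 's/^ExecStop=[-@+!]*\([^ ]*\).*/\1/p'
}

# Exit 0 only when every script the unit references exists and is executable,
# which is the condition the NOTE above asks for.
unit_scripts_executable() {
    ok=0
    for path in $(unit_exec_paths < "$1"); do
        [ -x "$path" ] || { echo "not executable: $path" >&2; ok=1; }
    done
    return $ok
}

# Constructed samples of `sudo iptables -L INPUT -n` output, after firewall.sh and after reset.
SAMPLE_LOCKED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# Runs on the samples by default; set LIVE=1 to check the real unit file and the live ruleset.
if [ "${LIVE:-0}" = 1 ]; then
    unit_scripts_executable "$UNIT_FILE" && echo "unit scripts are executable"
    sudo iptables -L INPUT -n | input_is_locked_down && echo "INPUT policy is DROP"
else
    printf '%s\n' "$SAMPLE_LOCKED" | input_is_locked_down && echo "sample 1: locked down"
    printf '%s\n' "$SAMPLE_OPEN" | input_is_locked_down || echo "sample 2: open (reset state)"
fi
```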