====== Ubuntu - iptables - Implement a basic firewall ======
===== Create the firewall reset script =====
This script completely clears the firewall and changes all policies to ACCEPT, so that the system is completely opened up.
Issue the following command:
sudo vi /sharewiz/firewall/firewall-reset.sh
…add the following content to the file:
#!/bin/bash
#
# Resets all firewall rules
echo "Stopping firewall and allowing everyone..."
#
# Modify the following settings as required:
#
IPTABLES=/sbin/iptables
#
# Reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# Reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# Reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# Flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# Erase all chains that are not default in filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
----
===== Set up a failsafe when initially setting up the firewall =====
This prevents being locked out by a mistake in the iptables rules: the cron job below runs the reset script every ten minutes, so a bad rule set never stays in place for long.
Issue the following command:
sudo vi /etc/cron.d/firewall-reset-sharewiz
…add the following content to the file:
0,10,20,30,40,50 * * * * root /sharewiz/firewall/firewall-reset.sh
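Added check, not one of the wiki's own scripts: after the reset script (or the cron failsafe) has run, this confirms iptables is really in the fully open state it is meant to produce. It parses iptables-save style text, so it runs offline on the constructed samples below; on a live host pass `"$(sudo iptables-save)"` as the argument instead.

```shell
#!/bin/bash
# check_reset_state DUMP
# DUMP is iptables-save output. Returns 0 when every built-in chain policy
# is ACCEPT and no user-defined chains or rules remain; otherwise prints one
# line per leftover item and returns 1.
check_reset_state() {
    leftovers=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            '*'*) table="${line#\*}" ;;        # "*filter": start of a table
            ':'*)
                # ":CHAIN POLICY [pkts:bytes]"; user chains show "-" as policy
                set -- ${line#:}
                if [ "$2" = "-" ]; then
                    echo "leftover user chain: $table/$1"
                elif [ "$2" != "ACCEPT" ]; then
                    echo "policy not ACCEPT: $table/$1 is $2"
                fi ;;
            '-A '*) echo "leftover rule in $table: $line" ;;
        esac
    done)
    if [ -n "$leftovers" ]; then
        printf '%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# Constructed sample: what iptables-save prints after a clean reset.
CLEAN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: a DROP policy, a user chain and one rule survived.
DIRTY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

check_reset_state "$CLEAN_DUMP" && echo "clean dump: firewall fully open"
check_reset_state "$DIRTY_DUMP" || echo "dirty dump: reset incomplete"
```

Once the real rules are confirmed to work, remove /etc/cron.d/firewall-reset-sharewiz again, since the failsafe keeps opening the firewall every ten minutes for as long as it exists.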
----
===== Make the firewall reset cron job executable =====
Issue the following command:
sudo chmod 755 /etc/cron.d/firewall-reset-sharewiz
----
===== Create the firewall start / stop script =====
Issue the following command:
sudo vi /etc/init.d/firewall-sharewiz
…add the following content to the file:
#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall-sharewiz
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start and stop the firewall
### END INIT INFO
#
# Start and stop the Firewall.
# Modify the following settings as required:
IPTABLES=/sbin/iptables

# Flush every rule, delete user-defined chains and open all policies
# (the same end state as firewall-reset.sh).
open_firewall() {
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES -t mangle --flush
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
}

case "$1" in
    start)
        /sharewiz/firewall/firewall.sh
        ;;
    stop)
        open_firewall
        ;;
    restart)
        open_firewall
        /sharewiz/firewall/firewall.sh
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
----
===== Make the firewall script executable =====
Issue the following command:
sudo chmod +x /etc/init.d/firewall-sharewiz
----
===== Install the script to start and stop automatically on system boot and shutdown =====
Issue the following command:
sudo update-rc.d firewall-sharewiz defaults
To have the firewall start before the network comes up use the following command instead:
sudo update-rc.d firewall-sharewiz start 20 2 3 4 5 . stop 99 0 1 6 .
----
===== Test firewall =====
Test the firewall with several scanners, run from another host on the network:
sudo nmap -v -f 192.168.0.11
sudo nmap -v -sX 192.168.0.11
sudo nmap -v -sN 192.168.0.11
sudo hping3 -X 192.168.0.11
Test from outside the network with the ShieldsUP feature at http://www.grc.com