This script completely clears the firewall: it flushes every rule, deletes user-defined chains and sets all built-in chain policies to ACCEPT in the filter, nat and mangle tables, so that the system is completely opened up. Use it only to recover from a bad rule set; note that it does not touch the raw or security tables.
Issue the following command:
sudo vi /sharewiz/firewall/firewall-reset.sh
…add the following content to the file:
#!/bin/bash
#
# Resets all firewall rules
echo "Stopping firewall and allowing everyone..."
#
# Modify the following settings as required:
#
IPTABLES=/sbin/iptables
#
# Reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# Reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# Reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# Flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# Erase all chains that are not default in filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
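To confirm that the reset really left the firewall fully open, check the live state rather than trusting the script's exit status. The following check is an added example and is not part of the original sharewiz scripts: it parses `iptables-save` output (the `:CHAIN POLICY [pkts:bytes]` headers and the `-A` rule lines) and reports the first thing that would still block or filter traffic: a non-ACCEPT policy, a leftover user-defined chain, or a leftover rule. The three dumps in the block are constructed samples; on a real box feed it `sudo iptables-save`.

```shell
#!/bin/bash
# Added example (not from the original page): check whether an iptables-save
# dump describes a fully open firewall, i.e. the state firewall-reset.sh is
# meant to leave behind:
#   - every built-in chain policy is ACCEPT
#   - no user-defined chains remain (their header reads ":NAME - [0:0]")
#   - no rules (-A lines) remain in any table
# Usage: fw_is_open "$(sudo iptables-save)"   (exit 0 = open, 1 = not open)
fw_is_open() {
    local dump="$1" line chain policy
    while IFS= read -r line; do
        case "$line" in
            ':'*)
                # Chain header, e.g. ":INPUT DROP [12:840]" or ":SHAREWIZ - [0:0]"
                chain="${line%% *}"
                chain="${chain#:}"
                policy="${line#* }"
                policy="${policy%% *}"
                if [ "$policy" = "-" ]; then
                    echo "user-defined chain still present: $chain"
                    return 1
                elif [ "$policy" != "ACCEPT" ]; then
                    echo "policy for $chain is $policy, not ACCEPT"
                    return 1
                fi
                ;;
            '-A '*)
                echo "rule still present: $line"
                return 1
                ;;
        esac
    done <<EOF
$dump
EOF
    echo "firewall is fully open"
    return 0
}

# Constructed sample: what firewall-reset.sh should leave behind.
OPEN_DUMP=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
)

# Constructed sample: a live rule set with DROP policies and a user chain.
CLOSED_DUMP=$(cat <<'EOF'
*filter
:INPUT DROP [3:180]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SHAREWIZ - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SHAREWIZ
COMMIT
EOF
)

# Constructed sample: policies reset but a rule was not flushed.
LEFTOVER_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
)

echo "OPEN_DUMP:     $(fw_is_open "$OPEN_DUMP")"
echo "CLOSED_DUMP:   $(fw_is_open "$CLOSED_DUMP")"
echo "LEFTOVER_DUMP: $(fw_is_open "$LEFTOVER_DUMP")"
```

Run `fw_is_open "$(sudo iptables-save)"` right after `firewall-reset.sh`; a non-zero exit with a message such as `policy for INPUT is DROP, not ACCEPT` means the reset did not do what the page promises, which is exactly the case in which the cron safety net below would still leave you locked out.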
Prevent being locked out by iptables changes. While you are developing the rule set, run the reset script from cron every ten minutes, so that a mistake that cuts off your SSH session is undone automatically. Remove this cron entry once the rules are stable: as long as it exists, the firewall is opened completely every ten minutes.
Issue the following command:
sudo vi /etc/cron.d/firewall-reset-sharewiz
…add the following content to the file:
0,10,20,30,40,50 * * * * root /sharewiz/firewall/firewall-reset.sh
Issue the following command:
sudo chmod 644 /etc/cron.d/firewall-reset-sharewiz
(The file must be owned by root. It does not need the execute bit, because cron reads it rather than running it; 644 is the conventional mode for files in /etc/cron.d.)
Issue the following command:
sudo vi /etc/init.d/firewall-sharewiz
…add the following content to the file:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall-sharewiz
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop the sharewiz firewall
### END INIT INFO
#
# Start and stop the Firewall.
# (The LSB header above must be the first thing after the shebang,
#  otherwise update-rc.d cannot read it.)
#
# Modify the following settings as required:
IPTABLES=/sbin/iptables
FIREWALL=/sharewiz/firewall/firewall.sh

# Flush every rule, delete user-defined chains and open all policies in the
# filter, nat and mangle tables, so that a restart can rebuild from scratch.
open_firewall() {
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES -t mangle --flush
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
}

case "$1" in
    start)
        $FIREWALL
        ;;
    stop)
        open_firewall
        ;;
    restart)
        open_firewall
        $FIREWALL
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
Issue the following command:
sudo chmod +x /etc/init.d/firewall-sharewiz
Issue the following command:
sudo update-rc.d firewall-sharewiz defaults
On systems that still use sequence numbers rather than dependency-based boot, you can set the start and stop order explicitly instead:
sudo update-rc.d firewall-sharewiz start 20 2 3 4 5 . stop 99 0 1 6 .
On dependency-based (insserv) systems these numbers are ignored and the LSB header in the script decides the order; with Required-Start: $network the firewall is started after networking has been configured, not before. If the rules must be in place before an interface comes up, hook the script into /etc/network/if-pre-up.d instead.
Test from another host with several scanners, replacing 192.168.0.11 with the firewall's address:
sudo nmap -v -f 192.168.0.11      (fragmented probes: checks that the rules also handle fragments)
sudo nmap -v -sX 192.168.0.11     (Xmas scan: FIN, PSH and URG flags set)
sudo nmap -v -sN 192.168.0.11     (Null scan: no TCP flags set)
sudo hping3 -X 192.168.0.11       (hping3 with the unused X flag, 0x40, set)
Test the public side with the ShieldsUP! service at http://www.grc.com, which probes the firewall from the Internet.