Ubuntu - iptables - Implement a basic firewall

Create the firewall reset script

This script completely clears the firewall and changes all policies to ACCEPT, so that the system is completely opened up.

Issue the following command:

sudo vi /sharewiz/firewall/firewall-reset.sh

…add the following content to the file:

/sharewiz/firewall/firewall-reset.sh
#!/bin/bash
#
# Resets all firewall rules
echo "Stopping firewall and allowing everyone..."
#
# Modify the following settings as required:
#
IPTABLES=/sbin/iptables
#
# Reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# Reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# Reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# Flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# Erase all chains that are not default in filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

Set up a failsafe when initially setting up the firewall

Prevent being locked out by iptables changes: the following cron job runs the reset script every ten minutes, so a mistake in the rules opens the system again on its own.

Issue the following command:

sudo vi /etc/cron.d/firewall-reset-sharewiz

…add the following content to the file:

/etc/cron.d/firewall-reset-sharewiz
0,10,20,30,40,50 * * * * root /sharewiz/firewall/firewall-reset.sh

Make the firewall reset cron job executable

Issue the following command:

sudo chmod 755 /etc/cron.d/firewall-reset-sharewiz
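The cron job above flushes the rules every ten minutes whether you are locked out or not. A one-shot guard in the same spirit, added here as an example (it is not one of the wiki's scripts; the pid file path, the GUARD_* variables and the function names are assumptions):

```bash
#!/bin/bash
# Added example, not one of the wiki's scripts: a one-shot lockout guard.
# Arm a single delayed run of the reset script, load the new rules, confirm
# from a fresh SSH session that you still get in, then disarm the guard.
# Assumed paths: the wiki's reset script, a pid file and an optional log file.
RESET_SCRIPT="${RESET_SCRIPT:-/sharewiz/firewall/firewall-reset.sh}"
GUARD_PIDFILE="${GUARD_PIDFILE:-/run/firewall-guard.pid}"
GUARD_LOG="${GUARD_LOG:-/dev/null}"   # set to a file to keep the reset output

# guard_is_armed: succeeds while a delayed reset is still pending.
guard_is_armed() {
    [ -s "$GUARD_PIDFILE" ] && kill -0 "$(cat "$GUARD_PIDFILE")" 2>/dev/null
}

# schedule_reset SECONDS: run the reset script after SECONDS unless cancelled.
schedule_reset() {
    local delay="$1"
    if guard_is_armed; then
        echo "guard already armed (pid $(cat "$GUARD_PIDFILE"))" >&2
        return 1
    fi
    # The timer runs in a background subshell that forwards SIGTERM to its
    # sleep, so cancelling leaves no stray process behind.
    (
        trap 'kill "$timer" 2>/dev/null; exit 0' TERM
        sleep "$delay" & timer=$!
        wait "$timer" && "$RESET_SCRIPT"
    ) </dev/null >>"$GUARD_LOG" 2>&1 &
    echo $! > "$GUARD_PIDFILE"
}

# cancel_reset: disarm the guard once the new rules are confirmed to work.
cancel_reset() {
    guard_is_armed || return 1
    local pid
    pid=$(cat "$GUARD_PIDFILE")
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true   # reap it if it is our own child
    rm -f "$GUARD_PIDFILE"
}

# Typical session (run as root):
#   schedule_reset 300 && /sharewiz/firewall/firewall.sh   # 5-minute revert, then load rules
#   ssh user@host true                                    # from another terminal
#   cancel_reset                                          # access confirmed, keep the rules
```

Unlike the cron entry, which keeps flushing the rules every ten minutes until /etc/cron.d/firewall-reset-sharewiz is removed, this guard fires once and then goes away.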

Create the firewall start / stop script

Issue the following command:

sudo vi /etc/init.d/firewall-sharewiz

…add the following content to the file:

/etc/init.d/firewall-sharewiz
#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall-sharewiz
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop the firewall.
### END INIT INFO
#
# Start and stop the Firewall.
# Modify the following settings as required:
IPTABLES=/sbin/iptables
FIREWALL=/sharewiz/firewall/firewall.sh

# Flush all rules in the filter, nat and mangle tables and
# open the filter and nat policies.
clear_rules() {
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES -t mangle --flush
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
}

case "$1" in
    start)
        $FIREWALL
        ;;
    stop)
        clear_rules
        ;;
    restart)
        clear_rules
        $FIREWALL
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
exit 0

Make the firewall script executable

Issue the following command:

sudo chmod +x /etc/init.d/firewall-sharewiz

Install the script to start and stop automatically on system boot and shutdown

Issue the following command:

sudo update-rc.d firewall-sharewiz defaults

To have the firewall start before the network comes up, use the following command instead:

sudo update-rc.d firewall-sharewiz start 20 2 3 4 5 . stop 99 0 1 6 .

Test firewall

Test using different scanning tools (192.168.0.11 is the firewall host):

sudo nmap -v -f 192.168.0.11
sudo nmap -v -sX 192.168.0.11
sudo nmap -v -sN 192.168.0.11
sudo hping3 -X 192.168.0.11

Test with the ShieldsUP! service at http://www.grc.com