Ubuntu - iptables - Implement a basic firewall
Create the firewall reset script
This script completely clears the firewall and changes all default policies to ACCEPT, so that the system is completely opened up (nothing is filtered).
Issue the following command:
sudo vi /sharewiz/firewall/firewall-reset.sh
…add the following content to the file:
- /sharewiz/firewall/firewall-reset.sh
#!/bin/bash
#
# Resets all firewall rules
echo "Stopping firewall and allowing everyone..."
#
# Modify the following settings as required:
#
IPTABLES=/sbin/iptables
#
# Reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# Reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# Reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# Flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# Erase all chains that are not default in filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
Set up a failsafe when initially setting up the firewall
This prevents you from being locked out by a mistake in the iptables rules: cron runs the reset script every ten minutes, so a rule set that blocks your own access is undone automatically. Because the same job also opens the firewall every ten minutes, remove it once the rule set has been tested.
Issue the following command:
sudo vi /etc/cron.d/firewall-reset-sharewiz
…add the following content to the file:
- /etc/cron.d/firewall-reset-sharewiz
0,10,20,30,40,50 * * * * root /sharewiz/firewall/firewall-reset.sh
Make the firewall reset cron job executable
Issue the following command:
sudo chmod 755 /etc/cron.d/firewall-reset-sharewiz
Create the firewall start / stop script
Issue the following command:
sudo vi /etc/init.d/firewall-sharewiz
…add the following content to the file:
- /etc/init.d/firewall-sharewiz
#!/bin/bash
#
# Start and stop the Firewall.
#
### BEGIN INIT INFO
# Provides:          firewall-sharewiz
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop the sharewiz iptables firewall
### END INIT INFO
#
# Modify the following settings as required:
IPTABLES=/sbin/iptables

# Flush all rules and reset the filter and nat policies to ACCEPT.
open_firewall() {
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES -F -t mangle
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
}

case "$1" in
    start)
        # Load the rule set.
        /sharewiz/firewall/firewall.sh
        ;;
    stop)
        open_firewall
        ;;
    restart)
        open_firewall
        /sharewiz/firewall/firewall.sh
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
Make the firewall script executable
Issue the following command:
sudo chmod +x /etc/init.d/firewall-sharewiz
Install the script to start and stop automatically on system boot and shutdown
Issue the following command:
sudo update-rc.d firewall-sharewiz defaults
To have the firewall start before the network comes up, use the following command instead:
sudo update-rc.d firewall-sharewiz start 20 2 3 4 5 . stop 99 0 1 6 .
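The init script starts the firewall by running /sharewiz/firewall/firewall.sh, which this page does not show. The script below is an added example of such a rule script; it is not the wiki's own. It assumes a single host that is administered over SSH on port 22 from the 192.168.0.0/24 network (both are assumptions, set at the top), loads a default-deny rule set for the filter table, and logs what the DROP policy discards so that blocked traffic is visible in the kernel log. When run with no argument it only prints the iptables commands it would issue (a dry run); the init script should call it as /sharewiz/firewall/firewall.sh apply to load the rules.

```shell
#!/bin/bash
# Added example rule script for /sharewiz/firewall/firewall.sh (not the wiki's own,
# which the page does not show). Assumed values: SSH on port 22, management from
# 192.168.0.0/24; adjust both for your environment.
#   firewall.sh apply    -> load the rules with $IPTABLES
#   firewall.sh          -> dry run, print the commands only

IPTABLES=${IPTABLES:-/sbin/iptables}
SSH_PORT=${SSH_PORT:-22}                 # assumed management port
ADMIN_NET=${ADMIN_NET:-192.168.0.0/24}   # assumed management network

# Dry-run stand-in: prints the iptables arguments instead of applying them.
print_cmd() { printf '%s\n' "$*"; }

# Apply a default-deny rule set using the command given as $1
# (either $IPTABLES or print_cmd).
apply_rules() {
    local ipt="$1"

    # Start from a clean filter table so the script can be re-run safely.
    "$ipt" -F
    "$ipt" -X

    # Default policies: drop inbound and forwarded traffic, allow outbound.
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback is needed by many local services.
    "$ipt" -A INPUT -i lo -j ACCEPT

    # Drop packets that do not belong to any tracked connection.
    "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Allow replies to connections this host initiated.
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New SSH connections only from the management network, rate limited.
    "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_NET" \
        -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT

    # Allow ping, but limit the rate.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log (rate limited) whatever is left before the INPUT policy drops it.
    "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
}

# Number of iptables invocations the rule set makes; useful as a dry-run sanity check.
rule_count() { apply_rules print_cmd | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) apply_rules "$IPTABLES" ;;
    *)     apply_rules print_cmd ;;
esac
```

Running the script without arguments and reading the printed commands before running it with apply is the cheapest check that the rule order is what you intended; the LOG rule is last on purpose, so that every packet that reaches the DROP policy leaves a "FW-DROP:" line in the kernel log.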
Test firewall
Test the firewall with several different tools:
sudo nmap -v -f 192.168.0.11
sudo nmap -v -sX 192.168.0.11
sudo nmap -v -sN 192.168.0.11
sudo hping3 -X 192.168.0.11
Test with the ShieldsUP! service at http://www.grc.com
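Besides probing from outside, check the host's own rule state: both the reset script and the cron failsafe leave every policy at ACCEPT, and the scanners above would then simply report the open ports without telling you why. The script below is an added example, not part of the page. It reads iptables -S output and flags chains whose policy is not DROP, counts the loaded rules, and reports whether the failsafe cron job from this page is still installed. The two rule dumps embedded in it are constructed samples for offline use; on a real host run it as audit-firewall.sh live.

```shell
#!/bin/bash
# Added example (not from the wiki page): audit the rule set a host is actually
# enforcing, so an open firewall is noticed rather than discovered by a scan.
#   audit-firewall.sh live   -> audit the output of "iptables -S" on this host
#   audit-firewall.sh        -> run the audit against the constructed samples below

# Constructed sample: what "iptables -S" shows after firewall-reset.sh has run.
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a loaded default-deny rule set.
SAMPLE_CLOSED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT'

# Path of the failsafe cron job from the setup steps on this page.
FAILSAFE_CRON=/etc/cron.d/firewall-reset-sharewiz

# Read an "iptables -S" dump on stdin; print every INPUT/FORWARD chain whose
# policy is not DROP. Exit 0 when both default to DROP, 1 otherwise.
check_policies() {
    awk '
        $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 != "DROP" {
            print $2 " policy is " $3 " (expected DROP)"
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Count the rules (-A lines, not policies) in a dump read from stdin.
# Zero rules together with ACCEPT policies means the host is wide open.
rule_count() { grep -c '^-A ' || true; }

# Exit 0 if the failsafe cron job is still installed ($1 overrides the path).
failsafe_present() { [ -e "${1:-$FAILSAFE_CRON}" ]; }

# Audit one dump given as a string; exit 0 only if it is a default-deny rule set.
audit() {
    local dump="$1" rules
    rules=$(printf '%s\n' "$dump" | rule_count)
    if printf '%s\n' "$dump" | check_policies; then
        echo "OK: INPUT and FORWARD default to DROP, $rules rules loaded"
    else
        echo "WARNING: firewall is open ($rules rules loaded)"
        return 1
    fi
    if failsafe_present; then
        echo "WARNING: $FAILSAFE_CRON still exists; the firewall is reset every ten minutes"
        return 1
    fi
}

case "${1:-}" in
    live) audit "$(iptables -S)" ;;
    *)    echo "closed sample:"; audit "$SAMPLE_CLOSED" || true
          echo "open sample:";   audit "$SAMPLE_OPEN"   || true ;;
esac
```

Run it from a second cron entry or from your monitoring agent so that a reset, whether from the failsafe job or from a manual firewall-reset.sh, raises an alert instead of going unnoticed until the next scan.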
ubuntu/iptables/implement_a_basic_firewall.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1