When you install iptables, there are no default configuration or startup scripts in Debian/Ubuntu. This page details two ways to create your own startup/configuration scripts.

The first one is to trigger the running of a script when a network interface comes up. The other way is to write an init script that gets run when the machine boots up.

Triggering the firewall on interface

This method uses the /etc/network/interfaces file to tell your machine that when an interface comes up, a script should be run, which will configure your firewall. The script will be in /etc/network/firewall.sh and is described below. Once you have created this script and modified it as you require, edit the /etc/network/interfaces file and add an up line to the stanza for the external interface, e.g.:

iface eth0 inet static
    address 172.16.0.2
    netmask 255.255.255.0
    gateway 172.16.0.1
    up /etc/network/firewall.sh eth0

This tells your machine to run the script whenever the eth0 interface comes up.

Firewall.sh script

Install this script in /etc/network/firewall.sh and add firewall rules to it at the point marked below (a starting set is given at the bottom of this page):

#!/bin/sh
# /etc/network/firewall.sh - rebuild the INPUT chain for the interface given
# as the first argument. Must be run as root (ifup runs it as root).

if [ -z "$1" ]; then
        echo "Usage: $0 interface"
        exit 1
fi

IPT=/sbin/iptables
IF="$1"

# Temporarily set default policy to accept
$IPT -P INPUT ACCEPT
# Flush input chain (only INPUT; FORWARD and OUTPUT are left untouched)
$IPT -F INPUT

# PUT YOUR FIREWALL RULES HERE

# Reject everything else arriving on this interface
$IPT -A INPUT -i $IF -j REJECT

Note that the test on the first argument uses the POSIX form [ -z "$1" ]; the == operator is a bashism and fails under /bin/sh (dash) on Debian and Ubuntu. Then make the script executable:

chmod +x /etc/network/firewall.sh

Starting/restarting the firewall

The firewall is started at boot time, when your network interface comes up, but it can also be started manually. First list the interfaces:

ifconfig

(or ip addr on systems without ifconfig). Find the public interface and run the command below with eth0 replaced by the public interface:

/etc/network/firewall.sh eth0

Since the first part of the firewall.sh script sets the INPUT policy to ACCEPT and flushes the chain before rebuilding it, you simply rerun /etc/network/firewall.sh as explained above in order to restart the firewall. Be aware that for the short period between the flush and the final REJECT rule the host accepts all traffic on that interface; iptables-restore avoids this window because it replaces the whole rule set in one step.


Starting the firewall up on boot

This method creates an init script which gets run when you boot up. A slight advantage of this is that you can control the firewall like you control normal init scripts.

Create the init script

Place the script below in the file /etc/init.d/firewall after modifying it to suit your needs. Please note that in this script the interface to apply the rules to is hardcoded at the top of the script, unlike the example above, where the interface name gets passed as a parameter to the script. The ### BEGIN INIT INFO block at the top is the LSB header that update-rc.d (insserv) reads to decide the runlevels and ordering; on current Debian and Ubuntu releases update-rc.d refuses a script without it.


#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall script
# Description:       Sets up iptables rules
### END INIT INFO

IPT=/sbin/iptables
# Interface the rules apply to (hardcoded; change to suit)
IF="eth0"

d_start() {
        # Temporarily set default policy to accept
        $IPT -P INPUT ACCEPT
        # Flush input chain
        $IPT -F INPUT

        # PUT YOUR FIREWALL RULES HERE

        # Drop everything else (default policy, so it also covers
        # interfaces other than $IF)
        $IPT -P INPUT DROP
}

d_stop() {
        # Set default policy to accept, and flush: the host is fully open
        # after this until d_start runs again
        $IPT -P INPUT ACCEPT
        $IPT -F INPUT
}

case "$1" in
        start)
                echo -n "Starting firewall"
                d_start
                echo "."
        ;;
        stop)
                echo -n "Stopping firewall"
                d_stop
                echo "."
        ;;
        restart)
                echo -n "Restarting firewall"
                d_stop
                d_start
                echo "."
        ;;
        *)
                echo "Usage: $0 {start|stop|restart}" >&2
                exit 3
        ;;
esac

exit 0

Now we need the firewall to start up automatically on boot. For this we can just use the update-rc.d script, which takes the runlevels from the LSB header:

 update-rc.d firewall defaults

The firewall will now be started on bootup. On releases that boot with systemd, scripts in /etc/init.d are still picked up through its sysv compatibility generator, so the same command applies.

Manually starting/restarting/stopping the firewall

Since the script we are using is a standard init script, you can start, stop, and restart it like any other service:

 /etc/init.d/firewall start
 /etc/init.d/firewall stop
 /etc/init.d/firewall restart
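Restarting the firewall from an ssh session is the moment a mistake locks you out: stop opens the host, start closes it with a DROP policy, and a typo in the rules leaves you unable to reconnect. The wrapper below is an added example for this page, not one of the wiki's scripts. It snapshots the current rules with iptables-save, loads a new rule file (iptables-save format) with iptables-restore, and reverts to the snapshot after TIMEOUT seconds unless you run confirm from a session that still works. The state directory /run/fw-try, the 60 second default, the refusal to start a second trial while one is pending, and the SAVE_CMD/RESTORE_CMD override hooks (which allow a dry run without root) are assumptions of this example.

```shell
#!/bin/sh
# fw-try.sh: lockout-safe rule reload (added example, not a wiki script).
# Loads RULES_FILE, then restores the previous rules after TIMEOUT seconds
# unless "confirm" is run first. Assumed defaults below; override via env.

SAVE_CMD="${SAVE_CMD:-iptables-save}"          # assumed: real tool, or a stub for dry runs
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"
STATE_DIR="${STATE_DIR:-/run/fw-try}"          # assumed root-writable location
TIMEOUT="${TIMEOUT:-60}"

# fw_state: print "confirmed", "pending" (rollback timer still running) or "none".
fw_state() {
    if [ -e "$STATE_DIR/confirmed" ]; then
        echo confirmed
    elif [ -r "$STATE_DIR/timer.pid" ] && kill -0 "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null; then
        echo pending
    else
        echo none
    fi
}

# fw_try RULES_FILE: snapshot the live rules, load RULES_FILE atomically and
# arm a background timer that puts the snapshot back unless fw_confirm runs.
fw_try() {
    [ -r "$1" ] || { echo "fw_try: cannot read rules file '$1'" >&2; return 1; }
    if [ "$(fw_state)" = pending ]; then
        echo "fw_try: a trial load is still pending; confirm it or wait for the rollback" >&2
        return 1
    fi
    mkdir -p "$STATE_DIR" || return 1
    rm -f "$STATE_DIR/confirmed"
    "$SAVE_CMD" > "$STATE_DIR/previous.rules" || return 1
    "$RESTORE_CMD" < "$1" || return 1
    (
        sleep "$TIMEOUT"
        if [ ! -e "$STATE_DIR/confirmed" ]; then
            "$RESTORE_CMD" < "$STATE_DIR/previous.rules"
            echo "fw_try: not confirmed within ${TIMEOUT}s, previous rules restored" >&2
        fi
    ) &
    echo "$!" > "$STATE_DIR/timer.pid"
    echo "fw_try: new rules loaded; run '$0 confirm' within ${TIMEOUT}s to keep them" >&2
}

# fw_confirm: keep the new rules and cancel the pending rollback.
fw_confirm() {
    : > "$STATE_DIR/confirmed"
    if [ -r "$STATE_DIR/timer.pid" ]; then
        kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null || true
    fi
    echo "fw_try: new rules confirmed" >&2
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        try)     fw_try "$2" ;;
        confirm) fw_confirm ;;
        state)   fw_state ;;
        *)       echo "Usage: $0 {try RULES_FILE|confirm|state}" >&2; exit 2 ;;
    esac
fi
```

Typical use is fw-try.sh try new.rules, then, after checking that a fresh ssh login still works, fw-try.sh confirm. If the login fails, do nothing: the timer puts the old rules back. The snapshot is the live rule set, so this also protects against a rule file that loads cleanly but blocks the wrong thing.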

Writing the firewall rules

All that remains now is to write the actual firewall rules. A good beginning set is given below; place these lines in your script at the point indicated, and replace 1.2.3.4/24 with your own local network. Note that a rule matching on source address alone trusts whatever address the packet carries, so on the external interface it is only as good as the anti-spoofing filtering upstream:

# Allow packets belonging to, or related to, connections we already have
# (-m conntrack --ctstate is the newer equivalent of -m state --state)
$IPT -A INPUT -i $IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept loopback traffic and all traffic from the local network
$IPT -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
$IPT -A INPUT -i $IF -s 1.2.3.4/24 -j ACCEPT

# Open specific ports to the world
# ssh (new connections only, and only SYN packets)
$IPT -A INPUT -i $IF -m state --state NEW -p tcp --syn --destination-port 22 -j ACCEPT
# mail
$IPT -A INPUT -i $IF -p tcp --destination-port 25 -j ACCEPT
# http
$IPT -A INPUT -i $IF -p tcp --destination-port 80 -j ACCEPT
# dns (if you run a dns server) (this is an example of a UDP server)
$IPT -A INPUT -i $IF -p udp --destination-port 53 -j ACCEPT

# Rate-limit unfragmented icmp; drop fragments and anything over the limit
$IPT -A INPUT -i $IF -p icmp ! -f -m limit --limit 100/second --limit-burst 50 -j ACCEPT
$IPT -A INPUT -i $IF -p icmp -j DROP
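Both the firewall.sh script and the init script flush the INPUT chain with the policy set to ACCEPT and then append rules one at a time, so every (re)start has a short window in which the host accepts everything. iptables-restore replaces the whole table in a single operation and has no such window. The script below is an added example written for this page, not one of the wiki's scripts: it generates the rule set from this section (loopback, established/related, the open ports, rate-limited ICMP, a final REJECT) in iptables-save format using -m conntrack --ctstate rather than -m state, puts anti-spoofing drops in front of the trusted-network rule, and either prints the result, parses it with iptables-restore --test, or loads it. The interface name eth0, the trusted network 192.0.2.0/24, the port lists and the SPOOF_NETS ranges are assumed values; the anti-spoofing list assumes the external interface has a public address, so if it sits on a private range, as in the interfaces example near the top of this page, remove the range that covers it.

```shell
#!/bin/sh
# fw-restore.sh: build the filter table as text and load it atomically with
# iptables-restore (added example, not a wiki script). All values below are
# assumptions for the example; override them via the environment.

IF="${IF:-eth0}"
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"     # assumed; RFC 5737 documentation range
TCP_PORTS="${TCP_PORTS:-22 25 80}"             # ssh, mail, http
UDP_PORTS="${UDP_PORTS:-53}"                   # dns
# Source ranges that must never arrive on the external interface. Assumes the
# external address is public: remove any range that covers your own network.
SPOOF_NETS="${SPOOF_NETS:-127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"

# gen_rules IFACE NET: print a complete filter table in iptables-save format.
# Nothing here touches the kernel; the text is reviewed or piped into
# iptables-restore, which swaps the whole table in one step, so there is no
# moment where the old rules are flushed and the new ones not yet loaded.
gen_rules() {
    _if="$1"; _net="$2"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Anti-spoofing must come before any rule that trusts a source address.
    for _n in $SPOOF_NETS; do
        echo "-A INPUT -i $_if -s $_n -j DROP"
    done
    echo "-A INPUT -i $_if -s $_net -j ACCEPT"
    for _p in $TCP_PORTS; do
        echo "-A INPUT -i $_if -p tcp --syn -m conntrack --ctstate NEW --dport $_p -j ACCEPT"
    done
    for _p in $UDP_PORTS; do
        echo "-A INPUT -i $_if -p udp --dport $_p -j ACCEPT"
    done
    echo "-A INPUT -i $_if -p icmp -m limit --limit 100/second --limit-burst 50 -j ACCEPT"
    echo "-A INPUT -i $_if -p icmp -j DROP"
    echo "-A INPUT -i $_if -j REJECT"
    echo "COMMIT"
}

# rule_count IFACE NET: number of -A lines generated; a cheap sanity check
# before loading (an empty or truncated rule set is caught here).
rule_count() {
    gen_rules "$1" "$2" | grep -c '^-A '
}

fw_main() {
    case "$1" in
        show)  gen_rules "$IF" "$TRUSTED_NET" ;;
        check) gen_rules "$IF" "$TRUSTED_NET" | iptables-restore --test ;;  # parse only, no load
        apply) gen_rules "$IF" "$TRUSTED_NET" | iptables-restore ;;         # needs root
        *)     echo "Usage: $0 {show|check|apply}" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    fw_main "$@"
fi
```

Run show to review the generated table, check to have iptables-restore parse it without loading, and apply to install it. Because the INPUT policy is DROP in the generated text, the catch-all REJECT at the end only affects $IF; packets on other interfaces are silently dropped by the policy.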


Possible problems

The two icmp rules above accept ICMP of any type only within the rate limit and drop whatever exceeds it, so during a burst, pings from anywhere are dropped, not only from other hosts. If incoming pings must always be answered, add the line below before the limit rule; this exempts echo-request from the limit, so only do it where that is acceptable:

$IPT -A INPUT -i $IF -p icmp --icmp-type echo-request -j ACCEPT

This page was last modified on 30 March 2008, at 14:56.

Copyright © 1999-2009, Cape Linux Users Group | All contents are under GNU Free Documentation Licence