Higher Logic notes on screwing with tech…

24 Jun 2011

Simple host-based firewall Ubuntu style

Tired of pesky port scans? Just want to deploy a firewall for the heck of it? Like that added layer of protection? Whatever your reason, let's do a simple one. Here's a version that includes a persistent ruleset and integration with your Ubuntu startup.

Personally I tend to deploy an iptables firewall as a simple host-based firewall, e.g. just blocking stuff and making sure no one tries too many things on your server. For something more complicated I prefer to use shorewall (that's another write-up for another day :)

Show me the bacon

New script: /etc/init.d/firewall (something simple for start, stop and reload)
This is a pretty simple script; all it needs in order to run is the actual firewall ruleset in "/etc/default/firewall".


#! /bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop host firewall (iptables)
### END INIT INFO
# Default-Start/Default-Stop are filled in so that dependency-based boot
# (insserv) also enables the script; classic update-rc.d ignores them.

# Nothing to do if the ruleset is missing or unreadable
RULES=/etc/default/firewall
test -r "$RULES" || exit 0

case "$1" in
  start)
    echo -n "Starting Firewall Services"
    /sbin/iptables-restore < "$RULES"
    ;;
  stop)
    # Flush and delete every rule and user chain in all tables, then fall
    # back to ACCEPT policies: after "stop" the host is unfiltered
    echo -n "Stopping Firewall (clearing rules, policies set to ACCEPT)"
    for table in filter nat mangle; do
        /sbin/iptables -t "$table" -F
        /sbin/iptables -t "$table" -X
    done
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    ;;
  restart|reload)
    # iptables-restore replaces the loaded tables atomically, so no flush is needed first
    echo -n "Restarting Firewall Services"
    /sbin/iptables-restore < "$RULES"
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart|reload}"
    exit 1
    ;;
esac

echo
exit 0

The actual firewall rules. This part is up to you, but here's a simple version that, on the inbound side, accepts only SSH, DNS and web traffic (plus ICMP and replies to connections the host itself opened) and allows everything on the outbound side. Store it under "/etc/default/firewall".

# Generated by iptables-save on Mon Feb 7 19:05:46 2011
# nat and mangle tables: no rules, everything passes through
*nat
:PREROUTING ACCEPT [2:307]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Feb 7 19:05:46 2011
# Generated by iptables-save on Mon Feb 7 19:05:46 2011
*mangle
:PREROUTING ACCEPT [48:3929]
:INPUT ACCEPT [48:3929]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22:2312]
:POSTROUTING ACCEPT [22:2312]
COMMIT
# Completed on Mon Feb 7 19:05:46 2011
# Generated by iptables-save on Mon Feb 7 19:05:46 2011
# filter table: default policy DROP on every chain, so only what is
# explicitly accepted below gets through
*filter
:INPUT DROP [2:513]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, ping, and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# inbound services: SSH, DNS (tcp and udp), HTTP and HTTPS
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
# everything outbound is allowed
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Mon Feb 7 19:05:46 2011
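Before loading a ruleset it is worth checking what it actually exposes, rather than trusting the description next to it. The following is an added example, not part of the original post: a small POSIX sh/awk audit of the filter table's INPUT chain in an iptables-save file, run here on a constructed sample that mirrors the ruleset above (on a real box you would feed it /etc/default/firewall on stdin).

```shell
#!/bin/sh
# Added example: audit what an iptables-save ruleset exposes on INPUT.
# Each function reads the ruleset on stdin, e.g. open_ports < /etc/default/firewall
# Constructed sample (not a real capture); the mangle table is included to
# show that only the *filter table's INPUT chain is considered.
SAMPLE_RULES='*mangle
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT'
# Default policy of filter/INPUT ("DROP" is what you want on a host firewall)
input_policy() {
    awk '/^\*/ { tbl = $1 }
         tbl == "*filter" && $1 == ":INPUT" { print $2 }'
}

# Every proto/port accepted by filter/INPUT via --dport/--dports, sorted.
# Rules with no port match (lo, icmp, conntrack state) are not listed.
open_ports() {
    awk '/^\*/ { tbl = $1 }
         tbl == "*filter" && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
             proto = ""; ports = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "-p") proto = $(i + 1)
                 if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
             }
             n = split(ports, a, ",")
             for (k = 1; k <= n; k++) print proto "/" a[k]
         }' | sort -t/ -k1,1 -k2,2n
}

# Accepted ports that are NOT in the allow-list passed as arguments
unexpected_ports() {
    allowed=" $* "
    open_ports | while read -r p; do
        case "$allowed" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# The post describes the ruleset as DNS and web only; this also shows SSH (tcp/22)
printf '%s\n' "$SAMPLE_RULES" | unexpected_ports tcp/53 udp/53 tcp/80 tcp/443
```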

Now apply the varnish


# Make it executable
sudo chmod +x /etc/init.d/firewall
# Add it to the startup runlevels so the rules are loaded at boot
sudo update-rc.d firewall defaults

Kick the tires


# If you are at the console and aren't afraid of your firewall rules locking you out
sudo /etc/init.d/firewall reload
sudo iptables -L -n # check that it's loaded
# If you are over an ssh session and are afraid of being dropped, use this: if you stuff up,
# the rules are cleared again after 10 seconds and you only lose the session briefly :)
screen
sudo /etc/init.d/firewall reload && sleep 10 && sudo /etc/init.d/firewall stop

   
css.php