
Iptables firewall in Ubuntu

The most common way to allow only specific traffic into a Linux host is iptables. Iptables filters packets on the network and transport layers of the OSI model (layers 3 and 4: addresses, protocols and ports), not on application content. The script shown below accepts incoming traffic only on specific ports (for example 22 for ssh), accepts every packet that belongs to an already established connection and everything coming from the loopback interface, and rejects all other traffic. Debian-like systems of this era (Ubuntu 8.04) ship no init script that runs iptables-save/iptables-restore at boot the way Gentoo does, so we create our own script that is executed when the machine starts.

Check the iptables module in the kernel

To filter traffic with iptables, the ip_tables module (and iptable_filter for the filter table) has to be available in the kernel. The generic Ubuntu kernel ships it as a module; when compiling a custom kernel, don't forget to include it.

Show the loaded iptables modules. lsmod lists only modules that are already loaded: if nothing shows up, running iptables -L once makes the kernel autoload them, and a kernel with netfilter compiled in rather than modular will never list them here.
root@roleta:/# lsmod | grep iptable
iptable_filter          3840  1 
ip_tables              14820  1 iptable_filter
root@roleta:/# 

Create iptables rules

Use vi to create the file /etc/firewall/firewall.bash and make it executable (chmod 755 /etc/firewall/firewall.bash). See man iptables for the options used. The comments explain which statement allows what traffic. At this point the firewall can already be started by running /etc/firewall/firewall.bash, but the rules live only in kernel memory and disappear after a reboot, so a start script is still needed.

Two things to keep in mind when adapting the rule list: rules are checked in order and the first match wins, so the final REJECT must stay last; and every port opened without a -s source restriction is reachable from the whole Internet, which for mysql (3306), samba and vnc is rarely what is wanted. Add -s <your LAN> to those rules unless the service really has to be public.

File /etc/firewall/firewall.bash with the iptables rules:
root@roleta:/# cat /etc/firewall/firewall.bash 
#!/bin/bash
#
# /etc/firewall/firewall.bash - load the INPUT rules.
# Rules are appended (-A) and checked in order; the first match wins,
# so the catch-all REJECT at the end must stay last.
#

IPTABLES="/sbin/iptables"
#############################################################

# start from an empty INPUT chain, so running the script twice
# does not duplicate every rule
$IPTABLES -F INPUT

# accept all from localhost
# (matching the interface with -i lo would be more precise than the source address)
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections and related ones (e.g. ftp-data)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# samba (netbios-ssn, microsoft-ds, netbios-ns, netbios-dgm)
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT

# dc++ (client listening port, tcp and udp)
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 441 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW -m udp --dport 441 -j ACCEPT

# vnc (5800 java viewer, 5900 display :0)
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 5800 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT

# webserver
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# mysql (open to everyone with this rule; add -s <lan> if the database is not public)
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

# ftp: port 65000 and the 65010:65030 range used for data connections
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp --dport 65000 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 65010:65030 --syn -j ACCEPT

# ping (any icmp) only from three monitoring hosts
$IPTABLES -A INPUT -p icmp -m icmp -s 62.168.96.8 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp -s 213.215.116.106 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp -s 195.168.1.8 -j ACCEPT

# reject everything else
$IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable
root@roleta:/# 
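A hardened variant of the same policy, added here as an example and not part of the original page: instead of appending rules one by one, the whole filter table is written in the format iptables-restore reads and loaded in a single step. The LAN prefix 192.168.1.0/24, the decision to restrict samba, mysql and vnc to that LAN, the DROP default policy, the ssh rate limit and the rules file /etc/firewall/rules.v4 are assumptions for this example, not settings from the page; the dc++ and ftp rules are left out and would be added the same way.

```shell
#!/bin/sh
# Added example, not the page's script: the same policy written as
# input for iptables-restore, which loads the whole table in one kernel
# transaction.  Re-running it is idempotent (no duplicated rules) and
# there is no moment in which the host has no rules at all, which a
# flush-then-append start/stop pair cannot guarantee.
#
# Assumptions, not from the page: the LAN is 192.168.1.0/24 and only
# hosts on it may reach samba, mysql and vnc; ssh and the web server
# stay open to everyone.

LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed LAN prefix, adjust
SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/etc/firewall/rules.v4}"   # assumed path

# Print the complete filter table in iptables-save format.  Lines that
# start with '#' are ignored by iptables-restore.
generate_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: match the interface rather than the 127.0.0.1 source address
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related flows (ftp-data)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# packets that do not belong to any known connection
-A INPUT -m state --state INVALID -j DROP
# ssh from anywhere, but a source making more than 5 new connections
# within 60 seconds is dropped
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
# web server
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# LAN-only services: samba, mysql, vnc
-A INPUT -s ${LAN_NET} -p tcp -m multiport --dports 139,445,3306,5800,5900 -m state --state NEW -j ACCEPT
-A INPUT -s ${LAN_NET} -p udp -m multiport --dports 137,138 -j ACCEPT
# ping from anywhere, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log a sample of refused packets, then reject as the page's script does;
# the DROP policy above only matters if this last rule is ever missing
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-reject: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Load the ruleset atomically and keep a copy on disk.  iptables-restore
# applies nothing if it rejects the input, so a typo cannot leave the
# host half-configured.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    generate_ruleset > "$tmp"
    if iptables-restore < "$tmp"; then
        mv "$tmp" "$RULES_FILE"
    else
        echo "iptables-restore rejected the ruleset; kernel rules unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Number of INPUT rules in the generated set; after loading,
#   iptables-save | grep -c '^-A INPUT '
# should print the same number.
input_rule_count() {
    generate_ruleset | grep -c '^-A INPUT '
}

case "${1:-}" in
    show)  generate_ruleset ;;        # print the ruleset
    apply) apply_ruleset ;;           # load it (as root)
esac
```

sh fw-rules.sh show prints the ruleset, sh fw-rules.sh apply loads it as root. The start) branch of an init script can call apply_ruleset instead of firewall.bash; restart then becomes one atomic swap and the window between stop and start, in which the host has no rules, disappears.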

Create a script for stopping the firewall

To stop filtering, the iptables rules have to be flushed. Use vi to create the script /etc/firewall/iptables_flush (and chmod 755 it as well). Be aware of what "stop" means here: the default policies are set back to ACCEPT and every rule is removed, so a stopped firewall leaves all listening services reachable from anywhere. The same is true for the short moment between stop and start during a restart.

File /etc/firewall/iptables_flush that removes the iptables rules:
root@roleta:/# cat /etc/firewall/iptables_flush 
#!/bin/sh
# 
# rc.flush-iptables - Resets iptables to default values. 
# 
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#
# erase all user-defined chains in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
root@roleta:/# 

Startup script

As said before, Debian-like systems do not run iptables-restore at boot time. To start the firewall service at boot, a startup script called /etc/init.d/firewall needs to be created (chmod 755, like the other two).

Startup script for the firewall service:
root@roleta:/# cat /etc/init.d/firewall 
#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables rules from /etc/firewall
### END INIT INFO

RETVAL=0

# To start the firewall
start() {
  echo -n "Iptables rules creation: "
  /etc/firewall/firewall.bash
  RETVAL=$?
}

# To stop the firewall (this removes ALL filtering, the host is then open)
stop() {
  echo -n "Removing all iptables rules: "
  /etc/firewall/iptables_flush
  RETVAL=$?
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    /sbin/iptables -L
    /sbin/iptables -t nat -L
    RETVAL=$?
    ;;
  *)
    echo "Usage: firewall {start|stop|restart|status}"
    RETVAL=1
esac
exit $RETVAL
root@roleta:/#

Add the startup script to the runlevels

The service needs to be started automatically at boot. Use update-rc.d to create the runlevel links.

Now the firewall will start at boot. With "defaults" it is started as S20 in runlevels 2 to 5 and stopped as K20 in 0, 1 and 6. If network daemons with a lower sequence number start listening before S20, they are exposed for that moment; in that case choose the numbers yourself, e.g. update-rc.d firewall defaults 15 85 (start as S15, stop as K85):
root@roleta:/# update-rc.d firewall defaults
 Adding system startup for /etc/init.d/firewall ...
   /etc/rc0.d/K20firewall -> ../init.d/firewall
   /etc/rc1.d/K20firewall -> ../init.d/firewall
   /etc/rc6.d/K20firewall -> ../init.d/firewall
   /etc/rc2.d/S20firewall -> ../init.d/firewall
   /etc/rc3.d/S20firewall -> ../init.d/firewall
   /etc/rc4.d/S20firewall -> ../init.d/firewall
   /etc/rc5.d/S20firewall -> ../init.d/firewall
root@roleta:/#

Check the firewall service

With the following commands we can check the service and start or restart it without a reboot. Check it again after a reboot of the Ubuntu box to see that the rc changes took effect. Two remarks about the output: iptables -L resolves addresses to host names (that is where lisa.gtsi.sk and friends come from) and can stall on slow DNS, so iptables -L -n -v is the better habit. And an nmap against localhost travels over the loopback interface, which the first rule accepts wholesale, so it only shows which daemons are listening (the printing service on 631 included) and says nothing about what the firewall blocks. Run nmap from another machine to test the rules themselves.

Firewall restart and check commands:
root@roleta:/# /etc/init.d/firewall restart
Removing all iptables rules: Iptables rules creation: root@roleta:/# 
root@roleta:/# /etc/init.d/firewall status
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  localhost            anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:441 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:441 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5800 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5900 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:65000 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:65010:65030 flags:FIN,SYN,RST,ACK/SYN 
ACCEPT     icmp --  lisa.gtsi.sk         anywhere            icmp any 
ACCEPT     icmp --  athena.miquel.sk     anywhere            icmp any 
ACCEPT     icmp --  noc.nextra.sk        anywhere            icmp any 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

root@roleta:/# nmap localhost

Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-04 18:22 CEST
Interesting ports on localhost (127.0.0.1):
Not shown: 1708 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.346 seconds
root@roleta:/#
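A static check of the loaded ruleset, added here as an example that is not part of the original page: it reads iptables-save output and reports the problems a scan of localhost cannot show (rules stuck behind the catch-all REJECT after the append script ran twice, duplicated rules, loopback matched by address, LAN-only services accepted from anywhere). The list of LAN-only ports and the sample dump, which is the page's rule set after firewall.bash was run a second time without a flush and with mysql open to the world, are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the page: a static audit of "iptables-save"
# output.  A port scan of localhost never exercises the INPUT rules
# (everything arriving on lo is accepted by the first rule), so look at
# the loaded ruleset itself.  On a live host:
#     iptables-save | sh fw-audit.sh live
#
# Assumption, not from the page: these services belong on the LAN and
# must never be accepted from an unrestricted source.
LAN_ONLY_PORTS="139 445 3306 5800 5900"

# Constructed sample: the page's rules after firewall.bash was run a
# second time without a flush, with mysql open to the world.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT'

# Read an iptables-save dump on stdin, print one finding per line and
# return the number of findings (0 = clean).
audit_ruleset() {
    input=$(cat)
    count=0
    inputs=$(printf '%s\n' "$input" | grep '^-A INPUT ' || true)
    total=$(printf '%s\n' "$inputs" | grep -c . || true)
    policy=$(printf '%s\n' "$input" | awk '$1 == ":INPUT" { print $2 }')

    # 1. Is there a catch-all REJECT/DROP, and is anything stuck behind it?
    catchall=$(printf '%s\n' "$inputs" | grep -n -E '^-A INPUT -j (REJECT|DROP)( |$)' | head -n 1 | cut -d: -f1)
    if [ -z "$catchall" ]; then
        if [ "$policy" = "ACCEPT" ]; then
            echo "INPUT policy is ACCEPT and no catch-all REJECT/DROP rule exists: the host is open by default"
            count=$((count + 1))
        fi
    elif [ "$catchall" -lt "$total" ]; then
        echo "$((total - catchall)) INPUT rules sit after the catch-all REJECT/DROP and can never match (script run twice without a flush?)"
        count=$((count + 1))
    fi

    # 2. Duplicated rules, the other symptom of an append-only script.
    dups=$(printf '%s\n' "$inputs" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/duplicate rule: /'
        count=$((count + $(printf '%s\n' "$dups" | grep -c .)))
    fi

    # 3. Loopback matched by source address instead of interface.
    if printf '%s\n' "$inputs" | grep -q -E '^-A INPUT -s 127\.0\.0\.1(/32)? -j ACCEPT$'; then
        echo "loopback is accepted by source address 127.0.0.1; match the interface instead (-i lo)"
        count=$((count + 1))
    fi

    # 4. LAN-only services accepted without any -s source restriction.
    for port in $LAN_ONLY_PORTS; do
        open=$(printf '%s\n' "$inputs" | grep -E -- "--dport ${port}( |$)" | grep -- '-j ACCEPT' | grep -v -- ' -s ' || true)
        if [ -n "$open" ]; then
            echo "port ${port} is accepted from any source, add -s <lan>: ${open}"
            count=$((count + 1))
        fi
    done

    if [ "$count" -gt 255 ]; then count=255; fi
    return "$count"
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_RULES" | audit_ruleset ;;   # audit the sample
    live) audit_ruleset ;;                                    # audit stdin
esac
```

sh fw-audit.sh demo prints the five findings for the constructed sample and exits with status 5; on a clean ruleset nothing is printed and the exit status is 0, which makes the script usable as a check after every restart of the firewall service.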

Some content copyright © 2008, some rights reserved; feel free to share the "opensource" way of thinking.