
	  
############################ Firewall using IPTABLES scripts ############################

##### basic FIREWALL configuration:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# in this configuration example, the firewall server will be the gateway for the devices 
#  connected to an internal network
# the firewall server will have 2 network cards, one connected to the outside network (in 
#  bridge mode, if you are using software like VirtualBox) and the other with this static IPv4
#  internal network configuration: 10.1.0.3/24


#### configure the internal network card:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# if you need to install a text editor:
apt install nano                                 

# check the name of the internal network card:
ip a

### edit the .yaml file at:
cd /etc/netplan
ls -l
nano file_name
## switch the dhcp4 line of the internal network card to 'false':
dhcp4: false
## add to that network card the following IP line, aligned with the dhcp4 line, just below it:
addresses: [10.1.0.3/24]         #indentation is important here!
# save the file

### apply the configuration:
netplan apply                    #if you get an error, use 'netplan try' first, then apply

#### enable routing for IPv4:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# uncomment the line 'net.ipv4.ip_forward=1' in:
nano /etc/sysctl.conf

## apply the previous configuration to the system (rebooting it would also work):
sysctl --system

#### create the firewall through implementing scripts using iptables:~~~~

## install iptables:
apt install iptables

## create the directory:
mkdir /etc/firewall

## copy these scripts to the directory created: off.sh, nat.sh, filter.sh
# you can find the content of the scripts in the EXTRAS section, at the end of this guide!
#  (it is always recommended to check a script before you run it!!!)

## make them executable:
chmod 700 /etc/firewall/off.sh 
chmod 700 /etc/firewall/nat.sh 
chmod 700 /etc/firewall/filter.sh

## copy the firewall.sh script to the directory /etc/init.d
# you can find the content of this script in the EXTRAS section, at the end of this guide!

## make it executable:
chmod 700 /etc/init.d/firewall.sh

## configure the firewall.sh script to be always loaded when the server starts:
update-rc.d firewall.sh defaults

## to (re)start the firewall (to stop it, replace 'restart' with 'stop'):
/etc/init.d/firewall.sh restart

# (optional) to check if the firewall rules were correctly loaded:
iptables -L -n -v

# the current scripts' configuration (FORWARD/INPUT/NAT) allows HTTP, HTTPS and DNS 
#  traffic originating from the protected internal network, hiding the internal
#  IPs through NAT. It also redirects all incoming HTTP traffic to the specified
#  web-server. It allows ping to/from anywhere and SSH from anywhere to the firewall 
#  server; it blocks everything else. The OUTPUT filter allows everything.

## (optional test) after doing the configuration on the clients, you may want to check
##  the packets traffic on the network cards of the firewall. To view the ping traffic, 
##  for example, you can use the tcpdump command:
# prerouting:
tcpdump -i enp0s8 -n icmp          #assuming enp0s8 is the internal network card
# postrouting:
tcpdump -i enp0s3 -n icmp          #assuming enp0s3 is the external (bridge) network card
#########################################################################################

##### basic WEB-SERVER and DESKTOP clients configuration:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# in this example it will be explained how to configure a basic web-server and 
#  desktop clients that are part of the protected internal network; both machines have
#  one network card each.

#### configure the DESKTOP client:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# in a ubuntu 22.04 desktop, for example, go to:
Settings / Network / Wired config icon / IPv4
# and fill in this information:
IPV4 Method: Manual
Addresses: 10.1.0.2/24
Mask: 255.255.255.0
Gateway: 10.1.0.3
DNS: 8.8.8.8
# finally, click on 'Apply'

#### configure the WEB-SERVER client:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## preparing a basic apache web-server for testing purposes:
apt install nano apache2
# (optional) install net-tools
apt install net-tools

## logged in as root on this web-server, edit the .yaml file at:
cd /etc/netplan
ls -la
nano file-name
# in the dhcp4 line, switch the 'yes' to 'no'
# add the following lines, aligned with dhcp4, just below it:
addresses: [10.1.0.1/24]
gateway4: 10.1.0.3
# save the file

## apply the configuration:
netplan apply               #if you get an error, use 'netplan try' first, then apply

# the default apache page should be up and reachable

# (optional) use netstat to verify that the service is listening:
netstat -ltunap
#########################################################################################

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EXTRAS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# scripts examples:

#**** off.sh SCRIPT START----------------------------
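#!/bin/sh
# save this script at: /etc/firewall/off.sh
#
# Turns the firewall "off": every rule of the filter and nat tables is
# removed and every built-in chain goes back to the ACCEPT policy.
# firewall.sh runs it before (re)loading filter.sh and nat.sh so that the
# new rule set always starts from a clean table.
#
# NOTE: once this has run the host accepts and forwards everything; that is
# why firewall.sh turns IP forwarding off before calling it and only turns
# it back on after filter.sh and nat.sh have loaded.

# Flush (-F) every chain of both tables. Flushing the whole table instead of
# the five chains listed by name also covers the nat OUTPUT chain (which the
# original list left out) and any chain added later; -X then removes
# user-defined chains, which a plain flush would leave behind on reload.
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# Reset the built-in policies to ACCEPT (the nat chains never drop, but
# resetting them too keeps the state predictable).
for chain in INPUT FORWARD OUTPUT; do
  iptables -t filter -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT POSTROUTING; do
  iptables -t nat -P "$chain" ACCEPT
done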
#**** off.sh SCRIPT END------------------------------

#**** nat.sh SCRIPT START----------------------------
#!/bin/sh
# save this script at: /etc/firewall/nat.sh
#
# Loads the address-translation (table "nat") rules of the firewall:
#  - PREROUTING:  HTTP arriving on the external card (enp0s3) is DNATed to
#                 the internal web-server 10.1.0.1
#  - POSTROUTING: packets leaving through enp0s3 from the internal network
#                 10.1.0.0/24 are masqueraded with the firewall's own address
# The names and addresses are those of the guide's example network; adjust
# them if your cards or addresses differ (filter.sh uses the same values).

EXT_IF="enp0s3"          # external (bridge) network card
LAN_NET="10.1.0.0/24"    # protected internal network
WEB_SERVER="10.1.0.1"    # internal web-server that receives the HTTP DNAT

# Append one rule to a chain of the nat table: nat_rule CHAIN <rule args>
nat_rule() {
  iptables -t nat -A "$@"
}

########################
# PRE-ROUTING #
########################
iptables -t nat -P PREROUTING ACCEPT

# site http: every TCP/80 connection reaching the external card is
# rewritten to the web-server (filter.sh must also ACCEPT it in FORWARD)
nat_rule PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to "$WEB_SERVER"

########################
# POST-ROUTING #
########################
iptables -t nat -P POSTROUTING ACCEPT

# hide the internal addresses behind the firewall's external address
nat_rule POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
#**** nat.sh SCRIPT END------------------------------

#**** filter.sh SCRIPT START-------------------------
#!/bin/sh
# save this script at: /etc/firewall/filter.sh
#
# Loads the packet-filter (table "filter") rules. Every chain first gets
# the connection-tracking rules (accept replies of known connections, drop
# INVALID and UNTRACKED packets) and then its own rules:
#  FORWARD (through the firewall): policy DROP; ping, DNS/HTTP/HTTPS coming
#          from the internal network, and HTTP to the DNATed web-server
#  INPUT   (to the firewall):       policy DROP; loopback, ping, SSH
#  OUTPUT  (from the firewall):     policy ACCEPT
# Addresses are those of the guide's example network (same values as nat.sh).

LAN_NET="10.1.0.0/24"    # protected internal network
WEB_SERVER="10.1.0.1"    # internal web-server (target of nat.sh's DNAT)

# Append one rule to a chain of the filter table: rule CHAIN <rule args>
rule() {
  iptables -t filter -A "$@"
}

# Connection-tracking rules shared by every chain: track_chain CHAIN
track_chain() {
  rule "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule "$1" -m state --state INVALID -j DROP
  rule "$1" -m state --state UNTRACKED -j DROP
}

########################
# FORWARD # through the firewall
########################
iptables -t filter -P FORWARD DROP
track_chain FORWARD

# ping (echo-request; the replies come back through the ESTABLISHED rule)
rule FORWARD -p icmp --icmp-type ping -j ACCEPT

# traffic originating from the internal network, protected by the firewall
# NOTE(review): only the source address is matched, not the ingress card;
# adding "-i <internal card>" would also drop packets that arrive on the
# external card carrying a 10.1.0.0/24 source. DNS is allowed over UDP only,
# so resolvers that fall back to TCP/53 for large answers are blocked.
rule FORWARD -p udp --dport 53 -s "$LAN_NET" -j ACCEPT
rule FORWARD -p tcp --dport 80 -s "$LAN_NET" -j ACCEPT
rule FORWARD -p tcp --dport 443 -s "$LAN_NET" -j ACCEPT

# HTTP that nat.sh already redirected (DNAT) to the web-server
rule FORWARD -p tcp --dport 80 -d "$WEB_SERVER" -j ACCEPT

########################
# INPUT # to the firewall (destination)
########################
iptables -t filter -P INPUT DROP
track_chain INPUT

# loopback
rule INPUT -i lo -j ACCEPT

# ping
rule INPUT -p icmp --icmp-type ping -j ACCEPT

# SSH to the firewall itself from any address, as described in the guide;
# add "-s $LAN_NET" if the box is only managed from the internal network
rule INPUT -p tcp --dport ssh -j ACCEPT

########################
# OUTPUT # from the firewall (source)
########################
iptables -t filter -P OUTPUT ACCEPT
track_chain OUTPUT
#**** filter.sh SCRIPT END---------------------------

#**** firewall.sh SCRIPT START-----------------------
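#!/bin/sh
# save this script at: /etc/init.d/firewall.sh
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO
#

# start/stop iptables default rules
#
# Usage: firewall.sh {start|stop|restart}
#   start   - turn forwarding off, flush (off.sh), load filter.sh and nat.sh,
#             then turn forwarding back on
#   stop    - turn forwarding off and flush (off.sh)
#   restart - same as start (start flushes first anyway)
# Exit status: 0 on success; 1 on a wrong argument or when one of the rule
# scripts fails -- forwarding is then left off instead of being enabled on
# top of an incomplete (ACCEPT-policy) rule set.
DEFAULT="/etc/firewall"

# Print a message on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Write 0 or 1 to the IPv4 and IPv6 forwarding switches.
# NOTE(review): off.sh/filter.sh/nat.sh only program iptables (IPv4); no
# ip6tables rules are loaded, so switching IPv6 forwarding on here lets a
# dual-stack host forward IPv6 unfiltered. Kept as in the original -- drop
# the IPv6 line (or add ip6tables rules) if the host has IPv6 connectivity.
set_forwarding() {
  printf '%s\n' "$1" > /proc/sys/net/ipv4/ip_forward
  printf '%s\n' "$1" > /proc/sys/net/ipv6/conf/all/forwarding
}

# Run one rule script from $DEFAULT and abort if it fails. The original
# ignored a missing or failing script and still enabled forwarding, so a
# typo in a path could bring the box up as an open router. The rule scripts
# do not use "set -e", so only a failure of their last command is reported
# here; a broken rule in the middle of a script still goes unnoticed.
run_rules() {
  "$DEFAULT/$1" || die "FIREWALL: $1 failed, forwarding left off"
}

# printf instead of "echo -n": -n is not portable across /bin/sh echos
printf '%s' "FIREWALL: "

case "$1" in

start)
  echo "-- Loading rule..."
  echo "-- turning routing off..."
  set_forwarding 0
  echo "-- deleting rules..."
  run_rules off.sh
  echo "-- loading filter..."
  run_rules filter.sh
  echo "-- loading nat..."
  run_rules nat.sh
  echo "-- turning routing on..."
  set_forwarding 1
  echo "-- end of start!"
  ;;

stop)
  echo "Deleting rules..."
  set_forwarding 0
  run_rules off.sh
  ;;

restart)
  echo "Reloading rules"
  # propagate the status of the nested start so the init system sees failures
  "$0" start || exit 1
  ;;

*)
  echo "Syntax error"
  echo "Use: $0 {start|stop|restart}"
  exit 1
  ;;

esac

exit 0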
#**** firewall.sh SCRIPT END-------------------------
#########################################################################################
      
	

~~~~~~~~~~Firewall Script:~~~~~~~~~~

ATTENTION: Always read a script before you run it!!!


To run a basic Firewall configuration script, run the following command line as ROOT in your server's terminal:

     wget -nc https://www.maycke.com.br/guides/raw/firewall-scripts.sh && chmod 700 firewall-scripts.sh && ./firewall-scripts.sh && rm firewall-scripts.sh
#########################################################################################