Michael Kolb Fulda» Web Engineering http://www.michael-kolb.co.uk Web Engineering Mon, 01 Mar 2010 05:58:27 +0000 http://wordpress.org/?v=2.9.1 en hourly 1 Scripting a firewall with iptables http://www.michael-kolb.co.uk/linuxdaemons/scripting-a-firewall-with-iptables/ http://www.michael-kolb.co.uk/linuxdaemons/scripting-a-firewall-with-iptables/#comments Wed, 26 Nov 2008 17:42:59 +0000 mk_michael http://www.michael-kolb.co.uk/?p=61 IPTables is a text based frontend for the ipchains kernel module. The ipchains support is compiled into most kernels of todays distributions. With iptables you don’t have to use a graphical tool. So it’s very suitable for scritpting.

First thing to do is installing neccessary packages, for Ubuntu / Debian:
apt-get update
apt-get install iptables

When the package is installed, create a file inside /etc/init.d/ called iptables (or whatever you want). Copy paste the lines below into.


########################################
#!/bin/sh
# iptables start/stop script
# location /etc/init.d/iptables
########################################

PATH=/bin:/sbin:/usr/bin:/usr/sbin
TABLEBIN=/sbin/iptables

#
# INPUT - SERVICES
#
IN_TCP_SERVICES="80 443 25 110 995 21" # http https smtp pop3 SSL/TLS ftp
IN_UDP_SERVICES=""

#
# OUTPUT - SERVICES
#
OUT_TCP_SERVICES="80 443 25 43 2703 21" # http https smtp whois razor ftp
OUT_UDP_SERVICES="53 123" # DNS ntp

if ! [ -x $TABLEBIN ]; then
echo "IPTABLES does not exists"
exit 0
fi

With the INPUT/OUTPUT section, you’re able to define your services like http or smtp for remote access. Chmod file to 755 and ensure root to be the owner.


chmod 755 /etc/init.d/iptables
chown root:root /etc/init.d/iptables

Check and try the script. If iptables isn’t installed correctly, you wil get an error statement. Next step, calling iptables statements. Append following lines into the iptables script:


#
# start firewall
#
fw_start ()
{
# deny all
$TABLEBIN -P INPUT DROP
$TABLEBIN -P OUTPUT DROP
# common
$TABLEBIN -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$TABLEBIN -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow mysql from special IP adresses
$TABLEBIN -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT # MYSQL for clients
$TABLEBIN -A OUTPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT # MYSQL for clients

# allow always
$TABLEBIN -A INPUT -p tcp --dport 2222 -j ACCEPT # ssh on port 2233
$TABLEBIN -A INPUT -i lo -j ACCEPT
$TABLEBIN -I INPUT -s 127.0.0.1 -j ACCEPT
$TABLEBIN -I OUTPUT -s 127.0.0.1 -j ACCEPT

# deny special bad ip adresses
$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...

# INPUTS
if [ -n "$IN_TCP_SERVICES" ] ; then
for PORT in $IN_TCP_SERVICES; do
$TABLEBIN -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi

if [ -n "$IN_UDP_SERVICES" ] ; then
for PORT in $IN_UDP_SERVICES; do
$TABLEBIN -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
fi

# OUTPUTS
if [ -n "$OUT_TCP_SERVICES" ] ; then
for PORT in $OUT_TCP_SERVICES; do
$TABLEBIN -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi

if [ -n "$OUT_UDP_SERVICES" ] ; then
for PORT in $OUT_UDP_SERVICES; do
$TABLEBIN -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
}

The ssh port is binded to another one, because of improving security.
The last step to complete the script is the stopping call:


#
# stop firewall
#
fw_stop ()
{
$TABLEBIN -F
$TABLEBIN -t nat -F
$TABLEBIN -t mangle -F
$TABLEBIN -P INPUT ACCEPT
$TABLEBIN -P FORWARD ACCEPT
$TABLEBIN -P OUTPUT ACCEPT
}

case "$1" in
start)
echo -n "starting firewall.."
fw_stop
fw_start
echo "done."
;;
stop)
echo -n "stopping firewall.."
fw_stop
echo "done."
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
exit 0

Now you start your iptables script with
/etc/init.d/iptables start
/etc/init.d/iptables stop

To start the script on booting process, put into the runlevel configuration (Debian/Ubuntu):


update-rc.d timWall start 40 S . stop 89 0 6 .

Be careful!! Test it before manually, because you could block yourself out of the system. Firewall architecture with a DMZ:

Firewall with DMZ
Source: http://www.basic-security.com/MEDIA/US/RESEAU-DMZ.jpg

Note: There is a file embedded within this post, please visit this post to download the file.

Useful links:

]]> http://www.michael-kolb.co.uk/linuxdaemons/scripting-a-firewall-with-iptables/feed/ 2