Differences

This shows you the differences between two versions of the page.

--- iptables:implement_a_basic_firewall [2016/10/07 23:29] – peter
+++ iptables:implement_a_basic_firewall [2019/11/29 17:37] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== IPTables - Implement a basic firewall ======
-===== Create the firewall reset script =====
-This scripts completely clears the firewall, and changes all policies to ACCEPT so that the system is complete opened up.
-Issue the following command:
-<code bash>
-sudo vi /sharewiz/firewall/firewall-reset.sh
-</code>
-…add the following content to the file:
-<file bash /sharewiz/firewall/firewall-reset.sh>
-#!/bin/bash
-#
-# Resets all firewall rules
-echo "Stopping firewall and allowing everyone..."
-#
-# Modify the following settings as required:
-#
-IPTABLES=/sbin/iptables
-#
-# Reset the default policies in the filter table.
-#
-$IPTABLES -P INPUT ACCEPT
-$IPTABLES -P FORWARD ACCEPT
-$IPTABLES -P OUTPUT ACCEPT
-#
-# Reset the default policies in the nat table.
-#
-$IPTABLES -t nat -P PREROUTING ACCEPT
-$IPTABLES -t nat -P POSTROUTING ACCEPT
-$IPTABLES -t nat -P OUTPUT ACCEPT
-#
-# Reset the default policies in the mangle table.
-#
-$IPTABLES -t mangle -P PREROUTING ACCEPT
-$IPTABLES -t mangle -P POSTROUTING ACCEPT
-$IPTABLES -t mangle -P INPUT ACCEPT
-$IPTABLES -t mangle -P OUTPUT ACCEPT
-$IPTABLES -t mangle -P FORWARD ACCEPT
-#
-# Flush all the rules in the filter, nat and mangle tables.
-#
-$IPTABLES -F
-$IPTABLES -t nat -F
-$IPTABLES -t mangle -F
-#
-# Erase all chains that are not default in filter, nat and mangle tables.
-#
-$IPTABLES -X
-$IPTABLES -t nat -X
-$IPTABLES -t mangle -X
-</file>
-===== Setup a failsafe when initially setting up the firewall =====
-Prevent being locked out with IP table changes.
-Issue the following command:
-<code bash>
-sudo vi /etc/cron.d/firewall-reset-sharewiz
-</code>
-…add the following content to the file:
-<file bash /etc/cron.d/firewall-reset-sharewiz>
-,10,20,30,40,50 * * * * root /sharewiz/firewall/firewall-reset.sh
-</file>
-===== Make the firewall reset cron job executable =====
-Issue the following command:
-<code bash>
-sudo chmod 755 /etc/cron.d/firewall-reset-sharewiz
-</code>
-===== Create the firewall start / stop script =====
-Issue the following command:
-<code bash>
-sudo vi /etc/init.d/firewall-sharewiz
-</code>
-…add the following content to the file:
-<file bash /etc/init.d/firewall-sharewiz>
-#!/bin/bash
-#
-# Start and stop the Firewall.
-# Modify the following settings as required:
-IPTABLES=/sbin/iptables
-# Required-Start: $network
-# Required-Stop:
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-### END INIT INFO
-opts="start stop restart"
-#if [[ $1 == start ]] ; then
-case "$1" in
-    start)
-        /sharewiz/firewall/firewall.sh
-;;
-    stop)
-        $IPTABLES --flush
-        $IPTABLES -t nat --flush
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        $IPTABLES -t nat -P POSTROUTING ACCEPT
-        $IPTABLES -t nat -P PREROUTING ACCEPT
-        $IPTABLES -t nat -P OUTPUT ACCEPT
-;;
-    restart)
-        $IPTABLES --flush
-        $IPTABLES -t nat --flush
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        $IPTABLES -t nat -P POSTROUTING ACCEPT
-        $IPTABLES -t nat -P PREROUTING ACCEPT
-        $IPTABLES -t nat -P OUTPUT ACCEPT
-        /sharewiz/firewall/firewall.sh
-;;
-esac
-exit 0
-</file>
-===== Make the firewall script executable =====
-Issue the following command:
-<code bash>
-sudo chmod +x /etc/init.d/firewall-sharewiz
-</code>
-===== Install the script to start and stop automatically on system boot and shutdown =====
-Issue the following command:
-<code bash>
-sudo update-rc.d firewall-sharewiz defaults
-</code>
-To have the firewall start before the network comes up use the following command instead:
-<code bash>
-sudo update-rc.d firewall-sharewiz start 20 2 3 4 5 . stop 99 0 1 6 .
-</code>