iptables is the standard packet-filtering firewall on Ubuntu Linux Server. Here is a procedure to load your firewall rules every time the server starts.
IPTables firewall rules management script
Github https://github.com/garanet/iptables_script.git
Create the startup file in /etc/init.d/ and name it firewall.sh.
~:$ sudo vi /etc/init.d/firewall.sh
Paste the following code, save the file, and exit.
#!/bin/bash
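# www.garanet.net
# LSB header: update-rc.d/insserv (and systemd's sysv generator) read it to
# order the script; without it they warn about missing LSB tags. $local_fs is
# required because the rules script lives under /usr/local.
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load iptables rules from /usr/local/bin/iptables.sh
### END INIT INFO
# Exit status handed back to the init system; every action below sets it.
RETVAL=0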
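# To start the firewall: run the rules script and keep its exit status in
# RETVAL, so a missing/non-executable script or an iptables error is not
# reported to the init system as success.
# Globals:  RETVAL (written)
# Outputs:  progress text on stdout, failure diagnostic on stderr
start() {
  echo -n "IPTables rules creation: "
  if /usr/local/bin/iptables.sh; then
    RETVAL=0
  else
    # $? here is the rules script's (or the shell's 126/127) exit status.
    RETVAL=$?
    echo "failed (exit status $RETVAL)" >&2
  fi
}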
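# To stop the firewall: flush every rule in the filter table (the only table
# the rules script populates). Chain policies are not touched, so after
# "stop" the host is left with the chains' default policy (ACCEPT unless set
# elsewhere) — this disables the filter, it does not lock the host down.
# Globals:  RETVAL (written)
# Outputs:  progress text on stdout, failure diagnostic on stderr
stop() {
  echo -n "Removing all iptables rules: "
  if /sbin/iptables -F; then
    RETVAL=0
  else
    # e.g. not running as root, or iptables missing
    RETVAL=$?
    echo "failed (exit status $RETVAL)" >&2
  fi
}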
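# Dispatch on the action requested by the init system or the admin. Each
# branch sets RETVAL, which becomes the script's exit status below.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    # -n skips reverse-DNS lookups, which can stall the listing for a long
    # time when name resolution is broken while the firewall is inspected.
    /sbin/iptables -L -n && /sbin/iptables -t nat -L -n
    RETVAL=$?
    ;;
  *)
    echo "Usage: firewall {start|stop|restart|status}" >&2
    RETVAL=1
    ;;
esac
# A bare "exit" would report the status of the last command (the RETVAL
# assignment, always 0), so a failed start or a usage error would look like
# success to the caller. Report RETVAL explicitly.
exit "$RETVAL"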
Assign execute privileges to the newly created file:
:$ sudo chmod a+x /etc/init.d/firewall.sh
Now you can create the iptables rules file
sudo vi /usr/local/bin/iptables.sh
Paste the following code, customize the rules as you like, save the file, and exit.
Replace ‘XXX.XXX.XXX.XXX’ with the external IP address that is authorized to access the services of your server.
#!/bin/bash
# www.garanet.net
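# Everything below writes to /proc/sys and to the live iptables ruleset,
# which only root can do. Fail early with a clear message instead of
# half-applying the rules (the /proc writes would fail and the iptables
# calls would be attempted anyway).
if (( EUID != 0 )); then
  echo "iptables.sh: must be run as root" >&2
  exit 1
fi

# Absolute path, matching /etc/init.d/firewall.sh: PATH may be minimal when
# this runs at boot. The script is run as root already, so no sudo is used.
IPT=/sbin/iptables

# Replace XXX.XXX.XXX.XXX with the external IP address(es) allowed to reach
# the "FILTERED" services; add further addresses as extra array elements.
TRUSTED_IPS=("XXX.XXX.XXX.XXX")

# Only IPv4 is configured here; ip6tables is not touched, so the same
# services over IPv6 are subject to whatever ip6tables policy the host has.

# No spoofing: enable reverse-path filtering on every interface.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$filtre"
  done
fi

# No icmp. NOTE: icmp_echo_ignore_all=1 makes the kernel ignore every
# echo-request, including the one ACCEPTed for the trusted host further
# down; set it to 0 if that host is meant to be able to ping this server.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Load some modules you may need. A failed modprobe is not fatal: where the
# module is built in or named differently, modprobe reports an error and
# the script continues.
for mod in ip_tables ip_nat_ftp ip_nat_irc iptable_filter iptable_nat \
           ip_conntrack_irc ip_conntrack_ftp; do
  modprobe "$mod"
done

# Remove all rules and user-defined chains in the filter table. Chain
# policies are NOT changed: nothing in this script sets -P, so traffic that
# is neither ACCEPTed nor REJECTed below falls through to the chain's
# default policy (ACCEPT unless set elsewhere). This is a port blacklist,
# not a default-deny firewall.
"$IPT" -F
"$IPT" -X

# ALLOW NAGIOS from localhost
"$IPT" -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5666 -j ACCEPT
# ALLOW NAGIOS, FTP, SSH and MYSQL FILTERED: only from the trusted hosts
for ip in "${TRUSTED_IPS[@]}"; do
  for port in 5666 21 22 3306; do
    "$IPT" -A INPUT -s "$ip/32" -p tcp -m tcp --dport "$port" -j ACCEPT
  done
  # ALLOW PING ICMP FILTERED (see the icmp_echo_ignore_all note above)
  "$IPT" -A INPUT -s "$ip" -p icmp --icmp-type echo-request -j ACCEPT
done
# ALLOW TOMCAT LOCALHOST
"$IPT" -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8009 -j ACCEPT
"$IPT" -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
# ALLOW HTTP AND HTTPS FROM ALL
"$IPT" -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"$IPT" -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# REJECT THE REST of the filtered services from everyone else. These must
# stay after the ACCEPT rules: the first matching rule in the chain wins.
for port in 5666 21 3306 8080 8009 22; do
  "$IPT" -A INPUT -p tcp -m tcp --dport "$port" -j REJECT --reject-with icmp-port-unreachable
done
"$IPT" -A INPUT -p icmp --icmp-type echo-request -j REJECT
"$IPT" -A INPUT -p tcp -m tcp --dport 111 -j REJECT
echo " [End iptables rules setting]"
# END SCRIPT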
Assign execute privileges to the newly created file:
~:$ sudo chmod a+x /usr/local/bin/iptables.sh
To enable the rules every time the server starts, run the following command (update-rc.d expects the script name as it appears in /etc/init.d, so if it reports that the file does not exist, pass `firewall.sh` instead of the full path):
~:$ sudo update-rc.d /etc/init.d/firewall.sh defaults