Easy Ubuntu Server Firewall

I like to call the method below “The Easy Ubuntu Server Firewall”. You may ask why I call it easy. The answer is simple: it uses standard iptables and has a start and stop script to quickly disable it in the event that debugging is required. Installing the firewall is a simple two stage process. First, adjust the file below, called firewall.rules, to your liking. This file will be placed at /etc/firewall.rules.

# Generated by iptables-save v1.3.3 on Wed Apr  9 10:51:08 2008
# iptables-restore flushes the existing rules before loading the ones below
*filter
:INPUT ACCEPT [146:11332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:9831]

# Allow internal loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow pinging
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow any outbound data, and any inbound data related to a connection that is already in use
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# =========BEGIN SERVER SPECIFIC PORT OPEN RULES=========
# Allow SCP/SSH Access from Green & Blue Subnet
-A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT

# Allow HTTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT

# Allow HTTPS Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT

# Allow MySQL Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3306 -j ACCEPT

# Allow FTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 58000:58010 -j ACCEPT
# =========END SERVER SPECIFIC PORT OPEN RULES=========

# Drop everything that hasn't been picked up by one of the rules above
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP

COMMIT
# Completed on Wed Apr  9 10:51:08 2008

Next we will need to build the init script called firewall to start, stop and restart the firewall. This file will be placed at /etc/init.d/firewall. You will need to make this file executable by running the following command: sudo chmod 0755 /etc/init.d/firewall. Once the file is executable, we will need to employ the update-rc.d tool in order to make the firewall script start on boot with the following command: update-rc.d firewall start 20 2 3 4 5 . stop 99 0 1 6 .

#!/bin/bash

# Name of this script for the usage message, and the exit status on success
SELF=$(basename "$0")
RETVAL=0

case "${1:-}" in
'start')
    echo " * Starting firewall service"
    sudo iptables-restore < /etc/firewall.rules
    ;;
'stop')
    echo " * Stopping firewall service"
    sudo iptables -F
    ;;
'restart')
    echo " * Restarting firewall service"
    sudo iptables -F
    sudo iptables-restore < /etc/firewall.rules
    ;;
*)
    echo "Usage: $SELF start|stop|restart"
    exit 1
    ;;
esac
exit $RETVAL

Lastly, we will want to test our new firewall setup. First we must flush any existing iptables rules and then list them to ensure all are removed, with the following command: sudo iptables -F && sudo iptables -L. Your output should look similar to the picture below.

(Screenshot: output of sudo iptables -L with no rules loaded.)
Once you have verified that no rules are enabled, you can start your firewall with the following command: sudo service firewall start. Now run sudo iptables -L and you should see the rules that you have enabled in your firewall.rules file.
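Before loading a rules file for real, it is worth checking what it actually exposes. The script below is an added example, not part of the original post: it reads a file in the iptables-save layout used above, lists every INPUT ACCEPT rule that opens a port with no -s source restriction, checks that each chain ends in a catch-all DROP, and counts the findings. The sample file it writes is constructed here, and the ALLOWED_PUBLIC list (ports you intend to reach from the Internet) is an assumption you adjust.

```shell
#!/bin/sh
# Added audit helper (not the page's code): flag ports open to every source and
# chains without a final DROP in a firewall.rules file. Needs only sh and awk.

# Ports meant to be reachable from anywhere; other unrestricted ports are flagged.
ALLOWED_PUBLIC="80 443"

# Write a constructed sample in the page's layout to a temp file and print its path.
write_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3306 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
    echo "$f"
}

# Print the --dport of every INPUT ACCEPT rule that carries no -s source restriction.
open_to_all() {
    awk '/^-A INPUT / && /-j ACCEPT/ && /--dport/ && !/ -s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' "$1"
}

# Succeed only when the last rule appended to chain $2 in file $1 is an unconditional DROP.
has_final_drop() {
    awk -v chain="$2" '$1 == "-A" && $2 == chain { last = $0 }
        END { exit !(last == "-A " chain " -j DROP") }' "$1"
}

# Report findings for file $1; the exit status is the number of findings (0 = clean).
audit_rules() {
    findings=0
    for port in $(open_to_all "$1"); do
        case " $ALLOWED_PUBLIC " in
            *" $port "*) ;;
            *) echo "WARN: tcp/$port accepts connections from any source"; findings=$((findings + 1)) ;;
        esac
    done
    for chain in INPUT FORWARD OUTPUT; do
        has_final_drop "$1" "$chain" || { echo "WARN: $chain has no final DROP rule"; findings=$((findings + 1)); }
    done
    return "$findings"
}
```

On the sample, tcp/3306 and the missing OUTPUT DROP are reported; run audit_rules /etc/firewall.rules against your own file, and on newer iptables, iptables-restore --test /etc/firewall.rules parses it without applying it.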
