Re: HOWTO: Use iptables as firewall with a daemon on system startup
I know this thread has been dead for a long time; however, as a regular user I am unable to run:
/sbin/iptables-save
But as root I can. As root I changed the privileges to 777, and as a regular user I am still unable to run this command. Is this by design?
Re: HOWTO: Use iptables as firewall with a daemon on system startup
The iptables system is an interface to the kernel's built-in firewall. Normally, normal users do not access the kernel. Therefore, you should not be able to do anything with iptables as a normal user, but instead have to use sudo.
As it is, this thread describes how to get iptables working at boot time, which therefore should require minimal user interaction, and then using sudo to set it up. After that you just forget about it because it just works.
CelloFellow
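The reason the chmod 777 in the question above changes nothing is that the check is not on the binary at all: the kernel's netfilter code requires the CAP_NET_ADMIN capability (number 12) on the calling process before it will hand out or accept a ruleset, which is why only root, or sudo, can run iptables-save. The following script is an added example, not code from this thread; it decodes the effective capability mask that the kernel shows on the CapEff: line of /proc/self/status so you can see for yourself whether the current shell could talk to netfilter. The sample masks in the comments are typical values, not taken from any post here.

```shell
#!/bin/sh
# Added example: decode the CapEff: hex bitmask from /proc/<pid>/status and
# test it for CAP_NET_ADMIN, the capability netfilter checks for iptables.

CAP_NET_ADMIN=12   # from linux/capability.h

# cap_in_mask <hex mask as printed on the CapEff: line> <capability number>
# Exit status 0 if that bit is set. Pure POSIX sh (works under dash and bash):
# hex digits are counted from the right end of the string, so the length of
# the mask (it grows as kernels add capabilities) does not matter.
cap_in_mask() {
    mask=$1
    bit=$2
    nib_index=$((bit / 4))      # which hex digit, counted from the right
    bit_in_nib=$((bit % 4))     # which bit inside that digit
    rest=$mask
    i=0
    while [ "$i" -lt "$nib_index" ]; do
        rest=${rest%?}          # drop one trailing hex digit
        i=$((i + 1))
    done
    nib=${rest#"${rest%?}"}     # keep only the last remaining digit
    case "$nib" in
        [0-9]) val=$nib ;;
        a|A) val=10 ;; b|B) val=11 ;; c|C) val=12 ;;
        d|D) val=13 ;; e|E) val=14 ;; f|F) val=15 ;;
        *) return 1 ;;          # mask shorter than the bit asked for
    esac
    [ $(( (val >> bit_in_nib) & 1 )) -eq 1 ]
}

# Effective capabilities of the current shell, from /proc/self/status.
current_cap_eff() {
    sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status
}

# Exit status 0 when this shell is allowed to read or change iptables rules.
has_cap_net_admin() {
    cap_in_mask "$(current_cap_eff)" "$CAP_NET_ADMIN"
}

# Typical values (illustrative): a root shell reports something like
# CapEff: 0000003fffffffff, an ordinary user's shell 0000000000000000.
# Try it as a normal user and again under sudo:
#   sh this-script.sh; has_cap_net_admin && echo "can run iptables-save"
```

Running `has_cap_net_admin` from a normal user's shell returns false even if /sbin/iptables-save is world-executable, and returns true under `sudo sh`, which is the whole story behind the original question.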
Re: HOWTO: Use iptables as firewall with a daemon on system startup
This worked perfectly. Thank you!
Re: HOWTO: Use iptables as firewall with a daemon on system startup
Hi,
I am quite new to iptables and such,
but I have some recurring errors with this script.
After each option I get 4 errors like:
Allow ping (y/n)? [y] n
[: 32: ==: unexpected operator
[: 32: ==: unexpected operator
[: 32: ==: unexpected operator
[: 32: ==: unexpected operator
where 32 is always the line after "then" where the script sets its variable.
Also, after the "yes" on applying changes, it again gives 4 times:
[: 100: ==: unexpected operator
What dumb thing am I doing?
grtz,
brabo.
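The `[: ==: unexpected operator` messages in the post above come from the shell, not from iptables: the rules script starts with `#! /bin/sh`, and on Ubuntu /bin/sh is dash, a strict POSIX shell whose `[` only knows `=` for string comparison; `==` is a bash extension. The four errors per prompt are the four `==` tests on each `if` line. The snippet below is an added example (not code from the HOWTO or from any poster) showing a yes/no prompt that behaves the same under dash and bash; the `ask` prompt text is illustrative.

```shell
#!/bin/sh
# Added example: portable yes/no handling for an interactive rules script.
# POSIX [ ] uses '=' for string equality; '==' is bash-only and makes dash
# print "[: N: ==: unexpected operator" for every occurrence.

# True when the running shell's [ accepts '=='. Diagnostic only: run it with
# "sh" and with "bash" to see which one you are actually getting.
shell_accepts_double_equals() {
    [ a == a ] 2>/dev/null
}

# Apply a default when the user just pressed Enter (empty answer).
answer_or_default() {
    if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s' "$1"; fi
}

# Exit status 0 for an affirmative answer, 1 otherwise. A case statement is
# portable and far shorter than a chain of [ ... ] || [ ... ] tests.
is_yes() {
    case "$1" in
        y|Y|yes|Yes|YES) return 0 ;;
        *)               return 1 ;;
    esac
}

# Interactive prompt in the style of the rules script in this thread:
#   ask "Allow ssh (secure shell)" y && allow_ssh=1
#   ask "Do you really want to apply iptables rules" n || exit 1
ask() {
    printf '%s (y/n)? [%s] ' "$1" "$2"
    read -r reply
    reply=$(answer_or_default "$reply" "$2")
    is_yes "$reply"
}
```

`ls -l /bin/sh` shows which shell the symlink points to; on Ubuntu it is dash, so either write the script in POSIX sh as above or change the first line to `#!/bin/bash` and accept that it then only runs under bash.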
Re: HOWTO: Use iptables as firewall with a daemon on system startup
Sorry for posting on an old thread, but I found this using Google. I've never really messed with iptables, but it seemed relatively straightforward until I read that manually editing iptables could be devastating to NetworkManager (I'm using Kubuntu, so I guess KNetworkManager ;) ). For reference, read
https://help.ubuntu.com/community/Ip...5747fb6c581aee
Can anyone confirm this? Does anyone know if it still causes problems in 8.04 (Hardy)?
EDIT: My network/interfaces is empty except for the loopback. I have eth0 (wired) and eth1 (wireless) as well, but entries for these interfaces are not present in network/interfaces. Does this mean that it's completely up to NetworkManager to take care of them?
Re: HOWTO: Use iptables as firewall with a daemon on system startup
Quote: Originally Posted by Sam
This HOWTO is intended to set up a firewall without installing Firestarter (useful if you don't use any wm, e.g. on servers). It uses iptables, which is available with a fresh Ubuntu install, and an init.d script to run it as a daemon on boot.
Please correct me if I'm wrong about the iptables configuration, and feel free to improve the script or tell me new ports to include in it. Thanks!
Create the default rules script
- Create a new script:
Code:
$ sudo gedit /usr/local/bin/iptables-rules
- Paste the following lines:
Code:
#! /bin/sh
#
# Initialize the rules with iptables.
#
# Runs under /bin/sh, which is dash on Ubuntu, so it sticks to POSIX sh:
# '=' in string tests (bash's '==' makes dash print "[: ==: unexpected
# operator"), printf instead of 'echo -e', and id -u instead of bash's $UID.
#
ROOT_UID="0"
#Ctrl-C trapping
trap ctrlc INT
ctrlc()
{
    printf '\nAborted by user.\n'
    exit 2
}
#Check if run as root
if [ "$(id -u)" -ne "$ROOT_UID" ] ; then
    echo "You must be root to do that!"
    exit 1
fi
echo "Which ports do you want to open ?"
allow_icmp="0"
echo -n "Allow ping (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_icmp="1"
fi
allow_ftp="0"
echo -n "Allow ftp (file transfer) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_ftp="1"
fi
allow_ssh="0"
echo -n "Allow ssh (secure shell) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_ssh="1"
fi
allow_smtp="0"
echo -n "Allow smtp (mail sending) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_smtp="1"
fi
allow_http="0"
echo -n "Allow http (web server) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_http="1"
fi
allow_pop3="0"
echo -n "Allow pop3 (pop3 mail server) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_pop3="1"
fi
allow_imap="0"
echo -n "Allow imap (imap mail server) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_imap="1"
fi
allow_https="0"
echo -n "Allow https (secured web server) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_https="1"
fi
allow_mysql="0"
echo -n "Allow mysql (database server) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_mysql="1"
fi
allow_vnc="0"
echo -n "Allow vnc (remote desktop) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_vnc="1"
fi
allow_samba="0"
echo -n "Allow samba (Windows file sharing) (y/n)? [y] "
read -r input
if [ -z "$input" ] || [ "$input" = "y" ] || [ "$input" = "yes" ] || [ "$input" = "Y" ] || [ "$input" = "YES" ] ; then
    allow_samba="1"
fi
printf '\nDo you really want to apply iptables rules ? This will clear every iptables\n'
echo "settings. Use Ctrl-C then 'iptables-save' to save your current settings."
echo -n "(y/n)? [n] "
read -r input
if [ -z "$input" ] || [ "$input" = "n" ] || [ "$input" = "no" ] || [ "$input" = "N" ] || [ "$input" = "NO" ] ; then
    exit 1
fi
echo -n "Applying rules..."
#Flushing the current rules (filter table only; chain policies are left as they are)
iptables -F
#Allow connections already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Accept everything from localhost
iptables -A INPUT -i lo -j ACCEPT
#Ping
if [ "$allow_icmp" -eq 1 ] ; then
    iptables -A INPUT -p icmp -j ACCEPT
fi
#ftp (20,21). Passive-mode data connections are only matched by the
#ESTABLISHED,RELATED rule above when the ftp conntrack helper module is loaded.
if [ "$allow_ftp" -eq 1 ] ; then
    iptables -A INPUT -p tcp -m multiport --destination-ports ftp-data,ftp -j ACCEPT
fi
#ssh (22)
if [ "$allow_ssh" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT
fi
#smtp (25)
if [ "$allow_smtp" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport smtp -j ACCEPT
fi
#http (80)
if [ "$allow_http" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport http -j ACCEPT
fi
#pop3 (110)
if [ "$allow_pop3" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport pop3 -j ACCEPT
fi
#imap (143): the service name in Debian's /etc/services is imap2
if [ "$allow_imap" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport imap2 -j ACCEPT
fi
#https (443)
if [ "$allow_https" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport https -j ACCEPT
fi
#mysql (3306)
if [ "$allow_mysql" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport mysql -j ACCEPT
fi
#vnc (5900)
if [ "$allow_vnc" -eq 1 ] ; then
    iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
fi
#samba (tcp 135,139,445, udp 135,137,138,139,445)
if [ "$allow_samba" -eq 1 ] ; then
    iptables -A INPUT -p tcp -m multiport --destination-ports 135,139,445 -j ACCEPT
    iptables -A INPUT -p udp -m multiport --destination-ports 135,137,138,139,445 -j ACCEPT
fi
#Drop everything else (as a rule, so the INPUT chain policy stays ACCEPT)
iptables -A INPUT -j DROP
#Outbound: allow everything
iptables -A OUTPUT -j ACCEPT
echo " ok !"
exit 0
- Allow execution:
Code:
$ sudo chmod +x /usr/local/bin/iptables-rules
- Run this script to apply iptables rules:
Code:
$ sudo iptables-rules
Create the firewall daemon
Thank you pinnockio for your iptables firewall script!
- Create a new script:
Code:
$ sudo gedit /etc/init.d/iptables
- Paste the following lines:
Code:
#! /bin/sh
#This is an Ubuntu adapted iptables script from gentoo
#(http://www.gentoo.org) which was originally distributed
#under the terms of the GNU General Public License v2
#and was Copyrighted 1999-2004 by the Gentoo Foundation
#
#This adapted version was intended for an ad-hoc personal
#situation and as such no warranty is provided.
#
#Runs under /bin/sh (dash on Ubuntu): string tests use the POSIX '=',
#not the bash-only '=='.
. /lib/lsb/init-functions
IPTABLES_SAVE="/etc/default/iptables-rules"
SAVE_RESTORE_OPTIONS="-c"
checkrules() {
    if [ ! -f "${IPTABLES_SAVE}" ]
    then
        echo "Not starting iptables. First create some rules then run"
        echo "\"/etc/init.d/iptables save\""
        return 1
    fi
}
save() {
    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE}"
    return $?
}
start(){
    checkrules || return 1
    /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE}"
    return $?
}
case "$1" in
save)
    echo -n "Saving iptables state..."
    if save ; then
        echo " ok"
    else
        echo " error !"
    fi
    ;;
start)
    log_begin_msg "Loading iptables state and starting firewall..."
    start
    log_end_msg $?
    ;;
stop)
    log_begin_msg "Stopping firewall..."
    #Flush and delete every chain of every loaded table, then reset the
    #built-in chains to ACCEPT: after "stop" the host is unfiltered.
    for a in $(cat /proc/net/ip_tables_names); do
        /sbin/iptables -F -t "$a"
        /sbin/iptables -X -t "$a"
        if [ "$a" = nat ]; then
            /sbin/iptables -t nat -P PREROUTING ACCEPT
            /sbin/iptables -t nat -P POSTROUTING ACCEPT
            /sbin/iptables -t nat -P OUTPUT ACCEPT
        elif [ "$a" = mangle ]; then
            /sbin/iptables -t mangle -P PREROUTING ACCEPT
            /sbin/iptables -t mangle -P INPUT ACCEPT
            /sbin/iptables -t mangle -P FORWARD ACCEPT
            /sbin/iptables -t mangle -P OUTPUT ACCEPT
            /sbin/iptables -t mangle -P POSTROUTING ACCEPT
        elif [ "$a" = filter ]; then
            /sbin/iptables -t filter -P INPUT ACCEPT
            /sbin/iptables -t filter -P FORWARD ACCEPT
            /sbin/iptables -t filter -P OUTPUT ACCEPT
        fi
    done
    log_end_msg 0
    ;;
restart)
    log_begin_msg "Restarting firewall..."
    #Flush without touching the policies, then reload the saved rules
    for a in $(cat /proc/net/ip_tables_names); do
        /sbin/iptables -F -t "$a"
        /sbin/iptables -X -t "$a"
    done
    start
    log_end_msg $?
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop|restart|save}" >&2
    exit 1
    ;;
esac
exit 0
- Allow execution:
Code:
$ sudo chmod +x /etc/init.d/iptables
- Add the daemon to the runlevels so that it runs before the network is started (on boot) and is killed after the network is stopped (on halt/reboot):
Code:
$ sudo update-rc.d iptables start 37 S . start 37 0 . start 37 6 .
Starting the firewall daemon
- Make sure that you set up iptables as explained above:
Code:
$ sudo iptables-rules
- Save iptables configuration for the daemon:
Code:
$ sudo /etc/init.d/iptables save
- Start the daemon:
Code:
$ sudo /etc/init.d/iptables start
- Done !
I created the default rules script, but when creating the firewall daemon and typing sudo gedit /etc/init.d/iptables, it did nothing, it didn't create a new script. And when I went through the GUI and tried to create it manually, I couldn't because I didn't have that option there. So, what to do?
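The HOWTO quoted above builds the ruleset interactively and then has the init script save it with iptables-save and reload it with iptables-restore. The file that round-trips through /etc/default/iptables-rules is plain text in iptables-restore format, so you can also generate it directly, review it, and hand it to the daemon. The script below is an added example, not the HOWTO's or pinnockio's code; the port list, the 192.0.2.0/24 source network and the output path in the comments are illustrative values. It deliberately differs from the interactive script in a few ways a reviewer would ask for: the INPUT and FORWARD policies are DROP rather than a trailing `-j DROP` rule, so a flushed or half-loaded ruleset fails closed; new connections are matched with conntrack and INVALID packets are dropped; echo-request is rate limited instead of accepting all ICMP; and ssh can be restricted to one source network.

```shell
#!/bin/sh
# Added example: emit a firewall ruleset in iptables-restore format, the same
# format /etc/init.d/iptables in this thread saves to and restores from.

emit() { printf '%s\n' "$1"; }

# build_rules "<space-separated TCP ports>" <allow_icmp 0|1> "<ssh source CIDR or empty>"
# Writes the complete *filter table to stdout.
build_rules() {
    tcp_ports=$1
    allow_icmp=$2
    ssh_from=$3

    emit '*filter'
    # Policies: fail closed for inbound and forwarded traffic.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host opened itself.
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    if [ "$allow_icmp" -eq 1 ]; then
        # Answer pings, but not a flood of them.
        emit '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT'
    fi
    if [ -n "$ssh_from" ]; then
        # ssh only from the management network (illustrative CIDR passed by caller).
        emit "-A INPUT -p tcp -s $ssh_from --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    for port in $tcp_ports; do
        emit "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else hits the DROP policy; log a sample so refused
    # connections show up in the kernel log instead of vanishing silently.
    emit '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "'
    emit 'COMMIT'
}

# Number of TCP accept rules in a ruleset read from stdin (sanity check).
count_tcp_rules() {
    grep -c -- '-p tcp .*--dport'
}

# Typical use with the daemon from this thread (run as root):
#   build_rules "80 443" 1 192.0.2.0/24 > /etc/default/iptables-rules
#   iptables-restore --test < /etc/default/iptables-rules   # parse only, if supported
#   /etc/init.d/iptables start
```

Because the policy is DROP, `/etc/init.d/iptables stop` (which resets the policies to ACCEPT) is still the right way to take the firewall down, but a plain `iptables -F` now leaves the host closed rather than open; keep a console or out-of-band path available when loading a new ruleset on a remote machine. `iptables-restore --test` exists on iptables versions that ship the option; on older versions drop it and rely on the restore itself, which refuses the whole file on a syntax error before touching the running rules.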
Re: HOWTO: Use iptables as firewall with a daemon on system startup
Quote: Originally Posted by johnmorkoss
I created the default rules script, but when creating the firewall daemon and typing sudo gedit /etc/init.d/iptables, it did nothing, it didn't create a new script. And when I went through the GUI and tried to create it manually, I couldn't because I didn't have that option there. So, what to do?
That's weird, especially since it was working in the first step! What happens if you run in a terminal:
Code:
gksudo gedit /etc/init.d/iptables
Can you create the script?