Linux firewall

scole of TSBT
Boinc Major General
Posts: 5980
Joined: Mon Feb 03, 2014 2:38 pm
Location: Goldsboro, (Eastern) North Carolina, USA

#1 Linux firewall

Post by scole of TSBT »

I run a server version of Linux on my systems so there's no GUI to configure a firewall. I'm trying out iptables to block a range of IP addresses for the Rosetta challenge. Here's the command I used to add an entry which will block traffic from the range 128.95.160.0-128.95.160.255...

iptables -A INPUT -s 128.95.160.0/24 -j DROP

Is there any better way to set up a firewall on a Linux server?
Dirk Broer
Corsair
Posts: 1962
Joined: Thu Feb 20, 2014 11:24 pm
Location: Leiden, South Holland, Netherlands

#2 Re: Linux firewall

Post by Dirk Broer »

scole of TSBT

#3 Re: Linux firewall

Post by scole of TSBT »

So here's the final setup I decided to use.

1. Save the current set of iptables rules to a file like so...
sudo iptables-save > /home/<username>/iptables.rules

It will create a file with contents that look like this...
# Generated by iptables-save v1.4.21 on Tue Dec 22 09:20:40 2015
*filter
:INPUT ACCEPT [158:22069]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76:122960]
COMMIT
# Completed on Tue Dec 22 09:20:40 2015

2. Create a simple script to edit the rules and reload the rules. I created a script file named set-fw (short for set-firewall), which will load the iptables.rules file in the nano editor. When you exit the editor, it will reload the iptables.rules and echo the current rules. Here is the script...
#!/bin/sh
# Edit the saved rules, then load them into the kernel and list the result.
nano /home/<username>/iptables.rules
iptables-restore < /home/<username>/iptables.rules
iptables -L

3. Run the script...
sudo ./set-fw

and add the first rule which is a line that looks like this...
-A OUTPUT -d 128.95.160.0/24 -j DROP

The file should now look like this...
# Generated by iptables-save v1.4.21 on Tue Dec 22 09:20:40 2015
*filter
:INPUT ACCEPT [158:22069]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76:122960]
-A OUTPUT -d 128.95.160.0/24 -j DROP
COMMIT
# Completed on Tue Dec 22 09:20:40 2015

4. Exit the editor, saving the file in the process. You should see the current rules displayed, like this...
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 128.95.160.0/24 anywhere

5. In order to make these settings persistent, in case the system reboots, modify the network configuration to load the iptables.rules any time the interface is started, such as on a reboot. Add this line to the file /etc/network/interfaces...
pre-up iptables-restore < /home/<username>/iptables.rules

The interfaces file should look something like this...
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /home/<username>/iptables.rules


All I have to do is either add a line for a new project, or comment out a line if I no longer want it blocked. To comment the line, just put a # at the beginning of the line.

Again, if there's any better way, let me know.

NOTE: Pay attention to which chain you use. INPUT requires the -s (source) option and OUTPUT requires the -d (destination) option. Miss that part and you might accidentally upload WUs :x
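Steps 2 through 4 above (edit the saved rules file, reload it, check the chain) as a small POSIX shell script that edits the file for you instead of nano, and that always writes the INPUT/-s and OUTPUT/-d pair the note warns about. This is an added example, not code from the post; it assumes the *filter ... COMMIT layout shown above, takes the rules file path as an argument, and the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the post): maintain per-project block rules in a
# saved iptables.rules file. Functions take the CIDR and the file path as
# arguments; apply_rules needs root on a host that has iptables installed.

# Emit the two rule lines for a CIDR: drop packets from it (INPUT needs -s)
# and to it (OUTPUT needs -d), so the chain/option pairing is never hand-typed.
block_rules() {
    printf '%s\n' "-A INPUT -s $1 -j DROP" "-A OUTPUT -d $1 -j DROP"
}

# Insert the block rules for $1 into file $2 just before the table's COMMIT
# line, skipping any rule that is already present and active (idempotent).
add_block() {
    block_rules "$1" | while IFS= read -r rule; do
        grep -qxF -- "$rule" "$2" && continue
        awk -v r="$rule" '!ins && $0=="COMMIT" {print r; ins=1} {print}' "$2" > "$2.tmp" &&
            mv "$2.tmp" "$2"
    done
}

# Comment the block rules for $1 out (kept for later), as the post suggests.
unblock() {
    block_rules "$1" | while IFS= read -r rule; do
        awk -v r="$rule" '$0==r {print "#" $0; next} {print}' "$2" > "$2.tmp" &&
            mv "$2.tmp" "$2"
    done
}

# Number of active (uncommented) DROP rules for CIDR $1 in file $2.
count_active() {
    grep -cE "^-A (INPUT -s|OUTPUT -d) $1 -j DROP$" "$2"
}

# Write a constructed copy of the saved rules layout to a temp file, print its path.
sample_rules_file() {
    f=$(mktemp) && cat > "$f" <<'EOF' && echo "$f"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Load the file into the kernel (root, with iptables present), then show it.
apply_rules() {
    iptables-restore < "$1" && iptables -L -n
}
```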