Easy Linux Firewalling using IPTables

This entry was posted on Sunday, 21 March, 2010

A lot of our customers have asked for firewalls, and since this is a common theme, I decided that I would help them out. Of course it can be a mission to learn how to make your own and what to do or not do, and some of the pre-made ones can be confusing.

So i decided to simplify it a little for you all by writing a firewall script. I originally took a script made by somebody else, then totally modified it to suit myself, then modified it again to suit any machine. You *should* be able to literally drop this in place on any server and have it *just work*.

All you need to do is edit the top couple of lines to set which ports you want open or closed, and edit the other options (i.e. the SSH port, etc.). Full instructions are as follows:

wget http://b.ri.mu/files/firewall
nano firewall # ctrl+x to exit when finished editing
chmod +x firewall
./firewall

If you are still able to connect to your VPS in all the usual ways, you can add it to your init scripts. To check which ports you have open, and which of those you want the outside world to connect to, you can use:

netstat -pant | grep LISTEN

If you are unable to log in, you may need to log into the console of your VPS at https://rimuhosting.com/cp/vps/console.jsp

Adding it into the init scripts

cp firewall /etc/init.d/firewall

Debian based (Debian, Ubuntu, etc.)

update-rc.d firewall defaults

CentOS/RPM based

chkconfig --add firewall

11 Responses to “Easy Linux Firewalling using IPTables”

  1. hrmm

    hrmm, I keep getting

    [code]
    bad interpreter: No such file or directory
    [/code]

    🙁

  2. What OS?
    If you add in the top 'set -x' then run it, it should tell you exactly what it was doing when it died (feel free to email me the output for diagnosis liz @ velofille dot come)

  3. hrmm

    heh, thanks, but I managed to figure it out. I use IRC (Internet Relay Chat) – there are many guru people available all hours, in all timezones.

    so, it turns out it was a linefeed problem, something to do with my editors. (running debian 2.6.26)

    This was fixed by typing: perl -p -i -e 's/\r$//g' firewall.sh
    firewall.sh is the file I have named inside /etc/init.d – with update-rc.d firewall.sh defaults

    🙂

  4. Liz

    Yep I'm an old school IRC user also. – phew, thank god it wasn't some major code error 😀

  5. hrmm

    actually, I’m rather new to linux, being a fbsd’er for a number of years, but I never really understood iptables. This script is exactly what I needed, I thank you 😉
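The "bad interpreter" error in comments 1 to 5 is worth being able to spot quickly, because the kernel reads the shebang line up to the first newline, so a script saved with CRLF endings asks for an interpreter called "/bin/sh" followed by a carriage return, which does not exist. The script below is an added example, not part of the original post or of the comments: it checks a file for carriage returns, shows the interpreter line with the stray byte made visible, and strips the CRs with tr (the same effect as the perl one-liner above, without needing perl). The sample file it builds is constructed for the demo, and the file and function names are hypothetical.

```shell
#!/bin/sh
# Added example: find and remove the carriage returns that make the kernel
# report "bad interpreter: No such file or directory". The shebang is read up
# to the first newline, so a CRLF file asks for "/bin/sh\r", which does not exist.

# Succeeds (exit 0) when the file contains any carriage return.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Show the first line with a literal CR rendered as ^M, so the extra byte
# the kernel is tripping over becomes visible on screen.
show_shebang() {
    head -n 1 "$1" | awk '{ gsub(/\r/, "^M"); print }'
}

# Strip every CR. Same effect as perl -p -i -e 's/\r$//g' FILE, but needs
# only tr. Written back through cat so the file keeps its inode and its
# executable bit (mv onto a fresh temp file would lose the mode).
fix_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Constructed sample for the demo: a two-line script saved with CRLF endings
# (hypothetical file name, written to a fresh temp directory).
make_sample() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\r\necho hello\r\n' > "$dir/firewall"
    echo "$dir/firewall"
}

# End-to-end run; returns 0 once the fixed file is free of CRs.
demo() {
    f=$(make_sample)
    if has_crlf "$f"; then
        echo "before: $(show_shebang "$f")"   # before: #!/bin/sh^M
        fix_crlf "$f"
    fi
    echo "after:  $(show_shebang "$f")"       # after:  #!/bin/sh
    ! has_crlf "$f"
}

demo
```

Running it with no arguments builds the sample, shows the shebang before and after, and exits non-zero if any CR survives. To check a real init script, call has_crlf on it (or run head -n 1 on it through awk as show_shebang does); a "^M" at the end of the first line is the whole problem.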

  6. John

    Hello, I was just wondering, how would this script be utilized on a server with multiple interfaces? I tried, it locked up the system. It seems I can do “eth0”, but if I have an interface as eth0:1 – it still locks.

  7. It should work regardless of interface from memory, though I can’t be sure offhand. Will reply/update when I’m near a PC in a day or two

  8. John

    no prob, thanks liz. I have IPs aliased to eth0, due to networking. If they were eth1 or eth2, it works fine. When it’s eth0:1 it locks up. Because they’re aliased to eth0, could I just firewall that interface and it would filter traffic on all interfaces aliased to it?

  9. Heya, at the top it shows the interface. It sets up the default rules to drop everything, then sets up allow rules for each other thing. If you munged something somewhere, the script does not get to run the second lot of rules allowing things, then it may do as you are describing.
    Did you edit it in any way at all? Maybe forget a quote or similar? Does it give any errors? Would love to figure out and debug what the problem is.
    I may edit it and make it not interface specific.

  10. John

    The script is default, the only change has been interface and/or ports. Everything else should run as normal. It doesn’t give errors, it prints the last line, but ends up locking the whole server, not just the interface. I was fortunate enough to have IPMI access.

  11. Are you able to email me the results of iptables -L -n ? or was this on a server that you did not have console on?
    You probably shouldn't change the interface, the outgoing packets will default to eth0 and there will be no rules allowing traffic in/out no doubt. I may change the script to allow multiple interfaces I think.
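Since the post's own script is only linked, not shown, the following is an added example (not the b.ri.mu script, and not Liz's code) of a default-drop iptables firewall in POSIX sh with the shape that the install instructions and comments 9 and 11 describe: flush, allow what is needed, then set the DROP policies. The port variables, the print/apply switch and the log prefix are assumptions. Apart from loopback, no rule names an interface, which is the point comments 6 to 11 circle around: addresses aliased onto eth0:1 and additional NICs are all covered by the same rules, so there is no interface setting to get wrong. The SSH rule is emitted before the editable port lists, so a typo in those lists cannot lock you out, and the DROP policies are applied last, so a script that dies halfway leaves the server reachable rather than sealed. Run it with no arguments to review the rules it would apply; ./firewall apply (as root) executes them.

```shell
#!/bin/sh
# Added example: a minimal default-drop iptables firewall with the shape the
# post describes. Not the b.ri.mu script; the settings below are assumptions.

TCP_IN="22 80 443"   # inbound TCP ports to open (SSH, HTTP, HTTPS)
UDP_IN=""            # inbound UDP ports to open, e.g. "53" for DNS
SSH_PORT=22          # opened before TCP_IN is read, so a typo there cannot lock you out

# Print the iptables commands rather than running them, so the rule set can
# be reviewed (and tested) first and then applied with: ./firewall apply
build_rules() {
    # Start from a clean table with everything allowed, so a failure halfway
    # through leaves the box reachable rather than sealed.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F"
    echo "iptables -X"
    # Loopback, and replies to connections this host opened itself. Only the
    # loopback rule names an interface, so eth0:1 aliases and extra NICs are
    # treated exactly like eth0.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ICMP, so ping and path-MTU discovery keep working.
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    # SSH first, then the editable lists (SSH_PORT is skipped if it appears again).
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    for p in $TCP_IN; do
        [ "$p" = "$SSH_PORT" ] && continue
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_IN; do
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Log a rate-limited sample of what is about to be dropped; this is what
    # you read from the VPS console when diagnosing a lock-out.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
    # Only now flip the default policies: anything not allowed above is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

# Number of ACCEPT rules the current settings produce (a quick sanity check
# before applying: if this is 0 or 1, something in the lists is broken).
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    build_rules | sh -e     # must be root; review the printed rules first
else
    build_rules
fi
```

After applying, confirm with iptables -L -n (as comment 11 asks for) that the ACCEPT rules precede the LOG rule and that the INPUT policy reads DROP; if the SSH session survives, the init-script steps from the post apply unchanged.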

