I assume that you're already familiar with the runlevel process. If you don't know about runlevels yet, read my tutorial about 'Runlevels in Ubuntu' first.
If you are ready then let’s start a practice with creating our iptables script.
There are 4 steps for you to follow.
- Create your executable script.
- Put the script into the /etc/init.d directory.
- Set up links for your script in each rc?.d directory that point to /etc/init.d/your_script.
- Reboot the system.
Step 1. Create a directory for the script (optional) and create the script.
taufanlubis@zyrex:~$ sudo mkdir /opt/my_firewall
taufanlubis@zyrex:~$ cd /opt/my_firewall/
taufanlubis@zyrex:/opt/my_firewall$
I like to keep my collection of firewall scripts in one directory, so the next time you need one for your work it is easier to find.
Let’s make the script. You can use any text editor you want.
taufanlubis@zyrex:/opt/my_firewall$ sudo gedit myfirewall_scripts
Type your script into the 'gedit' text editor; don't forget to put '#!/bin/bash' at the top of the script.
For example, my script is:
#!/bin/bash
# Remove all previous chain rules
iptables -F
# Accept TCP packets arriving on ethernet card no.1 (eth0)
# on port 80 (http), port 443 (https), port 110 (pop3) and port 25 (smtp)
iptables -A INPUT -p tcp -i eth0 --dport http -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport https -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport pop3 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport smtp -j ACCEPT
# Drop everything that is forwarded or output through eth0,
# and all other incoming TCP traffic except the ports allowed above.
iptables -A FORWARD -o eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP
iptables -A INPUT -p tcp -i eth0 -j DROP
Then, save the file.
Check the content
taufanlubis@zyrex:/opt/my_firewall$ cat myfirewall_scripts
#!/bin/bash
# Remove all previous chain rules
iptables -F
# Accept TCP packets arriving on ethernet card no.1 (eth0)
# on port 80 (http), port 443 (https), port 110 (pop3) and port 25 (smtp)
iptables -A INPUT -p tcp -i eth0 --dport http -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport https -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport pop3 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport smtp -j ACCEPT
# Drop everything that is forwarded or output through eth0,
# and all other incoming TCP traffic except the ports allowed above.
iptables -A FORWARD -o eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP
iptables -A INPUT -p tcp -i eth0 -j DROP
taufanlubis@zyrex:/opt/my_firewall$
Check the file's access permissions
taufanlubis@zyrex:/opt/my_firewall$ ls -l
total 4
-rw-r--r-- 1 root root 582 2007-09-29 10:55 myfirewall_scripts
taufanlubis@zyrex:/opt/my_firewall$
Change the access permissions so the file is executable
taufanlubis@zyrex:/opt/my_firewall$ sudo chmod uog+x myfirewall_scripts
taufanlubis@zyrex:/opt/my_firewall$ ls -l
total 4
-rwxr-xr-x 1 root root 582 2007-09-29 10:55 myfirewall_scripts
taufanlubis@zyrex:/opt/my_firewall$
Now, your script is ready to run.
Test the script
taufanlubis@zyrex:/opt/my_firewall$ sudo ./myfirewall_scripts
taufanlubis@zyrex:/opt/my_firewall$
taufanlubis@zyrex:/opt/my_firewall$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:www
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:https
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:pop3
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:smtp
DROP       tcp  --  anywhere    anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
DROP       0    --  anywhere    anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
DROP       0    --  anywhere    anywhere
taufanlubis@zyrex:/opt/my_firewall$
Now everything is running as expected, and you can add the script to the runlevels you want.
Step 2. Copy your script to /etc/init.d/ directory.
taufanlubis@zyrex:/opt/my_firewall$ sudo cp myfirewall_scripts /etc/init.d/
Check that it is there
taufanlubis@zyrex:/etc/init.d$ ls myfirewall_scripts
myfirewall_scripts
Step 3. Set up links
To set up links for your script in each rc?.d directory you don't have to do it manually one by one. You can use the Ubuntu command update-rc.d.
From the update-rc.d manual page in Ubuntu:
update-rc.d updates the System V style init script links /etc/rcrunlevel.d/NNname whose target is the script /etc/init.d/name. These links are run by init when it changes runlevels; they are generally used to start and stop system services such as daemons. runlevel is one of the runlevels supported by init, namely, 0123456789S, and NN is the two-digit sequence number that determines where in the sequence init will run the scripts.
EXAMPLES
Insert links using the defaults:
update-rc.d foobar defaults
Equivalent command using explicit argument sets:
update-rc.d foobar start 20 2 3 4 5 . stop 20 0 1 6 .
Insert links for a service that should be running during multi-user
mode, but that does not need to be explicitly stopped on shutdown:
update-rc.d foobar multiuser
Equivalent command using explicit argument sets:
update-rc.d foobar start 20 2 3 4 5 . stop 20 1 .
More typical command using explicit argument sets:
update-rc.d foobar start 30 2 3 4 5 . stop 70 0 1 6 .
Remove all links for a script (assuming foobar has been deleted
already):
update-rc.d foobar remove
Example of disabling a service:
update-rc.d -f foobar remove
update-rc.d foobar stop 20 2 3 4 5 .
Example of a command for installing a system initialization-and-shutdown script:
update-rc.d foobar start 45 S . start 31 0 6 .
Example of a command for disabling a system initialization-and-shutdown script:
update-rc.d -f foobar remove
update-rc.d foobar stop 45 S .
Set up links for myfirewall_scripts
taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts defaults
Adding system startup for /etc/init.d/myfirewall_scripts …
/etc/rc0.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts
/etc/rc1.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts
/etc/rc6.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts
/etc/rc2.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts
/etc/rc3.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts
/etc/rc4.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts
/etc/rc5.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts
taufanlubis@zyrex:~$
K20 in rc0.d, rc1.d and rc6.d = myfirewall_scripts will be executed when leaving runlevel N (a 'stop' link).
S20 in rc2.d, rc3.d, rc4.d and rc5.d = myfirewall_scripts will be executed when entering runlevel N (a 'start' link).
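The init links pass 'start' or 'stop' as the first argument, but myfirewall_scripts ignores its arguments, so a K20 link flushes and re-applies the rules rather than stopping anything. Below is an added example, not the post's own script, that keeps the same rule set but handles start/stop/restart/status; it assumes the interface is eth0 and reads the iptables path from the IPTABLES variable so the rules can be dry-run with IPTABLES=echo.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          myfirewall
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the post's iptables rules, honouring start/stop
### END INIT INFO
# Added example, not the original post's myfirewall_scripts: same rule set,
# but wrapped in start/stop handling so the S20/K20 links mean something.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a root-free dry run
IFACE="${IFACE:-eth0}"             # assumption: the post's interface, eth0

# Print the rule arguments one per line without executing anything,
# so the rule set can be reviewed (and tested) without root privileges.
build_rules() {
    for svc in http https pop3 smtp; do
        echo "-A INPUT -p tcp -i $IFACE --dport $svc -j ACCEPT"
    done
    echo "-A FORWARD -o $IFACE -j DROP"
    echo "-A OUTPUT -o $IFACE -j DROP"
    echo "-A INPUT -p tcp -i $IFACE -j DROP"
}

# start: flush, then apply the rules in order; fails on the first bad rule.
fw_start() {
    "$IPTABLES" -F || return 1
    build_rules | while read -r rule; do
        # $rule is deliberately unquoted so it splits into arguments
        "$IPTABLES" $rule || exit 1
    done
}

# stop: flush the filter table (chain policies stay ACCEPT, as in the post).
fw_stop() {
    "$IPTABLES" -F
}

# Dispatch on the argument init passes; with no argument only define
# the functions, so the file can be sourced or tested.
case "$1" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop && fw_start ;;
    status)  "$IPTABLES" -L -n ;;
    "")      ;;
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Installed as /etc/init.d/myfirewall with update-rc.d ... defaults, the S20 links call it with start and the K20 links with stop.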
Step 4. Reboot the system
Check the iptables status. If everything went well, you will see your iptables chain rules.
taufanlubis@zyrex:~$ sudo iptables -L
Password:
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:www
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:https
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:pop3
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:smtp
DROP       tcp  --  anywhere    anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
DROP       0    --  anywhere    anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
DROP       0    --  anywhere    anywhere
taufanlubis@zyrex:~$
Removing a service
taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts remove
update-rc.d: /etc/init.d/myfirewall_scripts exists during rc.d purge (use -f to force)
taufanlubis@zyrex:~$
As the message says, the script still exists in /etc/init.d, so you have to use '-f' (force) to remove the links.
taufanlubis@zyrex:~$ sudo update-rc.d -f myfirewall_scripts remove
Removing any system startup links for /etc/init.d/myfirewall_scripts …
/etc/rc0.d/K20myfirewall_scripts
/etc/rc1.d/K20myfirewall_scripts
/etc/rc2.d/S20myfirewall_scripts
/etc/rc3.d/S20myfirewall_scripts
/etc/rc4.d/S20myfirewall_scripts
/etc/rc5.d/S20myfirewall_scripts
/etc/rc6.d/K20myfirewall_scripts
taufanlubis@zyrex:~$
Is my myfirewall_scripts also removed?
No, your myfirewall_scripts is still in the /etc/init.d/ directory.
update-rc.d only removes the links in each rc?.d directory.
You can check it:
taufanlubis@zyrex:~$ ls /etc/init.d/myfirewall_scripts
/etc/init.d/myfirewall_scripts
taufanlubis@zyrex:~$
Note:
One might, for example, cause the script myfirewall_scripts to execute at boot-up.
Happy trying……..