How to start iptables rules automatically in systemd (ArchLinux)

Some people consider me paranoid when it comes to security, which is why using a firewall is essential for me. My laptop holds sensitive information that matters a great deal to me, and a firewall is to the PC what a lock or a safe is to us. Remember too that on the computer we store email passwords, bank account details (for those who have them), server information and other virtual data that directly affects our physical lives... so, without a doubt, moving around the network without a configured firewall, without proper security on our computer, is not something to be recommended.

Some time ago I showed you how to start iptables rules automatically on distros like Debian, Ubuntu or others that have the /etc/rc.local file; however, in ArchLinux, which uses systemd, that file does not exist.

So, the way I found to have iptables configured the way I want is to create a bash script that sets up the iptables rules, and then modify the /usr/lib/systemd/system/iptables.service file... but let's go step by step 🙂

1. Create a bash script containing our iptables rules, something like this: Bash + iptables script example

2. After creating the script, writing our rules in it and giving it execution permissions, we proceed to edit the systemd iptables service:

The following command must be executed with administrative permissions, either using sudo as I do or directly as the root user:

sudo nano /usr/lib/systemd/system/iptables.service

We will come across something like this:

[Unit]
Description=Packet Filtering Framework

[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

3. Assuming that the script we created earlier is located at /home/myuser/script-iptables.sh, we leave the iptables.service file we have open looking like this:

[Unit]
Description=Packet Filtering Framework

[Service]
Type=oneshot
ExecStart=/home/myuser/script-iptables.sh
ExecReload=/home/myuser/script-iptables.sh
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

4. Then we need to make sure that iptables starts automatically:

sudo systemctl enable iptables

5. We start it:

sudo systemctl start iptables

6. And we can check the rules:

sudo iptables -nL
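As an added example (not the script linked in step 1, and not part of the original post), here is a rules script of the kind the unit above would run. It assumes iptables lives at /usr/bin/iptables (where the Arch package installs it), that sshd listens on port 22, and it adds two verbs of my own: apply runs the rules, and check only prints the commands so the rule set can be reviewed before it is ever loaded:

```shell
#!/bin/sh
# script-iptables.sh: constructed example of the rules script referenced in step 1.
#   sudo ./script-iptables.sh apply   -> load the rules
#   ./script-iptables.sh check        -> print the commands without running them
set -eu

IPT="${IPT:-/usr/bin/iptables}"   # assumed path; Arch installs iptables under /usr/bin
SSH_PORT="${SSH_PORT:-22}"        # assumed; set to the port sshd actually uses

# run: execute one iptables command, or echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# flush_rules: remove every rule, user chain and counter in the filter table
flush_rules() {
    run -F
    run -X
    run -Z
}

# default_policies: drop whatever no rule explicitly allows
default_policies() {
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
}

# apply_rules: the complete rule set, in the order it must be loaded
apply_rules() {
    flush_rules
    default_policies
    # loopback traffic never leaves the machine
    run -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # packets conntrack already classifies as invalid are discarded early
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
    # rate-limited ping keeps the host diagnosable without answering floods
    run -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # inbound SSH; delete this line on a laptop that never runs sshd
    run -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # log what is about to be dropped, rate-limited so the journal is not flooded
    run -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: "
    run -A INPUT -j DROP
}

# rule_count: number of iptables invocations the script makes (useful as a sanity check)
rule_count() {
    ( DRY_RUN=1; apply_rules ) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) apply_rules ;;
    check) DRY_RUN=1; apply_rules ;;
    "")    ;;   # no verb: only define the functions, so the file can be sourced
    *)     echo "usage: $0 apply|check" >&2; exit 1 ;;
esac
```

With this script, step 3 becomes ExecStart=/home/myuser/script-iptables.sh apply. Two things worth checking with that setup: the unit runs the script as root at boot, so the file should be owned by root and not writable by other users (a location such as /usr/local/sbin is safer than a home directory), and files under /usr/lib/systemd/system belong to the iptables package and are replaced on upgrade, whereas a copy of the unit placed in /etc/systemd/system takes precedence and survives upgrades.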

This is simply the easiest way I found to (1) have my own bash script that configures iptables for me, (2) have the rules start automatically, and (3) keep the script independent, that is, if tomorrow I want to use it on a Debian that I install (for example), I won't have to reconfigure much.

Anyway, I hope you find it useful 🙂

Regards



  1.   eliotime3000 said

    Interesting…

  2.   Saul said

    Wouldn't it have been easier to edit the iptables.rules file? If you already have root access with sudo, it would be worth modifying it, right?

  3.   xphnx said

    I do it in a slightly different way, although also taking advantage of the script that you have uploaded to launch the rules.

    1- We launch the service (if we have not done it yet):
    # systemctl enable iptables.service
    # systemctl start iptables.service

    2- We see which rules we have active (we assume that everything is open if we have not touched anything):
    sudo iptables -nvL

    3- We change to the rules we want, launching the configuration script:
    # sh /home/miusuario/script-iptables.sh

    4- Let's see how the active rules have changed:
    # iptables -nvL

    5- We save the new iptables configuration for future reboots:
    # iptables-save > /etc/iptables/iptables.rules

    5b- If we manually edit the /etc/iptables/iptables.rules file to change the rules, we must reload the configuration:
    # systemctl reload iptables

    At least for me it is easier that way. I'm trying to learn some bash and kdialog to manage the settings in a more graphical way. Later I will try to do something more complete with qtcreator, for example, so as to have several configuration scripts depending on the equipment we are configuring (router, PC, etc.), and see how it turns out.

  4.   dhunter said

    This captcha for comments is a bug strainer, please change to another or update this one because it gets annoying after multiple attempts.

    1.    elav said

      It is the same one used by humanOS and Firefoxmanía... maybe it is something to do with the cache.

      1.    dhunter said

        Well, I don't even comment on those two anymore.

  5.   mj said

    Regards,
    This is an extremely useful topic.
    Undoubtedly, for those interested in the security of the information stored on our PC, "Iptables" is one of the tools that must be learned; although, given its importance, it is a bit complicated to learn.
    I found this video on the subject, whose address I hope you will allow me to share: "http://www.youtube.com/watch?v=Z6a-K_8FT_Y". To my surprise, it is somewhat different from what is covered here. But anyway, I suppose that is due to the diversity of distributions that GNU/Linux has (ARCH, DEBIAN, SUSE, etc.); we will have to learn anyway.