In the previous post we saw how to configure iptables so that it works as a firewall. Now we will see how to create scripts so that the rules are applied automatically when the system starts, and also how we can remove or stop those rules for a moment.
Before writing the script and showing you how it looks, let's talk a little about NAT and the context of what we want to do with this machine.
NAT and Context of the example.
When we talk about NAT we can confuse it with routing, since both are in charge of connecting two different networks. The difference is that routing is applied to go from one local network to another, and that other network can connect to a router and go out to the Internet.
With NAT, on the other hand, we are routing packets from a local or private network to a public network or the Internet. It does this by rewriting (masquerading) the packets with the public IP with which it goes out to the Internet. In other words, we don't need a separate router, because the public IP belongs directly to the GNU/Linux machine.
We will work with the premise that we are using our Linux as a router/firewall for a local network to go out to the Internet. But here two scenarios can appear.
- Our Linux sits between the service provider's router and the local network.
In this case, between the router and our Linux there would be one network, and between the Linux and the local network there would be a different one. This means that our Linux would not need to do NAT as such; simple traffic routing, as explained in the previous post, would be enough.
- Our Linux has one interface connected to the local network and through the other interface it directly receives a public IP with which it browses.
This means that our Linux must do NAT so that the packets can reach the Internet.
For the purposes of this small lab, then, we will say that our Linux receives a public IP directly, so that we can test the effects of NAT.
To do NAT we then use the syntax:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Where eth1 is the interface on which we receive the public IP, that is, the interface through which we go out to the Internet (note that the output-interface option is a lowercase -o).
Creating iptables script
Suppose then that 172.26.0.0 is our local network and 81.2.3.4 is the public IP with which we go out to the Internet (it is a static IP). I have the interfaces eth0 (local network) and eth1 (public network).
It basically consists of creating a script that can be called from /etc/init.d/firestop (for example), and from this script we can start, stop or check the status of our configuration, just as we do with any system daemon.
Suppose my iptables rules are:
#!/bin/bash
# Firewall of my home.
# File name /etc/firewall_on
# By Jlcmux Twitter: @Jlcmux
#
# Basic policy: drop everything that is not explicitly allowed.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# NAT to share the Internet from eth0 (LAN) out through eth1 (public IP)
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 81.2.3.4
#
# Allow the reply packets of connections initiated from our side
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Authorized outgoing traffic: HTTP, HTTPS and DNS
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
Explanation:
The script basically does the following:
- First, restrict all browsing, connections and traffic (basic firewall policies).
- Then create the NAT with eth1 as the output interface, indicating that we have the static public IP «81.2.3.4».
- It lets in the packets that belong to connections initiated from our side (ESTABLISHED, RELATED).
- Accepts outgoing HTTP, HTTPS, and DNS traffic.
If we wanted to browse from the machine itself, we would repeat those lines changing FORWARD to INPUT or OUTPUT as appropriate.
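The following is an added example, not the post's /etc/firewall_on: the same policy written as shell functions, so that the rule set can be printed and reviewed without root (the default) or applied with APPLY=1. It also adds the INPUT/OUTPUT counterparts for the Linux box itself that the paragraph above describes, and it enables IP forwarding, which the post's script omits but which the kernel requires before it forwards any packet. The interface names and public IP are the post's; APPLY, ipt() and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not the post's script): firewall_on as functions.
# Prints the iptables commands by default; APPLY=1 executes them (needs root).
# APPLY, ipt() and the function names are assumptions of this example.
LAN_IF="eth0"          # local network, as in the post
WAN_IF="eth1"          # public network, receives the public IP
PUBLIC_IP="81.2.3.4"   # static public IP, as in the post

# ipt: print the command, or run it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Rules for traffic the box forwards on behalf of the LAN (the post's script).
forward_rules() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # NAT towards the Internet; -o (lowercase) selects the output interface.
    # SNAT fits a static public IP; MASQUERADE would be used for a dynamic one.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
    # Replies to connections initiated from the LAN.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Authorised outgoing traffic from the LAN: HTTP, HTTPS and DNS.
    for rule in "tcp 80" "tcp 443" "udp 53"; do
        set -- $rule
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$1" --dport "$2" -j ACCEPT
    done
}

# The same ports for the box itself, i.e. the post's "change FORWARD to
# INPUT or OUTPUT": outgoing requests on OUTPUT, their replies on INPUT.
host_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for rule in "tcp 80" "tcp 443" "udp 53"; do
        set -- $rule
        ipt -A OUTPUT -o "$WAN_IF" -p "$1" --dport "$2" -j ACCEPT
    done
}

# The kernel does not forward between interfaces until ip_forward is set;
# the post's script omits this, but without it nothing is forwarded.
enable_forwarding() {
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

firewall_on() {
    enable_forwarding
    forward_rules
    host_rules
}

# ./firewall_on.sh prints the commands; APPLY=1 ./firewall_on.sh applies them.
firewall_on
```

Running it without APPLY shows exactly which rules would be loaded, which is a cheap check before committing a DROP policy. Note that with INPUT and OUTPUT at DROP the box only accepts loopback traffic and replies to its own requests; an administrative session into the box (SSH, for instance) would need its own INPUT rule, which neither the post's script nor this one adds, so apply it from the console.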
Cancel script.
Now we are going to create a script that undoes all of the above and leaves the machine clean of it (for testing, or when we just want to turn off the firewall).
#!/bin/bash
# Firewall of my home.
# File name /etc/firewall_off
# By Jlcmux Twitter: @Jlcmux
#
# Deleting iptables rules (filter table, plus the nat table used by firewall_on)
iptables -F
iptables -t nat -F
#
# Applying default policies (all traffic accepted)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Automating.
Now we create the script inside /etc/init.d/ so that the service starts automatically and we can manage it more comfortably.
#!/bin/bash
# Firewall of my home.
# File name /etc/init.d/firewall
# By Jlcmux Twitter: @Jlcmux
case "$1" in
    start)
        /etc/firewall_on
        ;;
    stop)
        /etc/firewall_off
        ;;
    status)
        iptables -L
        ;;
    *)
        echo "Wrong syntax. Valid = /etc/init.d/firewall start | stop | status"
        exit 1
        ;;
esac
Explanation:
This last script we put in /etc/init.d/ with the name firewall. So if we want to manage the firewall we can use the command /etc/init.d/firewall start. In the same way we can stop it or see its status.
Now we edit the file /etc/rc.local and add something like /etc/init.d/firewall start so that it starts with the system.
Well, that is the second part. I hope it is useful to all of you. In the next one we will look at proxy and IDS.
If you are using Debian, there is a package in the repo (iptables-persistent) that does exactly that: it dumps the current rules in /etc/iptables/rules.v4 or v6 depending on what you use and then applies them for you when you bring the system up.
In practice, to clean the configuration of a conventional iptables firewall (and one using NAT would not be so, from my point of view), in most cases a rule flush and resetting the default policies to ACCEPT would suffice.
But in theory, and as far as I know, in addition to this you also need to delete the non-default chains and reset the counters. These actions must be taken bearing in mind that in addition to "filter" there are other tables (it is mandatory to read the file "/proc/net/ip_tables_names" for this).
By the way, orthodoxy says that a firewall must already be up before the network is. I do not know how it is achieved on other Linux systems, but on Debian-type ones the script could be adapted and placed in the directory "/etc/network/if-pre-up.d/".
Good firewalling everyone. 😉
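As a follow-up to the comment above, here is an added example that is neither the post's nor the commenter's code: a firewall_off that does the fuller reset described there. It flushes the rules, deletes user-defined chains and zeroes the counters in every table listed in /proc/net/ip_tables_names, then sets each table's built-in chains back to ACCEPT. When that file cannot be read (no ip_tables module loaded, or a dry run on another machine) it falls back to the four standard tables. Like the post's scripts it needs root to apply; without APPLY=1 it only prints the commands. APPLY, the function names and the fallback table list are assumptions of this example.

```shell
#!/bin/bash
# Added example (not the post's /etc/firewall_off): reset every loaded table.
# Prints the commands by default; APPLY=1 executes them (needs root).
# APPLY, the function names and the fallback list are assumptions of this example.
TABLES_FILE="/proc/net/ip_tables_names"

# ipt: print the command, or run it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Tables currently loaded in the kernel, one per line. The file only exists
# once the ip_tables module is loaded, hence the fallback list.
loaded_tables() {
    if [ -r "$TABLES_FILE" ]; then
        cat "$TABLES_FILE"
    else
        echo "filter nat mangle raw" | tr ' ' '\n'
    fi
}

# Built-in chains differ per table, so policies must be reset per table.
builtin_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      echo "" ;;
    esac
}

# reset_table TABLE: flush rules (-F), delete user chains (-X),
# zero counters (-Z), then put every built-in chain back to ACCEPT.
reset_table() {
    tbl="$1"
    ipt -t "$tbl" -F
    ipt -t "$tbl" -X
    ipt -t "$tbl" -Z
    for chain in $(builtin_chains "$tbl"); do
        ipt -t "$tbl" -P "$chain" ACCEPT
    done
}

firewall_off() {
    for t in $(loaded_tables); do
        reset_table "$t"
    done
}

# ./firewall_off.sh prints the commands; APPLY=1 ./firewall_off.sh applies them.
firewall_off
```

Because -F and -X are run before the policies are changed, user chains that the built-in chains jump to are gone by the time the policy flips to ACCEPT, so nothing is left referencing a deleted chain.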
Hello, the post is very good. I have read both volumes in full.
Waiting for the next 🙂
A question out of my ignorance: we continue with iptables, but for several kernel versions now we have had nftables, which I am already testing. The questions are: is nftables something beta compared to iptables? Will iptables continue to be used for much longer?
Thank you.
nftables includes all the functionality of iptables, ip6tables, arptables and ebtables, all using a new infrastructure in both kernel space and user space, which ensures better performance and improved functionality. nftables will replace iptables and all the other tools mentioned, but not for the time being, at least not until there is more widespread use of nftables as such.
Very good post, I wanted to keep reading since it is very well explained. Greetings, thanks, great contribution.
Hello! Both posts are very good.
As a contribution, you could add at the end of this part:
"Now we are going to edit the /etc/rc.local file and put something like: /etc/init.d/firestop start so that it starts with the system."
Add this to rc.local.
# Start the firewall script only if it exists and is executable
if [ -x /etc/init.d/firewall ]; then
    /etc/init.d/firewall start
fi
Which means that if "firewall" has execute permissions, run it, and if not, don't.
If you want the "firewall" not to start, you just have to remove the permissions.
For example: chmod +x /etc/init.d/firewall
to make it run on every startup or ...
chmod -x /etc/init.d/firewall
to completely disable it.
Regards!