Firewall Configuration Script

Here is a nice generic script that you can use to create a simple firewall on each of your systems. It is great for single systems with only one network interface. You would have to expand it to support systems with multiple interfaces that perform routing tasks (such as a network firewall system). The script does allow a user or program to initiate any type of connection out to other systems. This policy may be too lax for your environment, but in most cases, it is okay. The important thing is that the firewall prevents unwanted incoming connections to your system. It would also be very easy to expand this script to allow specific incoming UDP traffic.

First, the script must determine its hostname and read the appropriate configuration files. The host's configuration file specifies the name of the external interface in the $iface variable. The script uses that variable to determine the system's IP address.

```bash
#!/bin/bash
confdir=/usr/local/etc/firewall
thishost=$(hostname | cut -d. -f1)
[ -r "$confdir/$thishost.conf" ] || {
    # Exit if no configuration file for this host exists
    echo "No firewall configuration for host: $thishost"
    exit 0
}
source "$confdir/global.conf"
source "$confdir/$thishost.conf"

# Determine this system's external IP address
IPADDR=$(ifconfig "$iface" | awk '/inet addr/ {print $2}' | cut -d: -f2)
```

Next, commands are issued that clear all current rules, chains, and counters. The kernel is told to drop all packets by default. Packets claiming that they are from the local system, yet coming in on the network interface, are also dropped:

```bash
# Flush all chains, delete user-defined chains, and clear counters
iptables -F ; iptables -X ; iptables -Z

# We want to drop all packets by default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Do not allow spoofed packets (external packets with our IP)
iptables -A INPUT -i "$iface" -s "$IPADDR" -j DROP

# Don't allow external packets coming from the loopback net
iptables -A INPUT -i "$iface" -d 127.0.0.1/8 -j DROP
```

Now, these commands tell the kernel to allow some basic packets through the firewall—all traffic on the local loopback interface is allowed and limited ICMP traffic is also allowed. Most importantly, both TCP and UDP connections initiated from the system are allowed through the firewall:

```bash
# Now, allow all traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow certain ICMP packets
iptables -A INPUT -i "$iface" -p icmp -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$iface" -p icmp -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow any connections initiated from this system
iptables -A OUTPUT -o "$iface" -p tcp -m state \
    --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$iface" -p tcp -m state \
    --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "$iface" -p udp -m state \
    --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$iface" -p udp -m state \
    --state ESTABLISHED -j ACCEPT
```

The commands inside this nested loop allow incoming connections to be initiated from each trusted host to each specified port:

```bash
# Now, allow traffic from trusted hosts
for trusted in $trusted_hosts ; do
    for service in $trusted_tcp ; do
        echo "Allowing $service TCP traffic from $trusted"
        iptables -A INPUT -i "$iface" -p tcp -s "$trusted" -d "$IPADDR" \
            --dport "$service" -m state --state NEW,ESTABLISHED -j ACCEPT
    done
done
```

Finally, we instruct the kernel to allow incoming traffic from all hosts to connect to specified ports:

```bash
# Allow traffic to select ports from anywhere
for service in $in_tcp ; do
    echo "Allowing all incoming $service TCP traffic"
    iptables -A INPUT -i "$iface" -p tcp -d "$IPADDR" --dport "$service" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
done
```
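To review the complete ruleset before it goes live, here is an added example (not part of the original post) that renders the same policy in iptables-restore format, driven by the same variables the script reads from its configuration files; the function names and the sample addresses are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original post): render the policy the script
# above builds in iptables-restore format, so the whole ruleset can be
# reviewed, checked with `iptables-restore --test`, and applied atomically.
# Variable names follow the script's config files; the functions and the
# sample values in the usage lines are assumptions of this example.

# Replacement for the ifconfig/awk pipeline: the "inet addr:" output form
# is not printed by newer net-tools or by iproute2.
get_ipaddr() {
    ip -4 -o addr show dev "$1" | awk '{split($4, a, "/"); print a[1]; exit}'
}

# render_rules IFACE IPADDR "TRUSTED_HOSTS" "TRUSTED_TCP" "IN_TCP"
render_rules() {
    local iface=$1 ipaddr=$2 trusted_hosts=$3 trusted_tcp=$4 in_tcp=$5
    local proto trusted service
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default-deny policies, as in the script
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Anti-spoofing: our own address or loopback space arriving on $iface
    echo "-A INPUT -i $iface -s $ipaddr -j DROP"
    echo "-A INPUT -i $iface -d 127.0.0.0/8 -j DROP"
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo "-A INPUT -i $iface -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -o $iface -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Outbound connections of either protocol, replies back in
    for proto in tcp udp; do
        echo "-A OUTPUT -o $iface -p $proto -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "-A INPUT -i $iface -p $proto -m state --state ESTABLISHED -j ACCEPT"
    done
    # Inbound connections from trusted hosts, then from anywhere
    for trusted in $trusted_hosts; do
        for service in $trusted_tcp; do
            echo "-A INPUT -i $iface -p tcp -s $trusted -d $ipaddr --dport $service -m state --state NEW,ESTABLISHED -j ACCEPT"
        done
    done
    for service in $in_tcp; do
        echo "-A INPUT -i $iface -p tcp -d $ipaddr --dport $service -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    echo 'COMMIT'
}

# Usage (constructed sample values standing in for a host's .conf):
# render_rules eth0 192.0.2.10 "192.0.2.20 192.0.2.21" "22" "80 443" > /tmp/fw.rules
# iptables-restore --test < /tmp/fw.rules && iptables-restore < /tmp/fw.rules
```

Because iptables-restore loads the whole table in one commit, there is no moment between the flush and the policy commands where the host runs with an empty ruleset under the previous policy.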