How can I set these iptables rules to run at startup

I usually run my iptables rules whenever I log in. From the terminal I type:

sudo sh firewall.sh

Setting up my sister's computer, I want to give her some basic firewall protection. She won't be logging in as admin, just a standard account. How can I make a firewall script run every time she logs in without her having to type in any password?

The script I wrote for my sister's computer contains:

#!/bin/sh

# Flush all rules and user chains, then default every chain to DROP.
modprobe ip_conntrack
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Outbound: allow HTTP, DNS and HTTPS from ephemeral source ports, plus loopback.
# -I inserts at the head of the chain, so the last -I line is evaluated first.
iptables -I OUTPUT -p tcp --dport 80 --sport 32768:61000 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 --sport 32768:61000 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 443 --sport 32768:61000 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I OUTPUT -p icmp -j DROP

# Inbound: explicitly drop ICMP, UDP and new TCP connections (SYN), then put
# loopback and replies to established connections at the top of the chain.
iptables -I INPUT -p icmp -j DROP
iptables -I INPUT -p udp -j DROP
iptables -I INPUT -p tcp -m tcp --syn -j DROP
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I've placed it in her home folder as firewall.sh and set it to be executable (right click on the file, and checking the "allow executing file as program" option in the permissions tab).

Running this script from the terminal as root works fine.

After typing:

sudo sh firewall.sh

I typed into the terminal:

sudo iptables -L -v

and I get:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
    0     0 DROP       udp  --  any    any     anywhere             anywhere
    0     0 DROP       icmp --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spts:32768:61000 dpt:https
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spts:32768:61000 dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spts:32768:61000 dpt:http
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere

How can I have this script run automatically at login, or possibly save these rules permanently for my sister's computer? Could you please provide some detailed code, as my first attempts at the rc.local method and iptables-save have not been very successful. On every reboot, all INPUT, OUTPUT and FORWARD chains are reset to ACCEPT, with no policies listed when I type sudo iptables -L -v.


Solution 1:

You may want to use the iptables-persistent package rather than mess with your boot scripts. First, run your script to set up the firewall rules. Secondly, run sudo apt-get install iptables-persistent, and follow the prompts. When it asks to save the current rules, hit "Yes" at both prompts. Now, on reboots, your iptables rules will be restored.


NOTE: If you change your rules after this, you will need to do the following command(s) after the changes:

To save your IPv4 iptables rules: sudo su -c 'iptables-save > /etc/iptables/rules.v4'

To save your IPv6 ip6tables rules: sudo su -c 'ip6tables-save > /etc/iptables/rules.v6'

Solution 2:

Assuming you have the firewall rules in:

/etc/iptables.up.rules

Perhaps the most obvious answer would be to create a file called iptables in:

/etc/network/if-pre-up.d

with the content:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

and make it executable using

sudo chmod +x /etc/network/if-pre-up.d/iptables

This way before your network interface is activated your rules will be loaded.
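Both answers depend on a rules file in iptables-save format (the /etc/iptables/rules.v4 that iptables-persistent restores, or the /etc/iptables.up.rules fed to iptables-restore in Solution 2). The symptom in the question, every chain back to ACCEPT after a reboot, is what you see when that file is absent, cut off before its COMMIT line, or was saved while the policies were still ACCEPT. The script below is an added example, not code from either answer or from the iptables-persistent package: it checks such a file offline, without touching the live firewall. The sample rules file it writes is constructed here to mirror the iptables -L -v listing in the question, and the function names (rules_policy, rules_count, check_rules_file, write_sample_rules) are this example's own.

```shell
#!/bin/sh
# Sanity-check an iptables-save style rules file before relying on it to
# bring the firewall up at boot. Needs only sh, awk, grep and sed.

# Print the default policy of CHAIN in the filter table of FILE.
# Policy lines in the file look like ":INPUT DROP [0:0]".
rules_policy() {
    awk -v chain="$2" '
        BEGIN { want = ":" chain }
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == want { print $2; exit }
    ' "$1"
}

# Count the rules (-A lines) that belong to CHAIN in FILE.
rules_count() {
    awk -v chain="$2" '$1 == "-A" && $2 == chain { n++ } END { print n + 0 }' "$1"
}

# Return 0 when FILE has a *filter table, is terminated by COMMIT (without it
# iptables-restore never commits the table) and defaults INPUT, FORWARD and
# OUTPUT to DROP. Otherwise report the first problem on stderr and return 1.
check_rules_file() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    grep -q '^\*filter$' "$f" || { echo "$f: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "$f: no COMMIT line, table would not be applied" >&2; return 1; }
    for chain in INPUT FORWARD OUTPUT; do
        p="$(rules_policy "$f" "$chain")"
        [ "$p" = DROP ] || { echo "$f: $chain policy is '${p:-unset}', expected DROP" >&2; return 1; }
    done
    return 0
}

# Constructed sample: what iptables-save prints after the script in the
# question has run. Rule order matches the iptables -L -v listing above.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p udp -j DROP
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j DROP
-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 32768:61000 --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo: the good sample passes; a copy whose INPUT policy was
# saved as ACCEPT (the state the questioner sees after reboot) is rejected.
demo="${TMPDIR:-/tmp}/rules.v4.demo.$$"
write_sample_rules "$demo"
check_rules_file "$demo" && echo "$demo: DROP policies and COMMIT present, safe to restore"
sed 's/^:INPUT DROP/:INPUT ACCEPT/' "$demo" > "$demo.open"
check_rules_file "$demo.open" || echo "$demo.open: would leave the machine open after reboot"
rm -f "$demo" "$demo.open"
```

Run it with sh check_rules.sh, or point check_rules_file at the real file (sudo sh -c '. ./check_rules.sh; check_rules_file /etc/iptables/rules.v4'). Once a file passes, sudo iptables-restore < file loads it, as in Solution 2, and sudo iptables -L -v should then show policy DROP on all three chains, which is the same check the question uses.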