How to install firewall script in Ubuntu?

https://help.ubuntu.com/community/Router/Firewall

In the link above there is a firewall script described. How can I install this script in Ubuntu 10.0.4 desktop?

Pablo

Posted 2010-09-04T03:01:27.577

Reputation: 4 093

Answers

The “advanced” firewall script is a shell script that is supposed to be executed after both the internal and the external interface are up.

First, put the script somewhere, say /etc/init.d/local/my_firewall_script, make it executable, and add #!/bin/sh as the first line in the script file.

Next, you need to arrange for the script to run after both interfaces are up. You have two options:

  • through upstart. This has my preference because the script must run when both interfaces are up. Create a file /etc/init/my_firewall.conf containing something like this:

    description "My firewall script"
    start on (net-device-up IFACE=br0 and net-device-up IFACE=eth0)
    console output
    
    pre-start exec /etc/init.d/local/my_firewall_script
    

    This is completely untested, and I have zero upstart experience, so you may need to adapt the file. Also there's a bug related to the net-device-up event that might affect you.

  • through ifup scripts. This is a bit fiddly here because the script must be run when the second interface comes up. Create a file /etc/network/if-up.d/my_firewall containing something like this (untested):

    #!/bin/sh
    # ifup sets IFACE to the interface that just came up; only act once
    # both br0 and eth0 have an address, whichever of them came up last.
    if [ "$IFACE" = "br0" ] || [ "$IFACE" = "eth0" ]; then
      if [ -n "$(ip addr show br0 2>/dev/null | grep '^ *inet ')" ] &&
         [ -n "$(ip addr show eth0 2>/dev/null | grep '^ *inet ')" ]; then
        /etc/init.d/local/my_firewall_script
      fi
    fi
    

    If there was a single interface, or if there was a guarantee that one of the interfaces always came up after the other, this method would be simpler and preferred: the script would be (assuming the single or last-up interface is eth0):

    #!/bin/sh
    if [ "$IFACE" = "eth0" ]; then
      /etc/init.d/local/my_firewall_script
    fi
    

Note that the script given there is fairly specific to a particular setup — it's an example of a relatively advanced script. You'll have to adapt it to your setup, at least the IP address ranges and probably the name of the interfaces.

After you've found a method that works, I suggest you write a description of how you did it to the wiki page.

Gilles 'SO- stop being evil'

Posted 2010-09-04T03:01:27.577

Reputation: 58 319

I tried the second way, no good. If I run the firewall script from the shell then I see the rule is added. However, right after boot the rule is not there. Is there any way to log something to /var/log/messages from the script, so I can have some clue why it doesn't work? – Pablo – 2010-09-05T01:39:20.923

@Michael: add set -x; exec >/var/tmp/ 2>&1 to the top of the ifup script. What happens if you do ifdown eth0; ifup eth0? – Gilles 'SO- stop being evil' – 2010-09-05T09:33:57.187
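As an added example (not code from the answer above or from the Ubuntu wiki), here is the ifup approach written so that it also covers the logging question in the comments: the hook runs the firewall script only once every wanted interface has an address, and reports each decision through logger(1) to syslog. The script path and interface names are the ones used in the answer; the function names, the WANTED_IFACES list and the file name are assumptions.

```sh
#!/bin/sh
# Hypothetical /etc/network/if-up.d/my_firewall (added example, not from the answer).
# ifup runs it with IFACE set to the interface that just came up; the firewall may
# only load once BOTH interfaces have an address, so each call re-checks both.

FW_SCRIPT=/etc/init.d/local/my_firewall_script   # path used in Gilles' answer
WANTED_IFACES="br0 eth0"                          # adapt to your interfaces

# 0 if the interface has an IPv4 address. Silence stderr on ip(8) itself;
# a 2>/dev/null after the [ ] test silences the test, not the ip command.
iface_has_inet() {
    ip addr show "$1" 2>/dev/null | grep -q '^ *inet '
}

# 0 only when every interface in WANTED_IFACES has an address.
all_ifaces_up() {
    for i in $WANTED_IFACES; do
        iface_has_inet "$i" || return 1
    done
    return 0
}

# Log through syslog (/var/log/messages or /var/log/syslog, per syslog config).
fw_log() { logger -t my_firewall "$*"; }

# Handle the IFACE that just came up. Returns 0 when the firewall script ran
# successfully, 1 when the event was ignored, the other interface is not up
# yet, or the script failed (the reason is logged either way).
run_if_ready() {
    case " $WANTED_IFACES " in
        *" $IFACE "*) ;;
        *) return 1 ;;
    esac
    if ! all_ifaces_up; then
        fw_log "$IFACE is up, still waiting for all of: $WANTED_IFACES"
        return 1
    fi
    if "$FW_SCRIPT"; then
        fw_log "ran $FW_SCRIPT after $IFACE came up"
    else
        fw_log "$FW_SCRIPT failed with status $? after $IFACE came up"
        return 1
    fi
}

# Only act when ifup invoked us; sourcing the file (e.g. for a test) does nothing.
if [ -n "${IFACE:-}" ]; then
    run_if_ready
fi
```

After a reboot, `grep my_firewall /var/log/syslog /var/log/messages` shows which interface events arrived and whether the firewall script was run or skipped.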

Here is some comprehensive documentation which provides several options you can choose from:

https://help.ubuntu.com/community/IptablesHowTo#Configuration on startup

weston

Posted 2010-09-04T03:01:27.577

Reputation: 111

You can save the script as /etc/iptables.up.rules for example and add:

post-up iptables-restore < /etc/iptables.up.rules

to the /etc/network/interfaces file under the definition of your interface.

laurent

Posted 2010-09-04T03:01:27.577

Reputation: 4 166