jessez 3 Posted ...
Hi all,
This is a request for comment on the shell script that sets up iptables (Linux) automatically once you add some details as noted in the script. Don't forget to run the script as root or using sudo. Let me know if there are any glitches or you have suggestions of any kind.
Warm regards,
jz

Add: May 18, 2013: I think it's been tested enough, but don't hesitate to comment if you wish. jz
jessez 3 Posted ...
Hi all,
I created a script to set up the iptables firewall easily; you just have to set some parameters in the script first (i.e. adjust for your router's IP address and add the AirVPN server IPs that you want). I tried to do as complete documentation as possible, given I've been working on this for the last many hours. Any questions or suggestions of any kind are welcome. Don't forget to change the file extension to .sh and run it as root or using sudo.
Best regards,
jz
[attachment: iptables-airvpn.txt]
Staff 9972 Posted ...
Hi jessez,
about DHCP:
    # Allow access to DHCP server - I don't use DHCP, so uncomment if you do
    # iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT
    # iptables -A OUTPUT -s 255.255.255.255/32 -j ACCEPT
the second rule should be changed into:
    iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
Kind regards
jessez 3 Posted ...
Hi all,
I've attached a revised copy with the DHCP error fixed.
Best regards,
jz
[attachment: iptables-airvpn_2013-01-19.txt]
Corsair28 8 Posted ...
I will try it out on one of my Linux machines and let you know if it works.
jessez 3 Posted ...
I had a thought that I should post the flush script, in case anyone can't get the firewall working properly and needs to get internet access to do more research or get help. Again, run as root or use sudo, after taking the .txt extension off the file.
jz
[attachment: flushIPtables.sh.txt]
jessez 3 Posted ...
Hi all,
I have screwed up and have two separate posts going on this topic, my apologies. I think everything should go in this one from here.

Well, as it turns out, the method I used to make a list of usable AirVPN server addresses is more complicated than I originally knew about, but with lots of research and uncountable reboots of my Linux box, I think I have the glitches worked out.

This method has the requirement of the package ipset (sudo yum install ipset). RHEL 6 and clones (Oracle Linux, Scientific Linux and CentOS) do not have a kmod-ipset (that I could find). The ip_set module has to be loaded manually, as none of netfilter, iptables or conntrack call the module themselves. As far as I know some Linux distros do have a kmod for ip_set, so that would make using the sysconfig/ipset.conf not necessary and also throw a boot-time error (fatal or not). Probably just using the /etc/sysconfig/ipset-airvpn.sh and modification to the /init.d/iptables file would be enough for those distros, but we'll see how testing goes with that (if anyone decides to try testing this on other distros).

The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses) so that there is a table to be read by the time iptables-restore runs (otherwise iptables-restore throws an error that no ipset "airvpn" exists).

So there are 3 files (the first two I created, the last one is a system file that needs a modification):

1) /etc/sysconfig/ipset.conf
This script file tests to see if the ip_set module is loaded already and loads it into the kernel (modprobe) if not.

2) /etc/sysconfig/ipset-airvpn.sh
This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no-one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/restart). After running the script use:
    sudo ipset -L airvpn
to make sure all the servers you added to the script are there (it's easiest just to count the lines if you know how many servers you added in the first place). If not, change the part:
    hashsize 65536
to the next larger:
    hashsize 131072
(doing this obviously eats up RAM, so don't change it unless you need to). Note that the hashsize can start at 1024 and double each time from there; if you're only using one or two servers and have a need to conserve RAM, just change it down, re-run the script and sudo ipset -L airvpn again to check all your desired servers are listed, and keep doubling it until they are. If anyone is wondering about the -exist, it's there in case of accidental duplication of an IP address, so the script won't fail.

3) /etc/init.d/iptables
This is the system file, so be careful; add 2 new lines that become line 55 and line 56:
    # Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table
    sh /etc/sysconfig/ipset-airvpn.sh

4) OK, that should be it; iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting, and trying internet access of any and/or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no internet before starting a VPN connection, and be able to connect to any of the servers you added to ipset-airvpn.sh without OpenVPN throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)). Let me know of any glitches or suggestions. I am familiar with some other Linux distros, so if anyone needs assistance with an issue on a different one, don't hesitate to ask.

This coming week I will be very busy with a family commitment so I may not be able to help in a very timely manner, but I will have time here and there; just so everyone knows...lol

Note: take the .txt extension off of the 2 files and put them in the appropriate folders as listed above.
Regards,
jz
[attachment: ipset-airvpn.sh_2013-01-21.txt]
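The procedure in the post above (load ip_set if nothing else has, build the "airvpn" set with -exist so a re-run does not fail, then check with ipset -L that every server you listed actually landed and grow hashsize if not), as an added shell example. It is not one of jessez's attached scripts: the function names, the "render"/"apply" arguments and the check against ipset list are mine, the server addresses are constructed placeholders from documentation ranges, and I assume a hash:ip set, which the post's hashsize option implies but never names. The post has you double hashsize by trial after each run; here the "start at 1024 and keep doubling" rule is applied up front from the number of entries, and malformed or duplicate addresses are filtered out before they can abort the restore.

```shell
#!/bin/sh
# Added example, not one of the scripts attached to this thread: build the
# "airvpn" ipset idempotently and verify that every listed server made it in.
# "sh this.sh apply" (as root) loads the set; with no argument it only prints
# the ipset-restore text, which needs no privileges.

SET_NAME="airvpn"

# Constructed placeholder list (RFC 5737 documentation addresses). Replace
# with the AirVPN server addresses you actually use, one per line. The
# duplicate and the bogus 300.x entry are here only to show the filtering.
AIRVPN_SERVERS="
192.0.2.10
192.0.2.11
198.51.100.5
192.0.2.10
300.1.1.1
"

# Accept only a dotted quad whose four octets are each 0-255.
# Runs in a subshell so the IFS change does not leak out.
valid_ipv4() (
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Valid, deduplicated server list; anything malformed is reported on stderr
# instead of becoming an "add" line that would abort the whole restore.
unique_servers() {
    for ip in $AIRVPN_SERVERS; do
        if valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
        fi
    done | sort -u
}

count_unique() {
    unique_servers 2>/dev/null | grep -c .
}

# Smallest power of two, starting at 1024, that holds n entries: the post's
# "start at 1024 and keep doubling" rule applied up front instead of by trial.
hashsize_for() {
    size=1024
    while [ "$size" -lt "$1" ]; do
        size=$((size * 2))
    done
    printf '%s\n' "$size"
}

# Text in "ipset restore" format. Fed through "ipset -exist restore" it can be
# replayed at boot or shutdown without the "set already exists" error.
render_ipset_restore() {
    servers=$(unique_servers)
    if [ -z "$servers" ]; then
        printf 'no valid server addresses configured\n' >&2
        return 1
    fi
    count=$(printf '%s\n' "$servers" | grep -c .)
    printf 'create %s hash:ip family inet hashsize %s maxelem 65536\n' \
        "$SET_NAME" "$(hashsize_for "$count")"
    printf '%s\n' "$servers" | while read -r ip; do
        printf 'add %s %s\n' "$SET_NAME" "$ip"
    done
}

# Nothing else pulls ip_set in on RHEL 6, so load it if it is missing.
ensure_module() {
    lsmod | grep -q '^ip_set[[:space:]]' || modprobe ip_set
}

# Load the set, then compare what the kernel holds with what was requested:
# the check the post does by hand with "ipset -L airvpn" and line counting.
apply_set() {
    ensure_module
    render_ipset_restore | ipset -exist restore || return 1
    expected=$(count_unique)
    listed=$(ipset list "$SET_NAME" | grep -cE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
    if [ "$listed" -eq "$expected" ]; then
        printf '%s: all %s servers present\n' "$SET_NAME" "$expected"
    else
        printf '%s: only %s of %s servers present, raise hashsize\n' \
            "$SET_NAME" "$listed" "$expected" >&2
        return 1
    fi
}

case "${1:-render}" in
    apply) apply_set ;;
    *) render_ipset_restore ;;
esac
```

Dropping the rendered text into /etc/sysconfig/ipset-airvpn.sh's place and calling "apply" from the init script gives the same effect as the post's step 3, but the final count check means a too-small hashsize is reported at boot instead of being discovered later when OpenVPN cannot reach a server.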
jessez 3 Posted ...
Hi,
Just a note that I noticed a non-fatal error on shutdown re: airvpn (the table) already exists. So for some reason the OS is trying to remake the table while the system is in a shutdown process. I will post the reason when I figure it out.
jz
jessez 3 Posted ...
Hi all,
I just noticed one of the files did not attach itself, so here is that one.
jz
[attachment: ipset.conf.txt]
jessez 3 Posted ...
Hi,
I found the reason for the non-fatal error on shutdown. Attached is a revised version of the file with a minor adjustment to tell ipset not to try to recreate the "airvpn" table if it already exists.
br,
jz
[attachment: ipset-airvpn.sh_2013-01-27.txt]
jessez 3 Posted ...
Hi all,
Well, a few months of testing later; we had a blackout yesterday that broke some OS system files or something that mashed the DE, so I ended up doing a complete wipe and reinstall of EL6.4 today. I'm pleased to say that, following my own guide (since I couldn't remember all the steps...lol. Getting old! haha), it all works as advertised. I hope this will help all you RHEL, CentOS, Scientific Linux, etc. users (I actually am using the CERN-specific SL6.4 with great results).
Best regards to all,
jz