Jump to content
Not connected, Your IP: 3.147.65.111
Sign in to follow this  
jessez

IPtables(Linux) script to set up firewall easily

Recommended Posts

Hi all,
This is a request for comment on the shell script that sets up IP tables (linux) automatically once you add some details as noted in the script.
Don't forget to run the script as root or using sudo.
Let me know if there are any glitches or you have suggestions of any kind.

Warm regards,
jz

 

Add: May 18, 2013:  I think it's been tested enough, but don't hesitate to comment if you wish

 

jz

Share this post


Link to post

Hi all,

I created a script to set up the Iptables firewall easily, you just have to set some parameters in the script first (ie. adjust for your routers IP address and add the AirVPN server IP's that you want) I tried to do as complete documentation as possible given I've been working on this for the last many hours.

Any questons or sugeetions of any kind are welcome.

Don't forget to change the file extention to .sh and run it as root or using sudo.

Best regards,

jz

iptables-airvpn.txt

Share this post


Link to post

Hi jessez,

about DHCP:
 

# Allow access to DHCP server - I don't use DHCP, so uncomment if you do
# iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT
# iptables -A OUTPUT -s 255.255.255.255/32 -j ACCEPT


the second rule should be changed into:

iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT


Kind regards

Share this post


Link to post

I had a thought that I should post the flush script, in case anyone can't get the firewall working properly and needs to get internet access to do more research or get help.

Again run as root or use sudo, after taking the .txt extention off the file.

jz

flushIPtables.sh.txt

Share this post


Link to post

Hi all, I have screwed up and have two seperate post going on this topic, my apologies. I think everything should go in this one from here.

Well as it turns out the method I used to make a list of usable AirVPN server addresses is more complicated that I originally knew about, but with lots of research and uncountable reboots of my linux box, I think I have the glitches worked out.

This method has the requirement of the package ipset (sudo yum install ipset)

RHEL 6 and clones (Oracle Linux, ScientificLinux and Centos) do not have a kmod-ipset (That I could find).

The ip_set module has to be loaded manually as none of netfilter, iptables or conntrack call the module themselves. As far as I know some linux distros do have a kmod for ip_set so that would make using the sysconfig/ipset.conf not necessary and also throw a boot-time error (fatal nor not).

Probably just using the /etc/sysconfig/ipset-airvpn.sh and modification to the /init.d/iptables file file would be enough for those distros, but we'll see how testing goes with that (if anyone decides to try testing this on other distros).

The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses)

so that there is a table to be read by the time iptables_restore runs (otherwise iptables_restore throws an error that no ipset "airvpn" exists).

So there are 3 files (The first two I created the last one is a system file that needs a modification):

1)

/etc/sysconfig/ipset.conf

This script file tests to see if the ip_set module is loaded already and loads it into the kernel (modprobe) if not.

2)

/etc/sysconfig/ipset-airvpn.sh

This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no-one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d 's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/re-start). After running the script use:

sudo ipset -L airvpn -to make sure all the servers you added to the script are there (It's easiest just to count the lines if you know how many servers you added in the first place), if not, change the part: hashsize 65536 to the next larger: hashsize 131,072 (doing this obviously eats up RAM, so don't change it unless you need to) and note that the hashsize can start at 1024 and double each time from there if you're only using one or two servers and have a need to conserve RAM, just change it down, re-run the script and sudo ipset -L airvpn again to check all your desired servers are listed and keep doubling it until they are. If anyone is wondering about the -exist, it's there incase of accidental duplication of an ip address, the script won't fail.

3)

/etc/init.d/iptables

This is the system file, so be careful; add 2 new lines that become line 55 and line 56:

# Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table

sh /etc/sysconfig/ipset-airvpn.sh

4)

Ok, that should be it, iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting, and trying internet access of any and /or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no internet before starting a VPN connection, and be able to connect to any of the servers you added to ipset-airvpn.sh without open-vpn throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)).

Let me know of any glitches or suggestions. I am familiar with some other linux distros so if anyone needs assistance with an issue on a different one, don't hesitate to ask. This coming week I will be very busy with a family commitment so I may not be able to help in a very timely manner, but I will have time here and there; just so everyone knows...lol

Note: take the .txt extension off of the 2 files and put them in the appropriate folders as listed above.

Regards,

jz

ipset-airvpn.sh_2013-01-21.txt

Share this post


Link to post

Hi,

Just a note that I noticed a non-fatal error on shutdown re: airvpn (the table) already exists. So for some reason the os is trying to remake the table while the system is in a shutdown process. I will post the reason when I figure it out.

jz

Share this post


Link to post

Hi,

I found the reason for the non-fatal error on shutdown. Attched is a revised version of the file with a minor adjustment to tell ipset not try to recreate the "airvpn" table if it already exists.

br,

jz

ipset-airvpn.sh_2013-01-27.txt

Share this post


Link to post

Hi All,

 

Well a few months of testing later; we had a blackout yesterday that broke some o/s system files or something that mashed the DE, so I ended up doing a complete wipe and reinstall of EL6.4 today.

 

I pleased to say that following my own guide (since I couldn't remember all the steps...lol. Getting old! haha), it all works as advertised.

 

I this will help all you RHEL, CentOS, ScientificLinux, etc, users (I actually am using the CERN specific SL6.4 with great results).

 

Best regards to all,

 

jz

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...