Setting Up An Iptables Firewall On Ubuntu With Firehol

Want to support HowtoForge? Become a subscriber!
 
Submitted by PhilBieber (Contact Author) (Forums) on Wed, 2008-04-16 12:31. :: Ubuntu | Security

Setting Up An Iptables Firewall On Ubuntu With Firehol

Introduction

FireHOL is a stateful iptables packet filtering firewall configurator. It is abstracted, extensible, easy and powerful. It can handle any kind of firewall, but most importantly, it gives you the means to configure it, the same way you think of it.
- firehol.sourceforge.net

Everybody, who tried to configure an iptables firewall knows, that it can be quite a PITA. firehol is a tool that helps us to configure iptables according to our needs. In this How-To, I will discribe how to set up an iptables firewal using firehol that only allows SSH and ICMP (the protocol responsible for ping and traceroute). Also, only incoming connections are filtered, and outgoing connections are allowed. Here we go:

 

Step One - Installing firehol

Installing firehol is quite easy, as it is in the official repositories. Just open a terminal and do a

sudo aptitude install firehol

and you're all ready. Don't close your terminal, because we will need it some more.

 

Step Two - Setting firehol up

We have to edit two files. First, we have to enable firehol. Open and edit the file /etc/default/firehol, e.g. with VIM:

sudo vim /etc/default/firehol

Change the first line from

START_FIREHOL=NO

to

START_FIREHOL=YES

save and exit (in VIM, hit [ESC] and then ':wq').

Then we have to define the Firewall rules themselves:

sudo vim /etc/firehol/firehol.conf

Paste this part into the file:

version 5
# Accept all client traffic on any interface
interface any internet
        protection strong
        server "icmp ping ICMP ssh" accept
        client all accept

This filters all incoming connetions that are not related to SSH or ICMP. If you want to be less polite, you can drop them by adding

policy drop

after 'protection strong'.

 

Starting and Fixing firehol

To start firehol just enter

sudo /etc/init.d/firehol start

and DON'T panic if you get a rather long error message. That is related to a bug currently in Ubuntu. To fix it, just enter the following sequence of commmands:

sudo sed 's/%q/%b/g' /lib/firehol/firehol > TMPFILE
sudo cp /lib/firehol/firehol /lib/firehol/firehol.backup
sudo mv TMPFILE /lib/firehol/firehol
sudo chmod 744 /lib/firehol/firehol

and now try it again:

sudo /etc/init.d/firehol start

And now your computer won't accept connections from the outside unless it's a ping request, traceroute or ssh.

Have fun!


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by foilpan (registered user) on Sat, 2008-04-19 14:29.

instead of the copy, you can use this to get it done in one line:

sed -i .backup -e 's/%q/%b/g' /lib/firehol/firehol