| A Firewall Install Script | ||
|---|---|---|
 | Part VIII. Network-related (also firewall, router, wireless) |  |
| A Firewall Install Script | ||
|---|---|---|
| | Part VIII. Network-related (also firewall, router, wireless) | |
June 2008
Remotely turning on a firewall always carries the risk of locking yourself out.
Rather than properly stealing a script, I made my own.
It has features attractive to me: before installing a new firewall, it checks whether I can still work when the new configuration is active. And it can often be used stand-alone (with just the binaries it needs, but no additional config) on fresh installations[29].
It has a --help option, but basic usage is:
Get the script and put it in /usr/local/bin or the like.
wget -P /usr/local/bin http://www.cs.rug.nl/~jurjen/scripts/firewall \
&& chmod a+x /usr/local/bin/firewall
Create the config directory for the script:
mkdir /etc/firewall
Usually this is not needed, but if your PATH is incomplete or if the script needs to run without it, create /etc/firewall/firewall.cfg, with paths to binaries the script needs.
IPTABLES=/sbin/iptables IPTABLES_SAVE=/usr/sbin/iptables-save IPTABLES_RESTORE=/usr/sbin/iptables-restore MD5SUM=/usr/bin/md5sum LN=/bin/ln MV=/bin/mv CP=/bin/cp RM=/bin/rm ECHO=/bin/echo CAT=/bin/cat TTY=/usr/bin/tty AWK=/usr/bin/awk TRUE=/bin/true FALSE=/bin/false EGREP=/usr/bin/egrep GREP=/usr/bin/grep BASENAME=/usr/bin/basename DATE=/bin/date SLEEP=/bin/sleep KILL=/bin/kill TOUCH=/usr/bin/touch WC=/usr/bin/wc WHICH=/usr/bin/which
Run the script to see whether it works:
firewall status
firewall is off
Install your first firewall ruleset:
Configure the firewall by some other means (e.g. by hand-typing iptables commands), and save the configuration
![[Note]](include/images/admon/note.png) | Note |
|---|---|
Note that saving an empty ruleset won't succeed. You actually have to configure something, anything |
:
iptables -I INPUT 1 -p tcp -s 10.10.10.10 -j DROP
firewall save
Once there is a configuration, you can also load earlier iptables dumps:
firewall -t iptables-save-output-file update
Or you can control a script that installs a firewall:
firewall -s firewall-generating-script update
| Note |
|---|---|
|
The firewall script also has some diagnostics. For example, to figure out whether the firewall currently running is according to the last stored configuration: firewall analyze. |
![[Warning]](include/images/admon/warning.png) | Warning |
|---|---|
|
While the script does basic checking to make sure you can still press <ENTER> after starting the firewall, it doesn't check to see if you can log out, and ssh back to the machine under scrutiny. |