vi /root/firewall.start
2. make a second script that flushes all rules and allows all connections (a recovery/debugging tool: after it runs the host has no packet filtering at all)
vi /root/firewall.stop
--
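#!/bin/sh
# firewall.stop -- remove every iptables rule and fall back to allow-all.
#
# SECURITY NOTE: after this script has run the host is completely unfiltered.
# Use it only for recovery or debugging and re-run firewall.start afterwards.
#
# Only the filter, nat and mangle tables are touched (as in the original
# script); the raw table and ip6tables are not covered here.
set -e

echo "Stopping firewall and allowing everyone..."

# Open the default policies *before* flushing. If the policies are DROP and
# the rules are flushed first, there is a window with DROP and no ACCEPT
# rules, which stalls existing sessions (including the SSH session that may
# be running this script).
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush rules (-F) and delete user-defined chains (-X) in each table.
# -X only removes empty, unreferenced chains, so -F must come first.
for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
done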
3. chmod 700 /root/firewall.*
4. load rules
sudo /root/firewall.start
5. use iptables-save to write the active rule set to a file in the format that iptables-restore reads
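# umask 077 makes the file owner-only (0600) from the moment it is created;
# with the default umask the rule set is typically world-readable until the
# chmod in step 7, which exposes the firewall configuration to local users.
sudo sh -c "umask 077; iptables-save > /etc/iptables.rules"
# restore rules with iptables-restore
# sudo iptables-restore < /etc/iptables.rules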
6. to restore the rules on startup, the suggested method is an ifupdown hook in /etc/network/if-pre-up.d/, which runs before each interface is brought up, so the filter is in place before the interface can receive any traffic.
sudo vi /etc/network/if-pre-up.d/iptables
--
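#!/bin/sh
# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#
# Failure policy: a missing rules file means "nothing to restore yet" and is
# not an error. A rules file that exists but is unsafe (wrong mode or owner,
# symlink, not a regular file) or that iptables-restore rejects is an error:
# the script exits non-zero so ifup treats the hook as failed instead of
# silently bringing the interface up unfiltered. Errors go to stderr and to
# syslog (auth.err), since stdout of boot-time hooks is easy to miss.
#
# NOTE(review): only IPv4 (iptables-restore) is handled here; ip6tables is
# not touched by this script.

RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.rules

# Report an error on stderr and syslog, then abort the hook.
fail() {
    printf '%s\n' "$*" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t iptables-restore -p auth.err "$*"
    fi
    exit 1
}

test -x "$RESTORE" || exit 0
test -x "$STAT" || exit 0

# No saved rules yet (e.g. first boot before iptables-save was run).
test -e "$IPSTATE" || exit 0

# Refuse symlinks and non-regular files. stat(1) without -L reports the link
# itself, and a link could redirect the restore to a file controlled by
# someone other than root.
if test -L "$IPSTATE"; then
    fail "$IPSTATE must not be a symlink"
fi
test -f "$IPSTATE" || fail "$IPSTATE must be a regular file"

# Check permissions and ownership (rw------- for root)
mode=$("$STAT" --format="%a" "$IPSTATE") || fail "cannot stat $IPSTATE"
if test "$mode" != "600"; then
    fail "Permissions for $IPSTATE must be 600 (rw-------), found $mode"
fi

# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
owner=$("$STAT" --format="%u" "$IPSTATE") || fail "cannot stat $IPSTATE"
if test "$owner" != "0"; then
    fail "The superuser must have ownership for $IPSTATE (uid 0), found uid $owner"
fi

# Now we are ready to restore the tables. A parse error here must not be
# ignored: the interface would otherwise come up with no rules loaded.
"$RESTORE" < "$IPSTATE" || fail "iptables-restore failed for $IPSTATE"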
7. restrict the rules file to root (the hook above refuses to load it unless it is mode 600 and owned by uid 0) and make the hook script executable
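# The if-pre-up.d hook checks both the mode (600) and the owner (uid 0) of
# the rules file, so set both explicitly rather than relying on who ran
# iptables-save.
sudo chown root:root /etc/iptables.rules
sudo chmod 600 /etc/iptables.rules
sudo chmod +x /etc/network/if-pre-up.d/iptables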