Friday, March 29, 2013

Firewall Script for openSuSE and others

openSuSE and, I guess, Fedora have introduced their own firewall (iptables) configuration GUIs and services that try to make the job of configuring iptables easy.  While that might be useful in a standard desktop environment, I found that it didn't do much for my VirtualBox NAT.

I couldn't create the masquerade rules very easily and I didn't want all the extensive rules governing types of ICMP traffic and logging.  As the SuSEfirewall2 service GUI didn't help and the configuration files were too complicated for this old school blogger, I decided to roll my own script.

On my system, I simply disable the SuSEfirewall2 service and then call this script on boot.

You can find this script and any changes I make to it on my GitHub.  Of course, I won't be putting every rule I have in place online; that would be a crazy security risk.  I just wanted to show the basics that can be easily extended by adding more rules into the filter section.

#!/bin/bash
# IPv4 only: ip6tables is left untouched by this script.
IPT=/usr/sbin/iptables

# Stop the system firewall
systemctl stop SuSEfirewall2.service

# Reset all: flush every rule and delete user-defined chains in each table
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# set default policies: nothing comes in or through unless a rule allows it
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# loopback is always allowed
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# filter: allow all related and established (reply) traffic
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# filter: allow all traffic from vboxnet0, including new connections from the VMs.
$IPT -A INPUT -i vboxnet0 -j ACCEPT

# filter: custom rules go here (ssh shown as the example)
$IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

# forward traffic to and from vboxnet0
# Note: the -o rule accepts new connections from any interface into the VM network;
# add "-m conntrack --ctstate RELATED,ESTABLISHED" to it if the VMs should only
# receive replies to connections they opened.
$IPT -A FORWARD -i vboxnet0 -j ACCEPT
$IPT -A FORWARD -o vboxnet0 -j ACCEPT

# postrouting so traffic from the vboxnet0 subnet appears to come from the host's
# outbound interface address.
$IPT -t nat -A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE

# final rules to block inbound and forwarded traffic not matched above
$IPT -A INPUT -j DROP
$IPT -A FORWARD -j DROP

# turn on ip_forward (required for the FORWARD and MASQUERADE rules to do anything)
sysctl net.ipv4.ip_forward=1

# turn on dnsmasq
systemctl start dnsmasq
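As an added example (not part of the original post), here is a small Python audit that parses `iptables-save` output and checks the invariants the script above relies on: DROP policies on INPUT and FORWARD, a MASQUERADE rule scoped to a source subnet, and no FORWARD rule that accepts unsolicited traffic into the VM network. The embedded dump is constructed to approximate what the script produces; the function and finding texts are my own.

```python
# Constructed sample: roughly what `iptables-save` prints after the script above runs.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vboxnet0 -j ACCEPT
-A FORWARD -o vboxnet0 -j ACCEPT
COMMIT
"""

def parse_iptables_save(dump):
    """Return {table: {'policies': {chain: policy}, 'rules': [token lists]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith('*'):                      # table header, e.g. *filter
            table = line[1:]
            tables[table] = {'policies': {}, 'rules': []}
        elif line.startswith(':'):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]['policies'][chain] = policy
        elif line.startswith('-A '):                  # rule appended to a chain
            tables[table]['rules'].append(line.split())
    return tables

def audit(dump):
    """Return findings for the invariants the script relies on; [] means they all hold."""
    tables = parse_iptables_save(dump)
    filt = tables.get('filter', {'policies': {}, 'rules': []})
    findings = [f'filter/{c} default policy is not DROP'
                for c in ('INPUT', 'FORWARD') if filt['policies'].get(c) != 'DROP']
    for r in filt['rules']:
        # ACCEPT in FORWARD keyed only on the output interface lets any outside host
        # open new connections into the VM network; it should carry a --ctstate match.
        if r[1] == 'FORWARD' and '-o' in r and 'ACCEPT' in r and '--ctstate' not in r:
            findings.append(f"FORWARD accepts unsolicited traffic to {r[r.index('-o') + 1]}")
    for r in tables.get('nat', {'rules': []})['rules']:
        if 'MASQUERADE' in r and '-s' not in r:      # NATs everything that is forwarded
            findings.append('MASQUERADE rule is not limited to a source subnet')
    return findings
```

On a real host, pass the text of `iptables-save` to `audit()`; on the sample dump it reports the unrestricted FORWARD rule for vboxnet0 and nothing else.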