Setting up a firewall in Ubuntu with iptables
This simple guide provides an easy way to set up a firewall that loads automatically within Ubuntu. If you are looking for more detailed information about iptables and Ubuntu security, this article is probably not what you should read. However, it is based on the IPTables HowTo from the Ubuntu community documentation, and I highly advise having a look at that source if you need any further insight into this topic.
Defining the rules
Before we start, remember you can have a look at what iptables is doing with:
sudo iptables -L -v
You might want to use it while performing the following steps to get a better idea about what is going on.
To begin with, let's set the default policies so that all incoming traffic and everything forwarded through the machine is dropped unless a later rule accepts it:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
We need to make sure that incoming loopback traffic isn't blocked, or our system might not work properly:
sudo iptables -A INPUT -i lo -j ACCEPT
Next, we want to be able to browse the internet with Firefox, chat with Pidgin, and so on. Those are connections we open ourselves, so we only need to accept the replies to them (established connections and the traffic related to them):
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
We are already done! Still, we might want to have some specific port opened for incoming connections. For instance, let's say that we would like to download the latest .iso available for Ubuntu through BitTorrent. In this case we need a rule that tells iptables to accept incoming connections on its ports:
sudo iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
Saving the rules
Ubuntu isn't going to remember the commands you issued the next time you boot. In order to set up our firewall, we need to perform a few more steps. The first one is to save the rules we have defined:
sudo sh -c "iptables-save > /etc/iptables.rules"
Next, edit /etc/network/interfaces:
sudo gedit /etc/network/interfaces
And add this text to the stanza (iface block) of the interface you want protected:
# text added for the firewall
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.rules
Finally, edit /etc/NetworkManager/dispatcher.d/01firewall:
sudo gedit /etc/NetworkManager/dispatcher.d/01firewall
Copy and paste this script (the original used "return" where "exit 0" appears below; a dispatcher script is executed rather than sourced, so "return" would only print an error and fall through to the restore anyway):
#!/bin/bash
# NetworkManager runs dispatcher scripts with the interface name in $1
# and the action in $2.
if [ -x /usr/bin/logger ]; then
    LOGGER="/usr/bin/logger -s -p daemon.info -t FirewallHandler"
else
    LOGGER=echo
fi

case "$2" in
    pre-up)
        # Nothing to do if the rules file is missing or unreadable.
        if [ ! -r /etc/iptables.rules ]; then
            ${LOGGER} "No iptables rules exist to restore."
            exit 0
        fi
        if [ ! -x /sbin/iptables-restore ]; then
            ${LOGGER} "No program exists to restore iptables rules."
            exit 0
        fi
        ${LOGGER} "Restoring iptables rules"
        # -c restores the packet/byte counters saved with -c below
        /sbin/iptables-restore -c < /etc/iptables.rules
        ;;
    post-down)
        if [ ! -x /sbin/iptables-save ]; then
            ${LOGGER} "No program exists to save iptables rules."
            exit 0
        fi
        ${LOGGER} "Saving iptables rules."
        /sbin/iptables-save -c > /etc/iptables.rules
        ;;
    *)
        ;;
esac
And make sure NetworkManager is able to execute it:
sudo chmod +x /etc/NetworkManager/dispatcher.d/01firewall
You will now be able to restart your computer without losing the set of rules you have defined.
Updating the filters
If you want to remove a rule, the easiest way is probably to go and edit the /etc/iptables.rules file, deleting the lines related to the rules you no longer want applied.
If you want to define another rule, just do it from a terminal, and then save the configuration as you did before: /etc/iptables.rules will be overwritten with the new rules.
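Because /etc/iptables.rules is edited by hand here and then loaded blindly by iptables-restore, a quick check of the file before restoring it is worth having. The following is an added example, not part of the original guide or the Ubuntu HowTo: a POSIX sh script that reads a file in iptables-save format (no root or iptables binary needed) and confirms the baseline defined above is still present; the sample rules file is constructed to match what iptables-save writes after the steps in this guide.

```shell
# Added example: sanity-check a rules file in iptables-save format
# (such as /etc/iptables.rules) without touching the live firewall.

# Constructed sample of what iptables-save writes after the steps above
# (iptables-save prints the state list as RELATED,ESTABLISHED).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT
COMMIT'

# filter_table FILE: print only the *filter table (up to its COMMIT line)
filter_table() {
    sed -n '/^\*filter/,/^COMMIT/p' "$1"
}

# check_rules FILE: return 0 if the guide's baseline is intact (DROP
# policies, loopback allowed, replies allowed); print each failure found
check_rules() {
    table=$(filter_table "$1")
    status=0
    printf '%s\n' "$table" | grep -q '^:INPUT DROP' ||
        { echo "INPUT policy is not DROP"; status=1; }
    printf '%s\n' "$table" | grep -q '^:FORWARD DROP' ||
        { echo "FORWARD policy is not DROP"; status=1; }
    printf '%s\n' "$table" | grep -q '^-A INPUT -i lo -j ACCEPT' ||
        { echo "loopback traffic is not accepted"; status=1; }
    printf '%s\n' "$table" |
        grep -Eq -e '-m state --state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' ||
        { echo "replies to our own connections are not accepted"; status=1; }
    return $status
}

# list_open_ports FILE: print every --dport value ACCEPTed on INPUT, so a
# port that was opened and forgotten stands out when reviewing the file
list_open_ports() {
    filter_table "$1" |
        grep '^-A INPUT .*--dport .* -j ACCEPT' |
        sed 's/.*--dport \([^ ]*\).*/\1/'
}

# Stand-alone usage: write the constructed sample to a temp file and check it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
check_rules "$tmp" && echo "baseline OK; open ports: $(list_open_ports "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

To check the real file, run check_rules /etc/iptables.rules before the iptables-restore step.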
Notes
This guide was tested on a desktop system powered by Ubuntu 7.10.