N.T.A.L Mini Project
Abstract:-
A firewall is a device that allows multiple networks to communicate with one another
according to a defined security policy. They are used when there is a need for networks
of varying levels of trust to communicate with one another. For example, a firewall
typically exists between a corporate network and a public network like the Internet. It
can also be used inside a private network to limit access to different parts of the
network. Wherever there are different levels of trust among the different parts of a
network, a firewall can and should be used.
Firewalls are similar to routers in that they connect networks together. Firewall software
runs on a host that is connected to both trusted and untrusted networks. The host
operating system performs the routing, which most operating systems are capable of. The
host operating system should be made as secure as possible before the firewall software is
installed: know how the operating system was installed, make sure all security patches
are applied, and disable or remove unnecessary services and features.
Firewalls differ from routers in that they provide security mechanisms for permitting and
denying traffic, such as authentication, encryption, content inspection, and address
translation. Many routers offer similar capabilities (high-end Cisco devices, for example),
but their primary function is to route packets between networks; security was added to
them later rather than being part of the original design. A firewall's primary function is
to enforce a security policy, and it is designed with that in mind.
By convention, some ports are routinely used for particular types of applications. For
example, port 80 is used for plaintext HTTP and port 443 for HTTPS. The Linux kernel
includes the netfilter subsystem, which inspects network traffic headed into, out of, or
through your computer and decides its fate. All modern Linux firewall tools (iptables,
nftables, and the front ends built on them) rely on netfilter for packet filtering. The
kernel's packet filter would be of little use to administrators without a user interface for
managing it; that is the purpose of iptables. When a packet reaches your computer, it is
handed to netfilter, which accepts, manipulates, or rejects it according to the rules
supplied through iptables. Thus, iptables is all you need to manage your firewall. (On
current Ubuntu releases the iptables command is a compatibility front end over nftables,
but the rule syntax used in this report is unchanged.)
Introduction
Ubuntu's kernel includes the netfilter firewall framework, so a firewall is always present
and running; with no rules loaded, however, it accepts all traffic. The tool for managing
it is iptables. Its rules are tedious to manage by hand, so Ubuntu provides UFW
(Uncomplicated Firewall) to configure them. UFW is still a command-line tool, which many
desktop users find hard, so you can install Gufw, a graphical front end for UFW.
The first time you open Gufw, the bottom of the window shows 'Disabled Firewall'. This
does not mean the firewall is absent; netfilter is still running. The enabled/disabled
status refers to whether UFW's rule set is loaded, not to the firewall itself.
Gufw is an easy, intuitive way to manage your Ubuntu firewall, powered by UFW. It
supports common tasks such as allowing or blocking pre-configured services, common
P2P applications, or individual IPs and ports, and many others.
Managing the Firewall:-
iptables
iptables is the user-space tool that manages the kernel's netfilter rule tables; together
they form the firewall used on almost all Linux systems. The traditional way to configure
iptables is from the command line. The other utilities in this section simplify the
manipulation of the same rule tables.
UFW
UFW (Uncomplicated Firewall) is a front end for iptables and is particularly well suited
to host-based firewalls. UFW was developed specifically for Ubuntu (but is available in
other distributions) and is also configured from the terminal.
Gufw is a graphical front end to UFW and is recommended for beginners.
UFW was introduced in Ubuntu 8.04 LTS (Hardy Heron) and is installed by default in
every Ubuntu release since then, although it stays inactive until you enable it.
Guarddog
Guarddog is a front end for iptables for KDE-based desktops such as Kubuntu. It is more
complex than Gufw and, correspondingly, more flexible.
Basic iptables Commands
With those concepts in hand, we cover the basic commands that will be used to form
more complex rule sets and to manage iptables in general.
First, you should be aware that iptables commands must be run with root privileges.
This means you need to log in as root, use su or sudo -i to gain a root shell, or precede
all commands with sudo. We are going to use sudo in this guide since that is the
preferred method on an Ubuntu system.
A good starting point is to list the current rules that are configured for iptables. You can
do that with the -L flag (adding -n skips the reverse DNS lookups that can make the
listing slow):
 sudo iptables -L
We have our three built-in chains of the filter table (INPUT, OUTPUT, and FORWARD) and
each chain's default policy (ACCEPT for all three). We also see some column headers but
no actual rules, because Ubuntu does not ship with a default iptables rule set.
We can print the rules in a format that mirrors the commands needed to recreate each
rule and policy by using the -S flag instead:
 sudo iptables -S
Making Rules to Create the Firewall
We're going to start building our firewall policy. We will work with the INPUT chain,
since that is the funnel through which traffic arriving at this host is sent. We start with
the rule that keeps your current SSH session working: it explicitly accepts packets
belonging to connections that are already established. The full rule is this:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
This may look complicated, but most of it makes sense once we go over the
components:
- -A INPUT: The -A flag appends a rule to the end of a chain. This portion of the
command tells iptables that we wish to add a new rule, that we want it added to the end
of the chain, and that the chain we want to operate on is INPUT.
- -m conntrack: iptables has a set of core functionality but also a set of extensions or
modules that provide extra capabilities. Here we ask for the conntrack module, which
lets rules make decisions based on a packet's relationship to connections the kernel has
already seen.
- --ctstate: This is one of the match options made available by the conntrack module. It
matches packets based on how they relate to packets we have seen before. ESTABLISHED
matches packets that are part of an existing connection; RELATED matches packets
associated with an established connection (for example, an ICMP error message about
an existing connection). This is the portion of the rule that matches our current SSH
session.
- -j ACCEPT: This specifies the target for matching packets. Here we tell iptables that
packets matching the preceding criteria should be accepted and allowed through.
Because the chain is empty, the appended rule is also the first rule. We want it at the
top so that connections we are already using are matched, accepted, and pulled out of
the chain before reaching any DROP rule.
We can see the change if we list the rules:
 sudo iptables -L
Accept Other Necessary Connections
We have told iptables to keep open any connections that are already open and to allow
new connections related to those connections. Now we need rules that establish when
we accept new connections that don't meet those criteria.
We want to keep two ports open. The first is our SSH port (this guide assumes the
default, 22; if you have changed it in your SSH configuration, modify the value here). We
also assume this computer is running a web server on the default port 80; if it is not,
you don't need that rule.
The two lines we're going to use to add these rules are:
 sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
As you can see, these are very similar to our first rule, but simpler. The new options
are:
- -p tcp: This option matches packets whose protocol is TCP, the connection-oriented
protocol used by most applications because it provides reliable delivery.
- --dport: This option is available once -p tcp (or -p udp) is given. It adds the
requirement that the packet's destination port match. The first rule matches TCP
packets destined for port 22; the second matches TCP traffic to port 80.
As written, these rules accept every TCP packet to those ports regardless of connection
state. A stricter form adds -m conntrack --ctstate NEW so that only connection openings
match here; packets of established sessions are then handled only by the conntrack rule
above, and stray packets that belong to no connection can be dropped instead.
There is one more accept rule that we need to ensure that our server can function
correctly. Often, services on the computer communicate with each other by sending
network packets to each other. They do this by utilizing a pseudo network interface
called the loopback device, which directs traffic back to itself rather than to other
computers.
So if one service wants to communicate with another service that is listening for
connections on port 4555, it can send a packet to port 4555 of the loopback device. We
want this type of behavior to be allowed, because it is essential for the correct
operation of many programs.
The rule we need to add is this:
 sudo iptables -I INPUT 1 -i lo -j ACCEPT
This looks a bit different from our other commands. Let's go over what it is doing:
- -I INPUT 1: The -I flag tells iptables to insert a rule, unlike -A, which appends one to
the end. The -I flag takes a chain and the position at which to insert the new rule.
In this case, we're adding this rule as the very first rule of the INPUT chain, which bumps
the rest of the rules down. We want it at the top because it is fundamental and should
not be affected by subsequent rules.
- -i lo: This component matches if the interface the packet arrived on is "lo", another
name for the loopback device. Any packet arriving over that interface (generated on our
server, for our server) is accepted.
To see our current rules, we should use the -S flag. Plain -L output omits some
information, such as the interface a rule is tied to (-L -v would show it), which is an
important part of the rule we just added:
 sudo iptables -S
Implementing a Drop Rule
We now have four separate rules that explicitly accept packets based on certain criteria.
However, our firewall is not yet blocking anything.
If a packet enters the INPUT chain and doesn't match one of the four rules we made, it
falls through to the chain's default policy, which is to accept the packet anyway. We
need to change this.
There are two different ways to do this, with some important differences.
The first is to change the default policy of the INPUT chain. We can do this by typing:
 sudo iptables -P INPUT DROP
This will catch any packets that fall through our INPUT chain and drop them. This is
what we call a default drop policy. One implication of this design is that the server keeps
dropping packets even if the rules are flushed, because flushing (iptables -F) removes
rules but leaves the chain policies in place.
You may want your server to drop all connections if the rules are ever dumped; that
prevents it from being left wide open. It also means you can append rules to the bottom
of the chain while still dropping everything else. The price is that an accidental flush on
a remote server locks you out, since your own SSH traffic is dropped too. If you changed
the default policy of the INPUT chain above, you can set it back to follow along by typing:
 sudo iptables -P INPUT ACCEPT
Now you can add a rule to the bottom of the chain that drops any remaining packets:
 sudo iptables -A INPUT -j DROP
Under normal operating conditions the result is exactly the same as a default drop
policy. This rule matches every packet that reaches it, so no packet ever falls all the way
through the chain to the default policy.
Basically, this keeps the default policy set to accept traffic. That way, if there are any
problems and the rules are flushed, you will still be able to reach the machine over the
network. It is a way of implementing a default action without altering the policy that
applies to an empty chain.
Of course, this also means that any additional rule you wish to add to the end of the
chain must be placed before the drop rule. You can do this by temporarily removing the
drop rule:
 sudo iptables -D INPUT -j DROP
 sudo iptables -A INPUT new_rule_here
 sudo iptables -A INPUT -j DROP
Or you can insert the rule you need near the end of the chain (but before the drop) by
specifying its position. To insert a rule at position 4, you could type:
 sudo iptables -I INPUT 4 new_rule_here
If you are having trouble knowing which number each rule has, you can tell iptables to
number the rules:
 sudo iptables -L --line-numbers
Note that everything above applies to IPv4 only. If the server has an IPv6 address, the
same traffic arrives through ip6tables, whose INPUT chain still has an ACCEPT policy and
no rules; build the equivalent rules there too, or the firewall is only half closed.
Saving your Iptables Configuration
By default, the rules you add to iptables are ephemeral: when you restart your server,
they are gone.
This is actually a feature for some users, because it gives them a way back in if they
have accidentally locked themselves out of the server. Most users, however, will want a
way to save the rules they have created automatically and to load them when the server
starts.
There are a few ways to do this, but the easiest is the iptables-persistent package,
available from Ubuntu's default repositories:
 sudo apt-get update
 sudo apt-get install iptables-persistent
During the installation you will be asked whether to save your current rules so that they
are loaded automatically. If you are happy with your current configuration (and you have
tested that you can still open a new, independent SSH session), choose to save them.
The rules are written to /etc/iptables/rules.v4 (and /etc/iptables/rules.v6 for ip6tables),
and a service (netfilter-persistent; called iptables-persistent on older releases) is
configured to run at boot and load them. Later changes made with iptables are not
saved on their own; rerun the save step (sudo netfilter-persistent save) after every
change you want to keep.
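The following script is an added example for this report (not the report's own code, and not part of iptables or iptables-persistent). It collects the steps above (loopback, conntrack, the SSH and HTTP ports, the choice between a DROP policy and a final DROP rule, and saving) into one iptables-restore file, which is the format iptables-persistent loads from /etc/iptables/rules.v4, and it applies that file with an automatic rollback so that a mistake cannot lock you out of a remote server. It goes slightly beyond the tutorial: the port rules only match new connections (--ctstate NEW), packets that conntrack marks INVALID are dropped, and the FORWARD chain is closed because the host is not a router. The port numbers, the /tmp backup path and the .keep confirmation file are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example for the report above, not the report's own code.
#   gen_ruleset         : print the INPUT-chain policy as an iptables-restore file
#   apply_with_rollback : load a ruleset atomically and revert it unless confirmed
set -u

SSH_PORT=22    # assumption: sshd on the default port
HTTP_PORT=80   # assumption: web server on the default port

# gen_ruleset MODE   (MODE = policy | rule)
#   policy : INPUT policy DROP and explicit ACCEPT rules only
#   rule   : INPUT policy ACCEPT with a final catch-all "-A INPUT -j DROP"
# Both variants behave the same under normal operation; they differ in what
# happens after "iptables -F", exactly as discussed in the text.
gen_ruleset() {
  local mode="${1:-policy}" input_policy
  case "$mode" in
    policy) input_policy=DROP ;;
    rule)   input_policy=ACCEPT ;;
    *) printf 'gen_ruleset: unknown mode "%s" (use policy|rule)\n' "$mode" >&2; return 2 ;;
  esac
  # '#' lines are comments to iptables-restore too, so they survive in the saved file.
  cat <<EOF
*filter
:INPUT $input_policy [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback first: local services talking to each other
-A INPUT -i lo -j ACCEPT
# 2. packets of connections we already accepted (keeps the current SSH session alive)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. packets conntrack cannot tie to any connection are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. new inbound connections we explicitly permit (connection openings only)
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $HTTP_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
  if [ "$mode" = rule ]; then
    printf '%s\n' '-A INPUT -j DROP'   # catch-all rule instead of a DROP policy
  fi
  printf 'COMMIT\n'
}

# apply_with_rollback FILE [SECONDS]
#   Loads FILE with iptables-restore, which is all-or-nothing: a syntax error
#   loads nothing, unlike a sequence of separate iptables -A commands. A
#   background timer then restores the previous ruleset after SECONDS unless
#   the operator has proved they can still get in by creating "$backup.keep".
#   Needs root; never invoked by the self-test below.
apply_with_rollback() {
  local file="$1" secs="${2:-60}" backup
  backup="$(mktemp /tmp/iptables-backup.XXXXXX)" || return 1   # assumption: /tmp is writable
  iptables-save >"$backup" || return 1
  iptables-restore <"$file" || return 1
  (
    trap '' HUP     # survive the SSH session dying, which is the very case we guard against
    sleep "$secs"
    [ -e "$backup.keep" ] || iptables-restore <"$backup"
  ) </dev/null >/dev/null 2>&1 &
  printf 'Loaded %s. Open a NEW ssh session to test, then run: touch %s.keep\n' "$file" "$backup"
  printf 'Otherwise the previous rules come back in %s seconds.\n' "$secs"
}

# Command-line use:  ./firewall.sh print policy > rules.v4
#                    sudo ./firewall.sh apply rules.v4 90
case "${1:-}" in
  print) gen_ruleset "${2:-policy}" ;;
  apply) apply_with_rollback "${2:?ruleset file required}" "${3:-60}" ;;
esac
```

Redirect the output of the print mode to /etc/iptables/rules.v4 and the service installed above loads it at boot; build a matching rules.v6 for ip6tables the same way, since this file covers IPv4 only.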
Outputs:-
[Screenshots from the original slides, not reproduced here: firewall status; IP address;
iptables listing; Telnet test; firewall before applying the rules; firewall after applying
the rules]
Conclusion
Thus, using standard Linux tools, we are able to create our own firewall to suit our
needs. There are many other firewall utilities, some of them easier to use, but iptables is
a good learning tool, if only because it exposes some of the underlying netfilter structure
and is present on so many systems.
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
Crystal Structure analysis and detailed information pptx
Crystal Structure analysis and detailed information pptxCrystal Structure analysis and detailed information pptx
Crystal Structure analysis and detailed information pptx
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdf
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm System
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 

Creating a firewall in UBUNTU

  • 1. N.T.A.L Mini Project 1

Abstract:-

A firewall is a device that allows multiple networks to communicate with one another according to a defined security policy. They are used when there is a need for networks of varying levels of trust to communicate with one another. For example, a firewall typically exists between a corporate network and a public network like the Internet. It can also be used inside a private network to limit access to different parts of the network. Wherever there are different levels of trust among the different parts of a network, a firewall can and should be used.

Firewalls are similar to routers in that they connect networks together. Firewall software runs on a host, which is connected to both trusted and untrusted networks. The host operating system is responsible for performing routing functions, which many operating systems are capable of doing. The host operating system should be as secure as possible prior to installing the firewall software. This not only means knowing how the operating system was installed but also making sure that all of the security patches are applied and that unnecessary services and features are disabled or removed.

Firewalls are different from routers in that they are able to provide security mechanisms for permitting and denying traffic, such as authentication, encryption, content security, and address translation. Although many routers provide similar capabilities (such as high-end devices from Cisco), their primary function is to route packets between networks. Security was not part of their initial design but rather an afterthought. A firewall's primary function is to enforce a security policy, and it is designed with this in mind.

By convention, some ports are routinely used for particular types of applications. For example, port 80 is generally used for insecure web browsing and port 443 is used for secure web browsing.

The Linux kernel includes the netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your computer. All modern Linux firewall solutions use this system for packet filtering. The kernel's packet filtering system would be of little use to users or administrators without a user interface with which to manage it. This is the purpose of iptables. When a packet reaches your computer, it is handed off to the netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it via iptables. Thus, iptables is all you need to manage your firewall.
  • 2. Introduction

Ubuntu has a firewall included in the kernel, and it is running by default. What you need to manage this firewall is iptables. But iptables is complicated to manage, so you can use UFW (Uncomplicated Firewall) to configure it. UFW is still hard for normal users, so what you can do is install GUFW, which is just a graphical front end for UFW. If you use GUFW, the first time you will see 'Disabled Firewall' at the bottom of the window. But this is not true: your firewall is already running. This enable/disable message refers to the rules set with UFW, not to the firewall itself.

Gufw is an easy, intuitive way to manage your Ubuntu firewall, powered by ufw. It supports common tasks such as allowing or blocking pre-configured services, common P2P, or individual IP/port(s), and many others.

Managing the Firewall:-

iptables: Iptables is the database of firewall rules and is the actual firewall used in Linux systems. The traditional interface for configuring iptables in Linux systems is the command-line terminal. The other utilities in this section simplify the manipulation of the iptables database.

UFW: UFW (Uncomplicated Firewall) is a front-end for iptables and is particularly well-suited for host-based firewalls. UFW was developed specifically for Ubuntu (but is available in other distributions), and is also configured from the terminal. Gufw is a graphical front-end to UFW, and is recommended for beginners. UFW was introduced in Ubuntu 8.04 LTS (Hardy Heron), and is available by default in all Ubuntu installations after 8.04 LTS.

Guarddog: Guarddog is a front-end for iptables that functions in KDE-based desktops, such as Kubuntu. It has a greater deal of complexity (and flexibility, perhaps).
  • 3. Basic iptables Commands

Now that you have a good understanding of iptables concepts, we should cover the basic commands that will be used to form complex rule sets and to manage the iptables interface in general.

First, you should be aware that iptables commands must be run with root privileges. This means you need to log in as root, use su or sudo -i to gain a root shell, or precede all commands with sudo. We are going to use sudo in this guide since that is the preferred method on an Ubuntu system.

A good starting point is to list the current rules that are configured for iptables. You can do that with the -L flag:

    sudo iptables -L

We have our three default chains (INPUT, OUTPUT, and FORWARD). We also can see each chain's default policy (each chain has ACCEPT as its default policy). We also see some column headers, but we don't see any actual rules. This is because Ubuntu doesn't ship with a default rule set.

We can see the output in a format that reflects the commands necessary to enable each rule and policy by instead using the -S flag:

    sudo iptables -S

Making Rules to create the firewall

We're going to start to build our firewall policies. As we said above, we're going to be working with the INPUT chain since that is the funnel that incoming traffic will be sent through. We are going to start with the rule that we've talked about a bit above: the rule that explicitly accepts your current SSH connection. The full rule we need is this:

    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This may look incredibly complicated, but most of it will make sense when we go over the components:
  • 4.

  - -A INPUT: The -A flag appends a rule to the end of a chain. This is the portion of the command that tells iptables that we wish to add a new rule, that we want that rule added to the end of the chain, and that the chain we want to operate on is the INPUT chain.
  - -m conntrack: iptables has a set of core functionality, but also has a set of extensions or modules that provide extra capabilities. In this portion of the command, we're stating that we wish to have access to the functionality provided by the conntrack module. This module gives access to commands that can be used to make decisions based on the packet's relationship to previous connections.
  - --ctstate: This is one of the commands made available by calling the conntrack module. This command allows us to match packets based on how they are related to packets we've seen before. We pass it the value of ESTABLISHED to allow packets that are part of an existing connection. We pass it the value of RELATED to allow packets that are associated with an established connection. This is the portion of the rule that matches our current SSH session.
  - -j ACCEPT: This specifies the target of matching packets. Here, we tell iptables that packets that match the preceding criteria should be accepted and allowed through.

We put this rule at the beginning because we want to make sure the connections we are already using are matched, accepted, and pulled out of the chain before reaching any DROP rules. We can see the changes if we list the rules:

    sudo iptables -L

Accept Other Necessary Connections

We have told iptables to keep open any connections that are already open and to allow new connections related to those connections. However, we need to create some rules to establish when we want to accept new connections that don't meet those criteria.

We want to keep two ports open specifically. We want to keep our SSH port open (we're going to assume in this guide that this is the default 22. If you've changed this in your SSH configuration, modify your value here). We are also going to assume that this computer is running a web server on the default port 80. If this is not the case for you, you don't have to add that rule.

The two lines we're going to use to add these rules are:

    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

As you can see, these are very similar to our first rule, but perhaps more simple. The new options are:

  - -p tcp: This option matches packets if the protocol being used is TCP. This is a connection-based protocol that will be used by most applications because it allows for reliable communication.
  - --dport: This option is available if the -p tcp flag is given. It gives a further requirement of matching the destination port for the matching packet. The first rule matches for TCP packets destined for port 22, while the second rule matches TCP traffic pointed towards port 80.

There is one more accept rule that we need to ensure that our server can function correctly. Often, services on the computer communicate with each other by sending network packets to each other. They do this by utilizing a pseudo network interface called the loopback device, which directs traffic back to itself rather than to other computers.

So if one service wants to communicate with another service that is listening for connections on port 4555, it can send a packet to port 4555 of the loopback device. We want this type of behavior to be allowed, because it is essential for the correct operation of many programs. The rule we need to add is this:

    sudo iptables -I INPUT 1 -i lo -j ACCEPT

This looks a bit different than our other commands. Let's go over what it is doing:
  • 6.

  - -I INPUT 1: The -I flag tells iptables to insert a rule. This is different than the -A flag which appends a rule to the end. The -I flag takes a chain and the rule position where you want to insert the new rule. In this case, we're adding this rule as the very first rule of the INPUT chain. This will bump the rest of the rules down. We want this at the top because it is fundamental and should not be affected by subsequent rules.
  - -i lo: This component of the rule matches if the interface that the packet is using is the "lo" interface. The "lo" interface is another name for the loopback device. This means that any packet using that interface to communicate (packets generated on our server, for our server) should be accepted.

To see our current rules, we should use the -S flag. This is because the -L flag doesn't include some information, like the interface that a rule is tied to, which is an important part of the rule we just added:

    sudo iptables -S

Implementing a Drop Rule

We now have four separate rules that explicitly accept packets based on certain criteria. However, our firewall currently is not blocking anything. If a packet enters the INPUT chain and doesn't match one of the four rules that we made, it is being passed to our default policy, which is to accept the packet anyway. We need to change this.

There are two different ways that we can do this, with some pretty important differences. The first way we could do this is to modify the default policy of our INPUT chain. We can do this by typing:

    sudo iptables -P INPUT DROP
  • 7.

This will catch any packets that fall through our INPUT chain, and drop them. This is what we call a default drop policy. One of the implications of this type of design is that it falls back on dropping packets if the rules are flushed. You may like your server to automatically drop all connections in the event that the rules are dumped. This would prevent your server from being left wide open. This also means that you can easily append rules to the bottom of the chain while still dropping packets as you'd like.

If you changed the default policy for the INPUT chain above, you can set it back to follow along by typing:

    sudo iptables -P INPUT ACCEPT

Now, you can add a rule to the bottom of the chain that will drop any remaining packets:

    sudo iptables -A INPUT -j DROP

The result under normal operating conditions is exactly the same as a default drop policy. This rule works by matching every remaining packet that reaches it. This prevents a packet from ever dropping all of the way through the chain to reach the default policy. Basically, this is used to keep the default policy to accept traffic. That way, if there are any problems and the rules are flushed, you will still be able to access the machine over the network. This is a way of implementing a default action without altering the policy that will be applied to an empty chain.

Of course, this also means that any additional rule that you wish to add to the end of the chain will have to be added before the drop rule. You can do this either by temporarily removing the drop rule:

    sudo iptables -D INPUT -j DROP
    sudo iptables -A INPUT new_rule_here
    sudo iptables -A INPUT -j DROP

Or, you can insert rules that you need at the end of the chain (but prior to the drop) by specifying the line number. To insert a rule at line number 4, you could type:

    sudo iptables -I INPUT 4 new_rule_here

If you are having trouble knowing which line number each rule is, you can tell iptables to number the rules by typing:

    sudo iptables -L --line-numbers
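The complete INPUT chain from the steps above (loopback, established/related, SSH, HTTP, then the catch-all DROP with the default policy left at ACCEPT), assembled as one script. This is an added example, not code from the original slides; the DRY_RUN switch, the SSH_PORT/WEB_PORT variables and the helper function names are assumptions made here, and the order check guards against the lockout the text warns about.

```shell
#!/bin/sh
# Added example, not from the original slides: builds the INPUT chain in the
# order the slides describe and checks that order before applying anything.
# Assumptions (mine, not the slides'): SSH_PORT/WEB_PORT are overridable, and
# DRY_RUN=1 (the default) prints the commands instead of running them via sudo.

SSH_PORT="${SSH_PORT:-22}"
WEB_PORT="${WEB_PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"

# Emit the rules, one per line, in the order they must be issued. Loopback is
# inserted at position 1 and ESTABLISHED,RELATED comes next so the current SSH
# session is never cut; the catch-all DROP stays last and the default policy is
# left at ACCEPT, so a flushed chain fails open rather than locking the admin out.
firewall_rules() {
    printf '%s\n' \
        "iptables -I INPUT 1 -i lo -j ACCEPT" \
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport ${WEB_PORT} -j ACCEPT" \
        "iptables -A INPUT -j DROP"
}

# Order check: the SSH ACCEPT must precede the catch-all DROP, otherwise the
# first packet of every new SSH session is dropped. Returns 0 when the order is safe.
rules_are_safe() {
    ssh_line=$(firewall_rules | grep -n -- "--dport ${SSH_PORT} " | cut -d: -f1)
    drop_line=$(firewall_rules | grep -n -- '-j DROP$' | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Apply the rules, or print them when DRY_RUN=1. Refuses an unsafe order.
apply_rules() {
    rules_are_safe || { echo "refusing: SSH rule is not before the DROP rule" >&2; return 1; }
    firewall_rules | while IFS= read -r rule; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "sudo $rule"
        else
            sudo $rule   # word-splitting is intended: the rule is a flat argv
        fi
    done
}

apply_rules
```

Run it as-is to review the exact commands; run it with DRY_RUN=0 (and an open second SSH session, as the text advises) to apply them.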
  • 8. Saving your iptables Configuration

By default, the rules that you add to iptables are ephemeral. This means that when you restart your server, your iptables rules will be gone. This is actually a feature for some users because it gives them an avenue to get back in if they have accidentally locked themselves out of the server. However, most users will want a way to automatically save the rules they have created and to load them when the server starts.

There are a few ways to do this, but the easiest way is with the iptables-persistent package. You can download this from Ubuntu's default repositories:

    sudo apt-get update
    sudo apt-get install iptables-persistent

During the installation, you will be asked if you would like to save your current rules to be automatically loaded. If you are happy with your current configuration (and you have tested your ability to create independent SSH connections), you can select to save your current rules. Once the installation is complete, you will have a new service called iptables-persistent that is configured to run at boot. This service will load in your rules and apply them when the server is started.
  • 13. Firewall

[Screenshots: "Before applying firewall" and "After applying firewall"]
  • 14. Conclusion

Thus, by using these Linux commands we are able to create our own firewall as per our needs. There are many other firewall utilities and some that may be easier, but iptables is a good learning tool, if only because it exposes some of the underlying netfilter structure and because it is present in so many systems.

Reference

1. https://help.ubuntu.com/lts/serverguide/firewall.html
2. https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server