Iptables: How-to Share your internet connection — page 4


4. Using the iptables script

4.1. From the command line

One way to apply the rules we defined is simply to run the script from the command line:

sudo sh /path/to/firewall-script.sh

but this has the drawback that the rules are not restored on reboot :s. Still, this is of great help while you are tweaking your firewall.

4.2. Using /etc/rc.local

/etc/rc.local is a custom file where you can add commands to be executed at the end of each multi-user runlevel.

By default, this file only contains exit 0.

In order to have your iptables firewall script executed on reboot, simply add the path to your firewall script before exit 0.

Copy your firewall script file to /etc/firewall-script.sh for instance. Then make it executable:

sudo chmod 700 /etc/firewall-script.sh

Then edit /etc/rc.local and add /etc/firewall-script.sh on its own line before exit 0.

Next time you reboot, this script will be executed and your firewall set-up restored.

4.3. Using /etc/network/if-up.d/ directory

This one is a bit more tricky.

Once you are done setting up your firewall script, save the running rules in iptables-save format by running:

sudo sh /path/to/firewall-script.sh
sudo sh -c 'iptables-save > /etc/firewall-iptables.conf'

(the redirection has to happen inside the sudo shell: with a plain sudo iptables-save > /etc/firewall-iptables.conf, the file in /etc is opened by your unprivileged shell and the command fails.)

Now, create or edit /etc/network/if-up.d/iptables and make it look like:

#!/bin/sh
iptables-restore < /etc/firewall-iptables.conf

Then make it executable:

sudo chmod +x /etc/network/if-up.d/iptables

Finally, we need a way to set /proc/sys/net/ipv4/ip_forward to 1, which is what lets the kernel route packets between your interfaces. This can be achieved through /etc/sysctl.conf.

Simply add the following entry if not already there:

net.ipv4.ip_forward=1

which will set /proc/sys/net/ipv4/ip_forward to 1 next time you reboot.

We could also have used /etc/firewall-script.sh here instead of the iptables-restore trick, but this way you get to see another way of doing it.

Reboot, your firewall should be up again :smile:
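As an added example (not the article's own hook), here is a more defensive version of the /etc/network/if-up.d/iptables script above. It uses the IFACE and MODE variables that ifupdown exports to its hooks, refuses a missing or empty save file (the usual result of a redirect that ran unprivileged), parses the ruleset with iptables-restore --test before committing it, and turns on ip_forward itself. The path /etc/firewall-iptables.conf is the one from the article; the FIREWALL_CONF override is an assumption of this example.

```shell
#!/bin/sh
# Hardened if-up.d hook: restore the saved ruleset once, only when a real
# interface comes up, and only if the save file looks usable. Run by ifupdown
# as root; does nothing when called outside that environment.
set -eu

CONF="${FIREWALL_CONF:-/etc/firewall-iptables.conf}"   # assumed override

# ifupdown runs every hook for every interface and for both "start" and
# "stop"; only act on MODE=start and never for the loopback interface.
should_restore() {   # $1 = IFACE, $2 = MODE
    [ "$2" = start ] && [ "$1" != lo ]
}

# Reject an unusable save file before touching the live rules: a 0-byte file,
# a file with no table header, or one cut off before its COMMIT line.
conf_is_sane() {     # $1 = path to an iptables-save dump
    [ -s "$1" ] || return 1
    grep -q '^\*' "$1" || return 1       # at least one "*table" header
    grep -q '^COMMIT$' "$1"              # and a COMMIT that applies it
}

main() {
    should_restore "${IFACE:-}" "${MODE:-}" || return 0
    if ! conf_is_sane "$CONF"; then
        logger -t firewall "$CONF missing, empty or truncated; not restoring"
        return 1
    fi
    # --test parses and builds the whole ruleset without committing it, so a
    # syntax error leaves the current rules untouched instead of half-applied.
    iptables-restore --test < "$CONF"
    iptables-restore < "$CONF"
    sysctl -q -w net.ipv4.ip_forward=1
    logger -t firewall "ruleset restored from $CONF on ${IFACE:-?}"
}

main
```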

4.4. Once upon a time

Debian used to have this great /etc/init.d/iptables init script which allowed you to restore iptables settings on boot up, stop your firewall …

This script is now gone… so we have to do it ourselves now :frowning:

4.5. Rescue script

A handy script to have around is one that erases all chains and rules in case you get lost in your firewall breakages. The following script clears all rules and resets every built-in chain to ACCEPT, so your firewall becomes inactive (every packet is let through). I suggest you copy it and keep it somewhere close to hand in case of emergency.

#!/bin/bash
# Rescue script: flush every rule, delete every user-defined chain and set the
# built-in chains of each loaded table back to ACCEPT. Must be run as root.
IPT='/sbin/iptables'

# /proc/net/ip_tables_names lists the tables currently loaded (filter, nat, mangle, ...)
for table in $(cat /proc/net/ip_tables_names); do
    "${IPT}" -t "${table}" -F   # flush all rules in this table
    "${IPT}" -t "${table}" -X   # delete all user-defined chains in this table

    # Reset the default policy of every built-in chain to ACCEPT
    if [ "${table}" = nat ]; then
        "${IPT}" -t nat -P PREROUTING ACCEPT
        "${IPT}" -t nat -P POSTROUTING ACCEPT
        "${IPT}" -t nat -P OUTPUT ACCEPT
    elif [ "${table}" = mangle ]; then
        "${IPT}" -t mangle -P PREROUTING ACCEPT
        "${IPT}" -t mangle -P INPUT ACCEPT
        "${IPT}" -t mangle -P FORWARD ACCEPT
        "${IPT}" -t mangle -P OUTPUT ACCEPT
        "${IPT}" -t mangle -P POSTROUTING ACCEPT
    elif [ "${table}" = filter ]; then
        "${IPT}" -t filter -P INPUT ACCEPT
        "${IPT}" -t filter -P FORWARD ACCEPT
        "${IPT}" -t filter -P OUTPUT ACCEPT
    fi
done

5. Conclusion

This tutorial covered iptables in order to set up a Linux firewall that shares your internet connection amongst the computers of your local network.

Now that the iptables basics have been explained, you should be able to improve your script so that you can allow or disallow specific types of traffic.

This is not the most secure set-up though. Best practice would be to set a policy that disallows all traffic by default and then only allow the traffic you believe should be permitted.

Finally, we went through different ways of restoring iptables settings on reboot.

Hope this helps and will give you enough basis to customize your firewall.