Persistent firewall using iptables

scole of TSBT
Boinc Major General
Posts: 5980
Joined: Mon Feb 03, 2014 2:38 pm
Location: Goldsboro, (Eastern) North Carolina, USA

#1 Persistent firewall using iptables

Post by scole of TSBT »

1. Save the file ip_tables_rules.txt as /home/<username>/iptables_rules.txt
It contains a list of iptables directives to block access to various Boinc projects. They are currently commented out/disabled with the # char.

2. Create a simple script to edit the rules and reload them. I created a script file named set-fw (short for set-firewall), which will load the iptables_rules.txt file in the nano editor. When you exit the editor, it will reload iptables_rules.txt and echo the current rules. Here is the script...
#!/bin/sh
# open the rules file in the editor, then load it and list the active rules
nano /home/<username>/iptables_rules.txt
iptables-restore < /home/<username>/iptables_rules.txt
iptables -L

3. Run the script...
sudo ./set-fw
(you might need to run "sudo chmod 777 set-fw" to set permissions that allow you to execute it)
To block access to a project, remove the # char from the beginning of its line.

4. Exit the editor, saving the file in the process. You should see the current rules displayed, like this...
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 128.95.160.0/24 anywhere

5. In order to make these settings persistent, in case the system reboots, modify the network configuration to load iptables_rules.txt any time the interface is started, such as at a reboot. Add this line to the file /etc/network/interfaces...
pre-up iptables-restore < /home/<username>/iptables_rules.txt

The interfaces file should look something like this...
auto lo
iface lo inet loopback
pre-up iptables-restore < /home/<username>/iptables_rules.txt

All I have to do is either add a line for a new project, or comment out a line if I no longer want it blocked. To comment the line, just put a # at the beginning of the line.

Again, if there's any better way, let me know.
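As an added example (not the poster's set-fw script), here is a variant that toggles a project's line without opening an editor and parse-checks the file with iptables-restore --test before loading it, so a typo in the file never replaces the running rules with nothing. It assumes the rules file is in iptables-restore format with one "-A OUTPUT -d <CIDR> -j DROP" line per project (matching the destination, i.e. outbound traffic to the project), disabled lines carrying a leading #; <username> is the poster's placeholder.

```shell
#!/bin/sh
# Added example, not the original set-fw script. Manages a rules file in
# iptables-restore format where each project is one line such as
#   -A OUTPUT -d 128.95.160.0/24 -j DROP
# and a disabled line is the same text with a leading '#'.
RULES="${RULES:-/home/<username>/iptables_rules.txt}"   # <username>: fill in

# rewrite FILE SED_EXPR: apply a sed expression via a temp copy, so a failed
# edit never leaves a half-written rules file behind.
rewrite() {
    tmp=$(mktemp) || return 1
    sed "$2" "$1" > "$tmp" && mv "$tmp" "$1" || { rm -f "$tmp"; return 1; }
}

# enable_block FILE CIDR: strip the leading '#' from the DROP line for CIDR.
# Fails (exit 1) if no line for that CIDR exists, so a mistyped range is caught.
enable_block() {
    grep -q -- "-d $2 " "$1" || return 1
    rewrite "$1" "s|^#\(-A OUTPUT -d $2 .*-j DROP\)$|\1|"
}

# disable_block FILE CIDR: comment out the active DROP line for CIDR.
disable_block() {
    grep -q -- "^-A OUTPUT -d $2 " "$1" || return 1
    rewrite "$1" "s|^\(-A OUTPUT -d $2 .*-j DROP\)$|#\1|"
}

# active_blocks FILE: print the CIDRs whose DROP rule is currently enabled.
active_blocks() {
    sed -n 's/^-A OUTPUT -d \([^ ]*\) .*-j DROP$/\1/p' "$1"
}

# apply_rules FILE: --test only parses the file and loads nothing; the real
# restore runs only if that succeeds, then the OUTPUT chain is listed.
apply_rules() {
    iptables-restore --test < "$1" && iptables-restore < "$1" && iptables -L OUTPUT -n
}

# Command-line use (as root): set-fw enable CIDR | disable CIDR | list | apply
case "${1:-}" in
    enable)  enable_block "$RULES" "$2" && apply_rules "$RULES" ;;
    disable) disable_block "$RULES" "$2" && apply_rules "$RULES" ;;
    list)    active_blocks "$RULES" ;;
    apply)   apply_rules "$RULES" ;;
esac
```

The same file still loads from /etc/network/interfaces with the pre-up line above; only the editing step changes.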
