Vijai Kumar S
A Space to share my views on World, Science and People

How to keep your firewall rules clean

If you are relatively new to managing your own virtual private server, you should know that the firewall matters and that you need at least the basics of using it to protect your server. If your server runs Ubuntu, ufw is a nifty little wrapper around iptables that makes adding rules for both IPv4 and IPv6 connections much easier. Getting things just right can still be fiddly. In the past the problem was a lack of tutorials; these days there are so many that a new user is only confused by them. If you followed the boatload of tutorials on sites like DigitalOcean, Linode or Vultr and are no longer sure what is actually easy and safe for you to maintain, this post is for you.

If you started with raw iptables and then decided it is not worth your time to hunt online for the syntax of every single rule, ufw is your best bet given its simplicity. But if you install ufw on a server that already has iptables rules, your firewall will not be clean: the old rules stay loaded (and, with iptables-persistent, are restored from /etc/iptables/rules.v4 and rules.v6 on every boot), they sit alongside the chains ufw adds, and they can shadow the rules you add through ufw. If you run into this, use the following script to get a clean set of rules; it puts iptables back to what it was on a fresh installation of the operating system. It sets the built-in policies to ACCEPT before flushing, so a DROP policy cannot lock you out of your SSH session the moment the rules vanish; the flip side is that the server is wide open from that moment until you enable ufw, so do the two steps back to back. If you keep iptables-persistent installed, also update /etc/iptables/rules.v4 and rules.v6 (or remove the package), otherwise the old rules come back at the next reboot. You must run the script only with sudo or root privileges.

#!/bin/bash
#######################################################
#                                                     #
#        Script to delete all iptables rules          #
#           @author : vijai@vijaikumar.in             #
#                                                     #
#######################################################

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as sudo or root only!" 1>&2
   exit 1
fi

# Reset one address family; $1 is iptables or ip6tables.
# The built-in policies go to ACCEPT first, so that a DROP policy
# cannot lock us out the moment the rules are flushed.
reset_tables() {
    local cmd="$1" table
    if ! command -v "$cmd" >/dev/null 2>&1; then
        echo "Sorry $cmd doesn't exist!!"
        return
    fi
    echo "$cmd does exist!!"
    "$cmd" --policy INPUT   ACCEPT
    "$cmd" --policy OUTPUT  ACCEPT
    "$cmd" --policy FORWARD ACCEPT
    # Flush every table, not just filter, so nothing from the old
    # setup survives (a fresh install has all of them empty). Not
    # every kernel offers every table for ip6tables, so errors for
    # a missing table are ignored.
    for table in filter nat mangle raw; do
        "$cmd" -t "$table" -Z 2>/dev/null   # zero counters
        "$cmd" -t "$table" -F 2>/dev/null   # flush (delete) rules
        "$cmd" -t "$table" -X 2>/dev/null   # delete all extra chains
    done
    echo "i cleared all the $cmd rules for you :D"
}

reset_tables ip6tables
reset_tables iptables

You can also download the script (ipclean.sh) and run it as follows. Read it before you run it: the short link below is a redirect, and anything fetched through a redirect and executed as root deserves a look first.

wget https://goo.gl/o1x5Wz -O ipclean.sh  
chmod +x ipclean.sh  
sudo ./ipclean.sh  
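To check that nothing from the old setup is left over, and later that only ufw's own chains are loaded, here is an added example that is not part of the original post: it reads an iptables-save dump and prints every chain and rule that did not come from ufw. The two dumps embedded below are constructed samples; on a real server you pass it the output of sudo iptables-save (and sudo ip6tables-save). It assumes ufw's usual naming, where every chain ufw creates starts with ufw (ufw-before-input, ufw6-user-input and so on).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit an iptables-save dump
# and list everything that did not come from ufw. On a live box, pass
# the output of "sudo iptables-save" (or ip6tables-save) as the argument;
# here two constructed dumps are used instead.

# Print one line per foreign object: a user-defined chain whose name does
# not start with ufw, or a rule that neither lives in a ufw chain nor jumps
# into one (ufw's own hooks look like "-A INPUT -j ufw-before-input").
# Prints nothing when the dump holds only ufw's chains and rules.
audit_dump() {
    local dump="$1"
    printf '%s\n' "$dump" | while IFS= read -r line; do
        case "$line" in
            '*'*)                          # table header, e.g. "*filter"
                table="${line#\*}" ;;
            ':'*)                          # chain declaration, e.g. ":LOGDROP - [0:0]"
                name="${line#:}"; name="${name%% *}"
                case "$name" in
                    INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING|ufw*) ;;
                    *) echo "foreign chain in ${table:-?}: $name" ;;
                esac ;;
            '-A '*)                        # a rule appended to a chain
                chain="${line#-A }"; chain="${chain%% *}"
                case "$chain" in
                    ufw*) continue ;;      # rule inside one of ufw's chains
                esac
                case "$line" in
                    *' -j ufw'*) continue ;;   # built-in chain hooking into ufw
                esac
                echo "foreign rule in ${table:-?}: $line" ;;
        esac
    done
}

# Exit status 0 when the dump is clean, 1 when anything foreign was reported.
is_clean() {
    [ -z "$(audit_dump "$1")" ]
}

# Constructed sample: a box that had hand-written iptables rules and a
# LOGDROP chain before ufw was installed. Only two ufw chains are shown
# to keep it short; a real dump has many more ufw-* chains.
LEFTOVER_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A INPUT -j ufw-before-input
-A LOGDROP -j LOG --log-prefix "DROP: "
-A LOGDROP -j DROP
-A ufw-before-input -i lo -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: the same box after the clean-up script and ufw enable.
CLEAN_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

echo "== before clean-up: leftover rules =="
audit_dump "$LEFTOVER_DUMP"
echo "== after clean-up =="
audit_dump "$CLEAN_DUMP"
```

Run it before the clean-up to see what will be flushed, and again after sudo ufw enable: if it prints anything, something other than ufw is still shaping your traffic and may shadow the rules you add with ufw.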

Now you have a clean slate of iptables rules and can configure ufw as you wish. Allow SSH first (sudo ufw allow OpenSSH, or whatever port you use) and only then run sudo ufw enable, otherwise the default deny policy cuts off your own session. Another common issue I found online, and which affected other people, was ufw not starting on reboot. ufw ships a script, /lib/ufw/ufw-init, that brings the firewall up; it is what runs behind sudo ufw enable (there is no ufw start command). Enabling ufw normally also marks it to start at boot by writing ENABLED=yes to /etc/ufw/ufw.conf, and on systemd releases you can confirm that with systemctl is-enabled ufw. If your firewall still does not come up after a reboot, the following command appends the start call to /etc/init.d/rc.local as a workaround, in the same spirit as installing iptables-persistent to keep raw iptables rules across reboots. Note that this file is an init script, so the appended line runs whenever the script is invoked; /etc/rc.local, above its final exit 0, is the conventional place for local boot commands.

echo '/lib/ufw/ufw-init start' | sudo tee --append /etc/init.d/rc.local > /dev/null  

After a reboot, sudo ufw status should report Status: active and list the rules you configured. If you get any weird errors, feel free to comment on this post.
