Differences

This shows you the differences between two versions of the page.

--- systems:media_server:secure_the_server:setup_a_firewall [2025/05/31 09:59] – peter
+++ systems:media_server:secure_the_server:setup_a_firewall [2025/05/31 11:34] (current) – peter
@@ Line 1: / Line 1: @@
 ====== Systems - Media Server - Secure the Server - Setup a Firewall ======
-====== Create a systemd service for the firewall ======
+====== Create a firewall-reset script ======
-Create a new systemd unit file, named **/etc/systemd/system/sharewiz-firewall.service**:
+<file bash /sharewiz/firewall/firewall-reset.sh>
+#!/bin/bash
+#
+# Resets all firewall rules
+echo "Stopping firewall and allowing everyone..."
+#
+# Modify the following settings as required:
+#
+IPTABLES=/sbin/iptables
+#
+# Reset the default policies in the filter table.
+#
+$IPTABLES -P INPUT ACCEPT
+$IPTABLES -P FORWARD ACCEPT
+$IPTABLES -P OUTPUT ACCEPT
+#
+# Reset the default policies in the nat table.
+#
+$IPTABLES -t nat -P PREROUTING ACCEPT
+$IPTABLES -t nat -P POSTROUTING ACCEPT
+$IPTABLES -t nat -P OUTPUT ACCEPT
+#
+# Reset the default policies in the mangle table.
+#
+$IPTABLES -t mangle -P PREROUTING ACCEPT
+$IPTABLES -t mangle -P POSTROUTING ACCEPT
+$IPTABLES -t mangle -P INPUT ACCEPT
+$IPTABLES -t mangle -P OUTPUT ACCEPT
+$IPTABLES -t mangle -P FORWARD ACCEPT
+#
+# Flush all the rules in the filter, nat and mangle tables.
+#
+$IPTABLES -F
+$IPTABLES -t nat -F
+$IPTABLES -t mangle -F
+#
+# Erase all chains that are not default in filter, nat and mangle tables.
+#
+$IPTABLES -X
+$IPTABLES -t nat -X
+$IPTABLES -t mangle -X
+</file>
+<WRAP info>
+**NOTE:** This resets all firewall rules.
+</WRAP>
+----
+====== Create a firewall-reset script ======
+<file bash /sharewiz/firewall/firewall.sh>
+</file>
+----
+===== Create a systemd service unit file for the firewall =====
+Create a file named **/etc/systemd/system/sharewiz-firewall.service**:
 <file bash /etc/systemd/system/sharewiz-firewall.service>
+[Unit]
+Description=Runs the firewall.
+[Service]
 [Unit]
 Description=Runs the firewall.
@@ Line 11: / Line 87: @@
 [Service]
 ExecStart=/sharewiz/firewall/firewall.sh
+ExecStop=/sharewiz/firewall/firewall-reset.sh
 Type=oneshot
 RemainAfterExit=yes
@@ Line 21: / Line 98: @@
 <WRAP info>
 **NOTE:**  Ensure that the script that is going to be run is executable.
+  * **ExecStart** - this is the script that is run when the service starts.
+  * **ExecStop** - this is the script that is run when the service stops.
 </WRAP>
 ----
-====== Reload and enable the firewall.service unit ======
+===== Reload and enable the firewall.service unit =====
 <code bash>
@@ Line 36: / Line 116: @@
 **NOTE:**  The **systemctl daemon-reload** command reloads all unit files, including the new unit file created for the firewall.
 </WRAP>
+----
+===== Check firewall status =====
+<code bash>
+sudo iptables -L INPUT -n
+</code>
+returns:
+<code>
+Chain INPUT (policy DROP)
+target     prot opt source               destination
+...
+lots of rules...
+</code>
+<WRAP info>
+**NOTE:**  This should display a lot of rules.
+</WRAP>
 ----