Systems - Media Server - Secure the Server - Setup a Firewall
Create a firewall-reset script
- /sharewiz/firewall/firewall-reset.sh
#!/bin/bash
#
# Resets all firewall rules
echo "Stopping firewall and allowing everyone..."
#
# Modify the following settings as required:
#
IPTABLES=/sbin/iptables
#
# Reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# Reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# Reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# Flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# Erase all chains that are not default in filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
NOTE: This resets all firewall rules. After it runs, every chain in the filter, nat and mangle tables has an ACCEPT policy and contains no rules, so the host is completely open until the firewall script is run again. The policies are set to ACCEPT before the chains are flushed so that the reset itself cannot lock you out. The script only touches IPv4 (iptables); any ip6tables rules are left in place.
Create a systemd service unit file for the firewall
Create a file named /etc/systemd/system/sharewiz-firewall.service:
- /etc/systemd/system/sharewiz-firewall.service
[Unit]
Description=Runs the firewall.

[Service]
ExecStart=/sharewiz/firewall/firewall.sh
ExecStop=/sharewiz/firewall/firewall-reset.sh
Type=oneshot
RemainAfterExit=yes

[Install]
#WantedBy=multi-user.target
WantedBy=default.target
NOTE: Ensure that both scripts are executable (for example via chmod +x), otherwise the unit fails to start.
- ExecStart - the script that is run when the service starts. With Type=oneshot and RemainAfterExit=yes the unit is considered active after firewall.sh has exited, so systemctl status reports it correctly even though no process stays running.
- ExecStop - the script that is run when the service stops. Because this is the reset script, systemctl stop sharewiz-firewall.service opens the firewall completely; stop the unit only when you intend that.
NOTE: The unit declares no ordering against the network. For a firewall unit, systemd recommends adding Before=network-pre.target and Wants=network-pre.target to the [Unit] section so that the rules are loaded before network interfaces come up; without them there is a short window at boot in which the interfaces are up and the policy is still the default ACCEPT.
Reload and enable the sharewiz-firewall.service unit
sudo chmod 644 /etc/systemd/system/sharewiz-firewall.service
sudo systemctl daemon-reload
sudo systemctl enable sharewiz-firewall.service
NOTE: The systemctl daemon-reload command reloads all unit files, including the new unit file created for the firewall. Enabling the unit only makes it start at the next boot; to load the rules now, start it with systemctl start sharewiz-firewall.service (or reboot).
Check firewall status
sudo iptables -L INPUT -n
returns:
Chain INPUT (policy DROP)
target     prot opt source               destination
... lots of rules...
NOTE: The policy should read DROP and the chain should contain the rules loaded by firewall.sh. If the policy shows ACCEPT and the chain is empty, the firewall is not loaded (the unit failed to start, or the reset script has run).
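Reading the listing by eye works once, but a check that can be run after a reboot or from a cron job catches the failure mode that matters: the unit did not start and the INPUT policy is still ACCEPT. The script below is an added example and not part of the wiki page or the sharewiz scripts. It assumes the unit name sharewiz-firewall.service used above and the format of iptables -L INPUT -n output; the two sample listings embedded in it are constructed, not captured from a real host, so the parsing can be exercised without root. The live check (--live) needs root for iptables.

```shell
#!/bin/bash
# firewall-check.sh - confirm the firewall is really loaded.
# Added example; not part of the wiki page or the sharewiz scripts.
# Assumes the unit name sharewiz-firewall.service and the output
# format of `iptables -L <chain> -n`.

# Print the default policy of CHAIN from an `iptables -L CHAIN -n`
# listing read on stdin (e.g. "DROP").
chain_policy() {
    local chain="$1"
    sed -n "s/^Chain ${chain} (policy \([A-Z]*\)).*/\1/p"
}

# Count rule lines in an `iptables -L CHAIN -n` listing read on stdin,
# skipping the "Chain ..." and "target prot opt ..." header lines.
rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# assess_listing CHAIN MIN_RULES   (listing on stdin)
# Returns 0 when the policy is DROP and at least MIN_RULES rules exist.
assess_listing() {
    local chain="$1" min="$2" listing policy count
    listing="$(cat)"
    policy="$(printf '%s\n' "$listing" | chain_policy "$chain")"
    count="$(printf '%s\n' "$listing" | rule_count)"
    if [ "$policy" != "DROP" ]; then
        echo "FAIL: $chain policy is '${policy:-unknown}', expected DROP"
        return 1
    fi
    if [ "$count" -lt "$min" ]; then
        echo "FAIL: $chain has $count rules, expected at least $min"
        return 1
    fi
    echo "OK: $chain policy DROP with $count rules"
}

# Constructed sample listings (not captured from a real host) so the
# checks can be exercised without root or iptables installed.
SAMPLE_LOADED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

SAMPLE_RESET='Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# Live check: the unit is active and the INPUT chain is locked down.
# Requires root because iptables reads the kernel tables.
check_live() {
    systemctl is-active --quiet sharewiz-firewall.service \
        || { echo "FAIL: sharewiz-firewall.service is not active"; return 1; }
    iptables -L INPUT -n | assess_listing INPUT 1
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Offline demonstration: a loaded firewall passes, a reset one fails.
    printf '%s\n' "$SAMPLE_LOADED" | assess_listing INPUT 3
    printf '%s\n' "$SAMPLE_RESET" | assess_listing INPUT 1 || true
fi
```

Run it without arguments to see both outcomes on the sample data, or as root with --live to test the host. The minimum rule count is a plausibility threshold rather than a security property; set it to roughly the number of rules firewall.sh installs so that a partially applied rule set is also reported.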
systems/media_server/secure_the_server/setup_a_firewall.txt · Last modified: 2025/05/31 11:34 by peter