Ever wondered how to set up a firewall using Ubuntu Server edition? No? Then you’ll be pretty bored, so I suggest you stop reading now.
If you answered yes, keep going. For my purposes, I’ve used the webmin firewall section, mostly to avoid learning iptables, or even something like shorewall. This was written using version 9.10, although the process should be quite similar to other versions of Ubuntu.
The exact setup I’m going for here is a device that does NAT, and blocks all incoming connections that aren’t established or related. In another post, I’ll talk a bit about port forwarding, and some things to be aware of there. Both of the machines I’m using have eth1 as the outgoing interface, and eth0 as the internal connection (going to a switch, or a WAP, or another computer with a private network address).
You should already have your external and internal interfaces connected and configured, and the box you are setting up as the ‘router’ should be able to ping google.com, and any internal networked devices/computers.
The first thing that needs to happen, is that we need to enable ipv4 forwarding.
Login on the command line and edit the file /etc/sysctl.conf. Find where it says ‘to enable packet forwarding for IPv4’, and uncomment the line below it. Also enable the one for IPv6 if you need it. Save the file, then run this:
sysctl -p
Now we’re ready to install webmin from here. I usually use wget, dpkg, and then aptitude like so:
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.490_all.deb
aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
dpkg -i webmin_1.490_all.deb
You can then connect to webmin via https://yourserver:10000. Login with root, or an account that can sudo (like the one you created during the Ubuntu setup process).
Navigate to Networking->Linux Firewall
The first time, it will ask you to set the base rules, choose ‘Allow all traffic’ and Activate at Boot, then Setup Firewall. Then Apply Configuration on the next page. Don’t worry, we’ll lock it down a bit shortly.
Where it says Showing IPtable, there should be three options, the first one we are concerned with is Network Address Translation (nat).
We need one rule here, and it belongs under POSTROUTING. It should be set to Masquerade if output interface is eth1 (your external nic).
Apply the Configuration, and you should now be able to ping google.com from a computer behind the Ubuntu router.
If you’re still with me, now we’re going to lock things down a bit. Go back to the Packet filtering IPtable, and create these rules under INPUT:
Accept if input interface is eth0 (your internal nic)
Accept if input interface is lo (local interface)
Accept if input interface is eth1 (external) and state of connection is ESTABLISHED or RELATED
Be absolutely sure you have your internal and external interface straight before this next step. As a safety net, be sure you can either access the console directly, or have an ssh session already established, just in case. Then set Drop as the default action for INPUT, and press Apply Configuration.
If you did it right, you can still ping google.com from anywhere on your network and you’re done. If you did it wrong and can’t access the router anymore, hopefully you have that ssh session still open. Open /etc/iptables.up.rules with nano or vim and change :INPUT DROP [0:0] to :INPUT ACCEPT [0:0] under the *filter section. Then run this: iptables-apply /etc/iptables.up.rules and go back and figure out what you did wrong above. If you would like to continue and do port forwarding, see Forwarding.
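As an added example (not from the original post or from webmin itself), here is what the webmin rules above amount to in the iptables-restore format that /etc/iptables.up.rules uses, generated by a small shell helper that assumes the post's eth1 (external) and eth0 (internal) naming, plus a sanity check for the interface mix-up the post warns about:

```shell
# Builds the /etc/iptables.up.rules content equivalent to the webmin
# rules above: MASQUERADE out the external nic, INPUT default DROP,
# accept the internal nic, loopback, and replies on the external nic.
# FORWARD stays ACCEPT, as the "Allow all traffic" base rules leave it.
# Usage: gen_rules EXTERNAL_IF INTERNAL_IF > /etc/iptables.up.rules
gen_rules() {
    ext="$1"
    int="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $int -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Refuses obviously wrong interface pairs (same nic twice, loopback, empty)
# before a DROP policy can lock you out. Returns 0 when the pair is sane.
check_ifaces() {
    if [ "$1" = "$2" ]; then
        echo "external and internal interface are both '$1'" >&2
        return 1
    fi
    for i in "$1" "$2"; do
        case "$i" in
            lo|"") echo "'$i' is not a usable interface" >&2; return 1 ;;
        esac
    done
    return 0
}

# Typical use on the router (run as root):
#   check_ifaces eth1 eth0 && gen_rules eth1 eth0 > /etc/iptables.up.rules
#   iptables-apply -t 30 /etc/iptables.up.rules
# iptables-apply reverts to the previous ruleset unless you confirm within
# the timeout, which covers the lock-out case described above.
```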