How to keep your firewall rules clean
Suppose you are relatively new to managing your virtual private server. In that case, you should know that a firewall is essential, and it is imperative that you at least understand the basics of using it to protect your server. If your server runs Ubuntu, ufw is a nifty little wrapper around iptables, and it eases the process of adding new rules for both IPv4 and IPv6 connections. But there are a few issues with getting things just right at times. Too many tutorials might confuse a newbie. Let’s say you followed the boatload of tutorials from sites like DigitalOcean, Linode or Vultr and got confused about what is easy and safe for you to maintain; then you will probably need this tutorial.
If you started with iptables and then felt it is not worth your time to search online for every single rule you need to add, ufw would be the best possible bet considering its simplicity. But if you installed ufw after using iptables, your firewall rules might not be clean, since the old rules still exist in iptables-persistent and your new rules won’t take effect. If you run into this issue, use the following script to get a clean set of rules. Once you run it, your iptables rules will be back to what they were on a fresh installation of the operating system. You must only run the script with sudo or root privileges.
#!/bin/bash
#######################################################
#                                                     #
#  Script to delete all iptables rules                #
#  @author : vijai@vijaikumar.in                      #
#                                                     #
#######################################################
# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as sudo or root only!" 1>&2
    exit 1
fi

# Reset the IPv6 filter table: ACCEPT policies on the builtin chains,
# counters zeroed, every rule flushed and every user-defined chain removed.
# After this the host accepts all traffic until a firewall is enabled again.
if which ip6tables >/dev/null; then
    echo "ip6tables does exist!!"
    ip6tables --policy INPUT ACCEPT
    ip6tables --policy OUTPUT ACCEPT
    ip6tables --policy FORWARD ACCEPT
    ip6tables -Z    # zero counters
    ip6tables -F    # flush (delete) rules
    ip6tables -X    # delete all extra chains
    echo "i cleared all the ip6tables rules for you :D"
else
    echo "Sorry ip6tables doesn't exist!!"
fi

# Same reset for the IPv4 filter table.
if which iptables >/dev/null; then
    echo "iptables does exist!!"
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT
    iptables -Z     # zero counters
    iptables -F     # flush (delete) rules
    iptables -X     # delete all extra chains
    echo "i cleared all the iptables rules for you :D"
else
    echo "Sorry iptables doesn't exist!!"
fi
You can download the script from this link (ipclean.sh) and execute it as follows.
wget https://goo.gl/o1x5Wz -O ipclean.sh
chmod +x ipclean.sh
sudo ./ipclean.sh
Now you have a clean slate of iptables rules, and you can start configuring ufw as you wish. Keep in mind that a flushed filter table with ACCEPT policies lets every packet through, so enable ufw right away. Another common issue I found online, which affected other people too, was ufw not autostarting on reboot. This can be fixed easily. ufw ships with a simple script called ufw-init, which sits at /lib/ufw/ufw-init and takes care of starting the firewall when you run sudo ufw start. But this does not persist across reboots, for the same reason you install iptables-persistent to keep your iptables rules persistent. To make sure ufw starts on reboot, execute the following command, and the line will be appended.
echo '/lib/ufw/ufw-init start' | sudo tee --append /etc/init.d/rc.local > /dev/null
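Two checks around the steps above, written for this post as an added example and not taken from the author's ipclean.sh: rules_are_clean reads the one-entry-per-line output of iptables -S (or ip6tables -S) and succeeds only when nothing but ACCEPT policies remain, the state the flush script is meant to leave behind; add_startup_line writes the ufw-init line into an rc.local-style file before a trailing exit 0 (Ubuntu's stock rc.local ends with one, and anything appended after it never runs) and only once. The sample iptables -S text is constructed, and the file path is whichever rc.local your system uses.

```shell
#!/bin/bash
# Added example, not part of the original post or of ipclean.sh.

# rules_are_clean: $1 is the text of `iptables -S` / `ip6tables -S`
# (one entry per line, iptables-save syntax). Succeeds only if the
# filter table holds nothing but ACCEPT policies on the builtin chains.
rules_are_clean() {
    local line
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in
            "-P INPUT ACCEPT"|"-P OUTPUT ACCEPT"|"-P FORWARD ACCEPT") ;;
            *) return 1 ;;   # a DROP policy, an -A rule or an -N chain remains
        esac
    done <<< "$1"
    return 0
}

# add_startup_line: $1 is an rc.local-style file, $2 the command to add.
# A line appended after a trailing "exit 0" never runs, so insert it
# before that line; do nothing if the command is already present.
add_startup_line() {
    local file="$1" cmd="$2"
    if grep -qxF -- "$cmd" "$file" 2>/dev/null; then
        return 0
    fi
    if [ -f "$file" ] && [ "$(tail -n 1 "$file")" = "exit 0" ]; then
        sed -i '$ d' "$file"                      # drop the trailing exit 0 (GNU sed)
        printf '%s\nexit 0\n' "$cmd" >> "$file"   # our line, then exit 0 again
    else
        printf '%s\n' "$cmd" >> "$file"
    fi
}

# Constructed samples: what `iptables -S` prints after the flush script,
# and what it prints while ufw's chains are still installed.
SAMPLE_CLEAN=$'-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT'
SAMPLE_UFW=$'-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n-N ufw-before-input\n-A INPUT -j ufw-before-input'

rules_are_clean "$SAMPLE_CLEAN" && echo "sample 1: clean slate"
rules_are_clean "$SAMPLE_UFW"   || echo "sample 2: rules still present"
```

On a live host, run rules_are_clean "$(sudo iptables -S)" after ipclean.sh, before enabling ufw.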
Now ufw will start on boot without any issues, and you can check that with sudo ufw status after reboot. If you have configured all the rules correctly, you should see the rules without any issues. If you get any weird errors, feel free to comment on this post.