
Mar 14, 2008

Firewall Ubuntu


Okay, let's start with the first configuration.

1. Get ready: a cup of coffee and a pack of cigarettes (for those who smoke, of course).
Install iptables on your Ubuntu server.
The command:
apt-get install iptables
Once that is done we can move on to the second step.
2. Configure the /bin/sh firewall script
Here I write a #!/bin/sh script that will control iptables (turn the firewall on and off). First of all,

cd /sbin

nano firewall <== the name of the script file I created; put this script in it:


#!/bin/sh
# /sbin/firewall: save, load, stop and restart the iptables ruleset.

IPTABLES_SAVE="/etc/default/iptables-rules"   # file the ruleset is saved to and loaded from
SAVE_RESTORE_OPTIONS="-c"                     # also save/restore the per-rule packet and byte counters
SAVE_ON_STOP="yes"                            # write the live ruleset to disk before flushing it

checkrules() {
    if [ ! -f "${IPTABLES_SAVE}" ]; then
        echo "Cannot start iptables: no saved ruleset. Build your rules, then create it with:"
        echo "    firewall save"
        return 1
    fi
}

save() {
    echo "Saving iptables state"
    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE}"
}

start() {
    checkrules || return 1
    echo "Loading and starting firewall"
    echo -n "Firewall Start Protect Your Server"
    /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE}"
}

case "$1" in
    save)
        save
        echo "."
        ;;
    start)
        start
        echo "."
        ;;
    stop)
        if [ "${SAVE_ON_STOP}" = "yes" ]; then
            save || exit 1
        fi
        echo -n "Warning: firewall stopped"
        # Flush every rule and user-defined chain in each loaded table and reset
        # the built-in chains to ACCEPT. After this the host is not filtered at all.
        for a in `cat /proc/net/ip_tables_names`; do
            /sbin/iptables -F -t $a
            /sbin/iptables -X -t $a

            # /bin/sh on Ubuntu is dash: use a single '=' in tests, not '=='.
            if [ "$a" = nat ]; then
                /sbin/iptables -t nat -P PREROUTING ACCEPT
                /sbin/iptables -t nat -P POSTROUTING ACCEPT
                /sbin/iptables -t nat -P OUTPUT ACCEPT
            elif [ "$a" = mangle ]; then
                /sbin/iptables -t mangle -P PREROUTING ACCEPT
                /sbin/iptables -t mangle -P INPUT ACCEPT
                /sbin/iptables -t mangle -P FORWARD ACCEPT
                /sbin/iptables -t mangle -P OUTPUT ACCEPT
                /sbin/iptables -t mangle -P POSTROUTING ACCEPT
            elif [ "$a" = filter ]; then
                /sbin/iptables -t filter -P INPUT ACCEPT
                /sbin/iptables -t filter -P FORWARD ACCEPT
                /sbin/iptables -t filter -P OUTPUT ACCEPT
            fi
        done
        echo "."
        ;;

    restart)
        # Flush the rules but keep the current policies, then reload from the saved file.
        echo -n "Flushing firewall"
        for a in `cat /proc/net/ip_tables_names`; do
            /sbin/iptables -F -t $a
            /sbin/iptables -X -t $a
        done
        start
        echo "."
        ;;
    *)
        echo "Usage: firewall {start|stop|restart|save}" >&2
        exit 1
        ;;
esac

exit 0

Note the line IPTABLES_SAVE="/etc/default/iptables-rules": that is the file the script saves the iptables rules we create later to, and loads them from again. Save the file and make it executable with chmod 755 /sbin/firewall, otherwise firewall start will not run. Also be aware that firewall stop flushes every table and resets all policies to ACCEPT, so a stopped firewall means a completely unfiltered server.
Step two is done; now on to the last session.

iptables ruleset
a. How to create our iptables rules
You can use commands such as: sudo iptables -A INPUT ...
After entering the iptables rules, don't forget to run: firewall save (this writes the running ruleset to the file).

b. The second way is to edit the iptables-rules file in the /etc/default/ directory.
Example iptables rules; type: nano /etc/default/

# Generated by iptables-save v1.3.3 on Fri Jul 6 15:33:21 2007
*mangle
:PREROUTING ACCEPT [774:59782]
:INPUT ACCEPT [774:59782]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [477:81340]
:POSTROUTING ACCEPT [477:81340]
COMMIT
# Completed on Fri Jul 6 15:33:21 2007
# Generated by iptables-save v1.3.3 on Fri Jul 6 15:33:21 2007
*filter
:INPUT ACCEPT [596:44876]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [477:81340]
[178:14906] -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A INPUT -p udp -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 465 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jul 6 15:33:21 2007
# Generated by iptables-save v1.3.3 on Fri Jul 6 15:33:21 2007
*nat
:PREROUTING ACCEPT [184:15226]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Jul 6 15:33:21 2007

There we can edit and add whatever rules we want. Note what this example ruleset actually does: with INPUT policy ACCEPT it is a blocklist, so every port that is not listed stays reachable, and the -p udp -j DROP rule, with no ESTABLISHED,RELATED rule in front of it, also drops the DNS replies to the server's own lookups. Final move:
firewall start
Loading and starting firewall
Firewall Start Protect Your Server


All done. To check which rules are active, just type (add -n -v to see counters and interfaces and to skip the name lookups that show port 80 as www below):
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request
DROP udp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
REJECT tcp -- anywhere anywhere tcp dpt:pop3 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:ssmtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:imaps reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:pop3s reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:imap2 reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:www
REJECT tcp -- anywhere anywhere tcp dpt:mysql reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:webcache reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
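The listing above shows what the rules match, but not what the chain policy lets through when nothing matches. The following is an added example, not code from the original post: a small POSIX shell audit that reads an iptables-save dump like the one above (a constructed copy of it is embedded), flags the ACCEPT policies, the missing ESTABLISHED,RELATED rule and the blanket UDP DROP, lists the ports explicitly opened, and prints a default-deny ruleset that exposes the same services. Opening port 22 in the hardened version is an assumption (the post never mentions SSH), as is using -m state rather than the newer -m conntrack.

```sh
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump and
# emit a default-deny equivalent. Nothing here touches the kernel ruleset.

# Constructed sample modelled on the post's /etc/default/iptables-rules.
WEAK_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# filter_table DUMP: only the *filter section. mangle and nat also have an INPUT
# chain, so policy checks must not grep the whole file.
filter_table() {
    printf '%s\n' "$1" | awk '/^\*filter$/ {f=1; next} /^COMMIT$/ {f=0} f'
}

# open_ports DUMP: ports explicitly ACCEPTed in INPUT, sorted and de-duplicated.
open_ports() {
    filter_table "$1" |
        awk '/^-A INPUT / && / -j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' |
        sort -n -u | xargs
}

# audit_ruleset DUMP: one finding per line; the return code is the finding count.
audit_ruleset() {
    filt=$(filter_table "$1")
    findings=0
    # An ACCEPT policy turns the rule list into a blocklist: every port that
    # is not listed (SSH, a service moved to another port, anything new) is reachable.
    for chain in INPUT FORWARD; do
        if printf '%s\n' "$filt" | grep -q "^:$chain ACCEPT"; then
            echo "filter/$chain policy is ACCEPT: unlisted ports are open"
            findings=$((findings + 1))
        fi
    done
    # Without a state rule, replies to the host's own outbound traffic only
    # get in because the policy is open, so blanket DROPs hit them as well.
    if ! printf '%s\n' "$filt" | grep -Eq -- '-m (state|conntrack) .*(ESTABLISHED|RELATED)'; then
        echo "no ESTABLISHED,RELATED rule in INPUT"
        findings=$((findings + 1))
        if printf '%s\n' "$filt" | grep -q -- '^-A INPUT -p udp -j DROP$'; then
            echo "blanket UDP DROP with no state rule: DNS replies to this host are dropped"
            findings=$((findings + 1))
        fi
    fi
    return $findings
}

# hardened_ruleset: default-deny, same services as the post (21, 53, 80).
# Assumptions: the host is managed over SSH (22); FTP data connections rely on
# the ip_conntrack_ftp / nf_conntrack_ftp helper being loaded.
hardened_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

echo "== post's ruleset: ports explicitly open: $(open_ports "$WEAK_RULES")"
audit_ruleset "$WEAK_RULES" || echo "$? finding(s)"
echo "== hardened ruleset: ports explicitly open: $(open_ports "$(hardened_ruleset)")"
audit_ruleset "$(hardened_ruleset)" && echo "0 findings"
```

Run it as an ordinary user; it never calls iptables. To use the hardened ruleset, write its output to /etc/default/iptables-rules and run firewall start from a console, or schedule a firewall stop a few minutes later as a safety net: with a DROP policy, a typo locks you out instead of leaving a port open.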


That's all folks!
Best regards
to LetJen and the SecurityOnline Community
