Now that we've got that sorted out, let's start with some safety measures. Since we're about to do funny stuff with iptables and there's no console on the B3, we want to be able to revert in case we lock ourselves out. The problem with the standard firewall script on the B3 is that at shutdown it saves whatever we did wrong and re-enables it on the next boot. That's not what we want, so let's alter the bubba-firewall script first. Take whatever editor you favor (that would be nano for everyone under 60 years old) and open /etc/init.d/bubba-firewall. Find the iptables-save line and comment it out by placing a hash sign (#) in front of it, as shown below:
Code:
    stop|restart|force-reload)
        log_action_begin_msg "Saving firewall"
        # iptables-save > /etc/network/firewall.conf
        log_action_end_msg $?
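Commenting out the save only stops the B3 from persisting a bad rule set across a reboot; for the live edit itself the usual safety net on a headless box is a timed revert that you cancel once a fresh login works. The script below is an added example, not from the original post and not part of Excito's bubba-firewall script. It assumes iptables-save and iptables-restore are installed; the backup, pidfile and log paths and the 300 second delay are placeholder defaults, overridable through the environment.

```shell
#!/bin/sh
# Added example, not from the original post or the bubba-firewall script:
# a dead-man switch for firewall edits on a box with no console.
#   sh fw-revert.sh arm     - snapshot the current rules, start the timer
#   sh fw-revert.sh disarm  - cancel the timer once a NEW ssh login works
#   sh fw-revert.sh status  - is a revert still pending?
# If you never disarm it, the snapshot is reloaded after FW_DELAY seconds.
# All paths and the delay are assumed defaults; override them via environment.
FW_BACKUP="${FW_BACKUP:-/root/firewall.known-good}"   # assumed path
FW_PIDFILE="${FW_PIDFILE:-/var/run/fw-revert.pid}"    # assumed path
FW_LOG="${FW_LOG:-/var/log/fw-revert.log}"            # assumed path
FW_DELAY="${FW_DELAY:-300}"                            # seconds until revert
FW_RESTORE="${FW_RESTORE:-iptables-restore}"           # swap for a dry run

# Snapshot the rule set you know still lets you in.
fw_snapshot() {
    iptables-save > "$FW_BACKUP"
}

# Start the countdown in a detached subshell and record its pid.
fw_arm() {
    ( sleep "$FW_DELAY" && "$FW_RESTORE" < "$FW_BACKUP" && rm -f "$FW_PIDFILE" ) \
        >> "$FW_LOG" 2>&1 &
    echo "$!" > "$FW_PIDFILE"
}

# True (exit 0) while the countdown subshell is still alive.
fw_pending() {
    [ -f "$FW_PIDFILE" ] && kill -0 "$(cat "$FW_PIDFILE")" 2>/dev/null
}

# Kill the countdown. Fails (exit 1) if nothing was pending.
fw_disarm() {
    fw_pending || return 1
    kill "$(cat "$FW_PIDFILE")" 2>/dev/null
    rm -f "$FW_PIDFILE"
}

case "${1:-}" in
    arm)    fw_snapshot && fw_arm && echo "revert armed, ${FW_DELAY}s" ;;
    disarm) fw_disarm && echo "revert cancelled" ;;
    status) fw_pending && echo "revert pending" || echo "nothing pending" ;;
esac
```

Run "arm" before you touch the rules, make your change, then open a second SSH session to confirm you can still get in and only then run "disarm". If the second session never connects, the snapshot comes back on its own when the timer expires, and the commented-out save above means a reboot also gets you back to the last good set.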
Code:
apt-get install shorewall
You'll find six files of interest here:
Zones:
Code:
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
Interfaces:
Code:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
Code:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     br0         detect      routeback
Policy:
Code:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
Code:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       $FW    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
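The one line that differs between the two policy files above is "loc $FW ACCEPT". Without it, traffic from the LAN to the B3 itself falls through to the catch-all "all all REJECT" unless the rules file allows it explicitly, which is exactly the lockout we set out to avoid. The script below is an added example, not from the post and not a Shorewall tool; it checks a policy file for both invariants (catch-all REJECT last, and a loc-to-$FW ACCEPT present) so you can run it before a Shorewall restart. The two sample files it writes are constructed copies of the policy versions shown above.

```shell
#!/bin/sh
# Added example (not from the original post, not part of Shorewall):
# sanity-check /etc/shorewall/policy before restarting on a console-less box.
#   sh check-policy.sh /etc/shorewall/policy
# Exit 0 when both checks pass, 1 otherwise, with the reason on stderr.

# Print active policy lines reduced to SOURCE DEST POLICY
# (comments, headers and blank lines dropped, log level/limit ignored).
policy_lines() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 3 { print $1, $2, $3 }'
}

# Check 1: the last active policy must be the catch-all "all all REJECT".
catchall_is_last() {
    [ "$(policy_lines "$1" | tail -n 1)" = "all all REJECT" ]
}

# Check 2: an explicit "loc $FW ACCEPT" must exist, otherwise LAN access
# to the firewall host itself falls through to the catch-all.
lan_can_reach_fw() {
    policy_lines "$1" | grep -q '^loc \$FW ACCEPT$'
}

check_policy() {
    rc=0
    catchall_is_last "$1" || {
        echo "$1: catch-all 'all all REJECT' is not the last policy" >&2; rc=1; }
    lan_can_reach_fw "$1" || {
        echo "$1: no 'loc \$FW ACCEPT' policy; LAN may be locked out of the firewall host" >&2; rc=1; }
    return $rc
}

# Constructed sample: first policy version from the post (no loc -> $FW line).
write_sample_without_fw() {
    cat > "$1" <<'EOF'
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
EOF
}

# Constructed sample: second policy version from the post (with loc -> $FW).
write_sample_with_fw() {
    cat > "$1" <<'EOF'
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc $FW ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
EOF
}

# With a path argument, check that file; with none, do nothing (library use).
if [ -n "${1:-}" ]; then
    check_policy "$1" && echo "$1: ok"
fi
```

The check is deliberately narrow: it reads only the first three columns, so log levels and limits never confuse it, and it treats anything after "#" as a comment the way Shorewall does. It says nothing about the rules file, so a passing result means "the policy layer won't lock you out", not "every service is reachable".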
Code:
-A INPUT -i br0 -j ACCEPT