What is FireHOL
FireHOL is a tool that generates iptables rules from its configuration files. Configuration entries are written in an easy-to-learn yet powerful syntax.
How to install?
I assume that you are a Debian 10 user :) If you use another Linux distribution, you will need to adjust this tutorial to its specifics.
To install this must-have tool for every admin, run:
sudo apt-get install firehol
Configure a basic firewall
Let me try to read your mind: what does "basic" mean? For me, a basic firewall is one that blocks all inbound traffic except ping and ssh. The first (ping) lets me check whether a server is alive. The second (ssh) allows remote administration.
With that explained, we can start by editing the FireHOL configuration:
sudo vim /etc/firehol/firehol.conf
It should look like this (you can skip the comments; I placed them only to explain the particular commands):
version 6
# apply to any network interface your server has
interface any world
    # use "drop" as the default action for packets
    policy drop
    # protect against bad, invalid, or fragmented packets
    protection strong
    # allow outgoing traffic on any port
    client all accept
    # allow only ping and ssh (on the default port 22) as inbound traffic
    server "icmp ssh" accept
As you can see no more than 6 lines of configuration are needed to create a basic firewall.
Now bring it to life. Use the try method: it gives you 30 seconds to check that you have not cut yourself off from the server. To be sure you still have access, connect to the server via ssh in a new session.
sudo firehol nofast try
# First press Enter to start the firewall. After you have checked (TWICE) that you can still access the server, type 'commit'
Congratulations! Your firewall has cut you off - just kidding.
Blacklist malicious IPs
Check out IP Lists from FireHOL (iplists.firehol.org). The FireHOL folks are the best: they even provide an aggregated list of malicious IP addresses to cut off. So why not use it to add a little extra security to the server?
Again, start with the configuration:
sudo vim /etc/firehol/firehol.conf
This time the file should look something like this:
version 6
# create an ipset for blacklisted IPs
ipv4 ipset create ipv4-blacklisted-ips hash:ip
# create an ipset for blacklisted networks
ipv4 ipset create ipv4-blacklisted-nets hash:net
# at start-up (e.g. after a reboot) FireHOL populates both ipsets from the file
# "/etc/firehol/firehol_level1.netset": single addresses (ip) and networks (net)
ipv4 ipset addfile ipv4-blacklisted-ips ip firehol_level1.netset
ipv4 ipset addfile ipv4-blacklisted-nets net firehol_level1.netset
# block any traffic from or to the blacklisted IPs and networks ("full" = both directions)
ipv4 blacklist full ipset:ipv4-blacklisted-ips ipset:ipv4-blacklisted-nets
interface any world
    policy drop
    protection strong
    client all accept
    server "icmp ssh" accept
It is time to download the list:
sudo wget -O /etc/firehol/firehol_level1.netset "https://iplists.firehol.org/files/firehol_level1.netset"
And you are ready to give it a try:
# Remember to check that you have not cut yourself off before you commit!
sudo firehol nofast try
And it is done!
You will probably notice that the list mentioned above is updated very often. To stay up to date, you should update your firewall automatically. We will add a cron job to do this.
First of all, create a script that will update the list:
sudo vim /etc/firehol/blacklisted.sh
It should look like this:
#!/bin/bash
# create a temporary file for the download
tmp=$(mktemp) || exit 1
# download the current list into that temporary file
wget -O "$tmp" "https://iplists.firehol.org/files/firehol_level1.netset"
# if the download failed or produced an empty file, report it and remove the temporary file
if [ $? -ne 0 ] || [ ! -s "$tmp" ]
then
    rm -f "$tmp"
    echo >&2 "Cannot download blacklist."
    exit 1
fi
# update both ipsets with the dedicated FireHOL command
/usr/sbin/firehol ipset_update_from_file ipv4-blacklisted-ips ips "$tmp"
/usr/sbin/firehol ipset_update_from_file ipv4-blacklisted-nets nets "$tmp"
# clean up
rm -f "$tmp"
Now make this script executable and check that it works:
# add execution rights for the file owner
sudo chmod u+x /etc/firehol/blacklisted.sh
# execute the script
sudo /etc/firehol/blacklisted.sh
Is it working? Great!
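One failure mode the update script only partly covers is a download that "succeeds" but does not contain a list: a captive portal, an HTTP error page saved by wget, or a truncated file. As an added example (not part of the original tutorial and not FireHOL's own code), here are shell functions that sanity-check a netset file before it is handed to ipset_update_from_file. The function names, the minimum-entry threshold and the two embedded sample files are my own constructions; the netset format (lines starting with "#" are comments, otherwise one IPv4 address or one IPv4 CIDR network per line) is assumed from the file the tutorial downloads.

```shell
#!/bin/sh
# Added example, not from the original tutorial: validate a firehol_level1.netset
# download before it is loaded into the ipsets. Assumed file format: '#' comment
# lines, blank lines, and one IPv4 address or IPv4 CIDR network per line.

IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# Print the single-address entries (what the hash:ip ipset receives).
netset_ips() {
    grep -E "^${IPV4}\$" "$1" || true
}

# Print the network entries in CIDR notation (what the hash:net ipset receives).
netset_nets() {
    grep -E "^${IPV4}/[0-9]{1,2}\$" "$1" || true
}

# Print lines that are neither comments, blank, addresses nor networks.
# Any output here means the download is not a netset (e.g. an HTML error page).
netset_bad_lines() {
    grep -v -E '^(#|$)' "$1" | grep -v -E "^${IPV4}(/[0-9]{1,2})?\$" || true
}

# Count the usable entries (addresses plus networks) in the file.
netset_count() {
    { netset_ips "$1"; netset_nets "$1"; } | wc -l | tr -d ' '
}

# Succeed (exit 0) only when the file is non-empty, contains no malformed
# lines and holds at least $2 entries. The real level1 list has thousands of
# entries, so a threshold such as 1000 catches truncated downloads; 1 is the default.
netset_is_sane() {
    file="$1"; min="${2:-1}"
    [ -s "$file" ] || return 1
    [ "$(netset_bad_lines "$file" | wc -l | tr -d ' ')" -eq 0 ] || return 1
    [ "$(netset_count "$file")" -ge "$min" ]
}

# Constructed sample in the shape of firehol_level1.netset (documentation
# addresses, not real blacklist data).
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
#
# firehol_level1 (constructed sample for this example)
#
192.0.2.10
192.0.2.11
198.51.100.0/24
203.0.113.0/25
EOF

# Constructed failure case: an error page saved by wget instead of the list.
SAMPLE_BAD=$(mktemp)
printf '<html><body>503 Service Unavailable</body></html>\n' > "$SAMPLE_BAD"
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT

if netset_is_sane "$SAMPLE_GOOD" 4; then
    echo "good sample: $(netset_count "$SAMPLE_GOOD") entries, OK to load"
fi
if ! netset_is_sane "$SAMPLE_BAD" 1; then
    echo "bad sample rejected, offending line: $(netset_bad_lines "$SAMPLE_BAD")"
fi
```

In the update script above, a call such as `netset_is_sane "$tmp" 1000 || { rm -f "$tmp"; exit 1; }` placed before the two firehol lines would refuse to touch the ipsets when the download is not a plausible list, so a bad fetch leaves the previously loaded blacklist in place instead of replacing it.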
The last thing you need to do is run this script periodically with cron.
sudo vim /etc/cron.d/blacklisted
And this is the content:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# the line below means "run blacklisted.sh as root every 15 minutes"
*/15 * * * * root /etc/firehol/blacklisted.sh
sudo systemctl restart cron
OK. You now have your basic firewall with automatic blacklisting applied!
Start, stop, and try
# start the firewall:
sudo firehol start
# stop it:
sudo firehol stop
# when playing with a new configuration, try it for 30 seconds:
sudo firehol try
This tutorial is just the beginning of our journey with FireHOL and firewalls. It is a starting point and will be supplemented by other tutorials whenever a firewall change is needed.
Stay secured :)