Simple basic firewall to start with


Find out how to set up a basic firewall within a few minutes, without any iptables knowledge, using a great tool called FireHOL...

What is FireHOL

FireHOL is a tool that generates iptables rules from its configuration files. Configuration entries are written in an easy-to-learn yet powerful syntax.

How to install?

I assume that you are a Debian 10 user :) If you use another Linux distribution, you need to adjust this tutorial to the specifics of your distribution.

To install this must-have tool for every admin, run this command:

sudo apt-get install firehol

Configure a basic firewall

I will try to read your mind: what does "basic" mean? For me, a basic firewall is one that blocks all inbound traffic except ping and ssh. The first one (ping) lets me check whether a server is alive. The second one (ssh) allows remote administration.

Having explained the above, we can start by editing the FireHOL configuration:

sudo vim /etc/firehol/firehol.conf

It should look like this (you can skip the comments - I placed them just to explain the particular commands):

version 6

# apply to any network interface your server has
interface any world

    # use "drop" as the default action for packets
    policy drop

    # protect against bad, invalid, or fragmented packets
    protection strong

    # allow outgoing traffic on any port
    client all accept

    # allow only ping and ssh (on the default port 22) as inbound traffic
    server "icmp ssh" accept

As you can see, no more than 6 lines of configuration are needed to create a basic firewall.

Now bring it to life. Please use the try method, as it gives you 30 seconds to check that you have not cut yourself off from the server. To be sure you still have access to the server, connect to it via ssh in a new session.

sudo firehol nofast try
# First press Enter to start the firewall. After you have checked (TWICE) that you can still access the server, type 'commit'

Congratulations! Your firewall cuts you off - just kidding.

Blacklist malicious IPs

Check this out: IpList from FireHOL. The guys from FireHOL are the best - they even provide us with an aggregated list of shitty IP addresses to cut off. So why not use it to add a little bit of security to the server.

Again start with configuration:

sudo vim /etc/firehol/firehol.conf

This time our file should look something like this:

version 6

# create an ipset for blacklisted IPs
ipv4 ipset create ipv4-blacklisted-ips hash:ip

# create an ipset for blacklisted networks
ipv4 ipset create ipv4-blacklisted-nets hash:net

# after a reboot FireHOL should populate both ipsets from the list stored in the file "/etc/firehol/firehol_level1.netset"
ipv4 ipset addfile ipv4-blacklisted-ips ip firehol_level1.netset
ipv4 ipset addfile ipv4-blacklisted-nets net firehol_level1.netset

# blacklist any traffic from blacklisted IPs and networks
ipv4 blacklist full ipset:ipv4-blacklisted-ips ipset:ipv4-blacklisted-nets

interface any world
    policy drop
    protection strong

    client all accept
    server "icmp ssh" accept

It is time to download the list:

sudo wget -O /etc/firehol/firehol_level1.netset "https://iplists.firehol.org/files/firehol_level1.netset"

And you are ready to give it a try:

# Remember to check that you did not cut yourself off before you commit!
sudo firehol nofast try

And it is done!

Automate blacklisting

You have probably found out that the above-mentioned list is updated very often. To stay up to date, you should update your firewall automatically. We will add a cron job to do this.

First of all, create a script that will update the list:

vim /etc/firehol/blacklisted.sh

It should look like this:

#!/bin/bash

# create a temporary file for the download
tmp=$(mktemp) || exit 1

# download the current list into this temporary file
wget -O "$tmp" "https://iplists.firehol.org/files/firehol_level1.netset"

# in case something goes wrong - you will be informed about it and the temporary file will be removed
if [ $? -ne 0 ] || [ ! -s "$tmp" ]
then
    rm -f "$tmp"
    echo >&2 "Cannot download blacklist."
    exit 1
fi

# update the ipsets with FireHOL's dedicated command
/usr/sbin/firehol ipset_update_from_file ipv4-blacklisted-ips ips "$tmp"
/usr/sbin/firehol ipset_update_from_file ipv4-blacklisted-nets nets "$tmp"

# clean up
rm -f "$tmp"
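The update script above trusts whatever wget returned as long as the file is non-empty. As an added example (my own code, not part of the tutorial or of FireHOL), here is a strict pre-check that blacklisted.sh could run before calling ipset_update_from_file: it accepts only IPv4 addresses, CIDR blocks, comments and blank lines, so a truncated download or an HTML error page never reaches the firewall, and it splits the good lines into the two files the "ips" and "nets" ipsets of the configuration expect. The function names (is_ipv4, is_cidr, split_netset, demo) and the sample list are my own; FireHOL does its own parsing when it loads the file.

```shell
#!/bin/bash
# Added example, not part of the original tutorial or of FireHOL: validate a
# downloaded firehol_level1.netset before it is fed to the ipsets, and split
# it into single addresses and CIDR networks. Function names are my own.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    local ip="$1" octet
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is an IPv4 CIDR block (address/prefix, prefix 0-32).
is_cidr() {
    local net="$1" addr plen
    case "$net" in
        */*) ;;
        *) return 1 ;;
    esac
    addr="${net%/*}"
    plen="${net#*/}"
    is_ipv4 "$addr" || return 1
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ]
}

# split_netset FILE IPS_OUT NETS_OUT
# Writes single addresses to IPS_OUT and CIDR blocks to NETS_OUT. Comment
# lines (#...) and blank lines are skipped. On the first line that is
# neither, the function fails and leaves both output files untouched, so a
# bad download never replaces a known-good list.
split_netset() {
    local file="$1" ips_out="$2" nets_out="$3" line ips_tmp nets_tmp
    ips_tmp=$(mktemp) || return 1
    nets_tmp=$(mktemp) || { rm -f "$ips_tmp"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if is_ipv4 "$line"; then
            printf '%s\n' "$line" >>"$ips_tmp"
        elif is_cidr "$line"; then
            printf '%s\n' "$line" >>"$nets_tmp"
        else
            rm -f "$ips_tmp" "$nets_tmp"
            echo >&2 "Rejected list: unexpected line '$line'"
            return 1
        fi
    done <"$file"
    mv "$ips_tmp" "$ips_out" && mv "$nets_tmp" "$nets_out"
}

# Demo on a constructed sample (not a real download) in the same layout as
# firehol_level1.netset: a comment header, then one entry per line.
demo() {
    local sample ips nets
    sample=$(mktemp) && ips=$(mktemp) && nets=$(mktemp) || return 1
    cat >"$sample" <<'EOF'
#
# constructed sample for this example
#
192.0.2.1
198.51.100.0/24
203.0.113.7
10.0.0.0/8
EOF
    if split_netset "$sample" "$ips" "$nets"; then
        echo "single IPs: $(wc -l <"$ips"), networks: $(wc -l <"$nets")"
    fi
    rm -f "$sample" "$ips" "$nets"
}

demo
```

In blacklisted.sh you would call `split_netset "$tmp" ips.txt nets.txt` right after the download check and only run the two ipset_update_from_file commands if it succeeds; the check is deliberately strict, so anything that is not the plain list format (including inline comments or Windows line endings) is rejected rather than guessed at.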

Now make this script executable and check that it works:

# add execution rights for the file owner
sudo chmod u+x /etc/firehol/blacklisted.sh

# execute the script
sudo /etc/firehol/blacklisted.sh

Is it working? Great!

The last thing you need to do is to execute this script periodically with Cron.

sudo vim /etc/cron.d/blacklisted

And this is the content:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# the line below translates to "execute blacklisted.sh every 15 minutes"
*/15 * * * * root /etc/firehol/blacklisted.sh

Restart cron:

sudo systemctl restart cron

OK. You have your basic firewall with automatic blacklisting applied!

Start, stop, and try

# you can start the firewall just by:
sudo firehol start

# you can also stop it:
sudo firehol stop

# and if you are playing with a new configuration you can try it for 30 seconds
sudo firehol try

This tutorial is just the beginning of our journey with FireHOL and firewalls. It is a starting point and will be supplemented in other tutorials, whenever a firewall modification is needed.

Stay secured :)

Not enough?


Would you like me to build and conduct training tailored to your needs? I'm waiting for your call or message.

WeBee.Online Adam Wojciechowski
ul. Władysława Łokietka 5/2
70-256 Szczecin, Poland