Setting up Arno’s Iptables in Ubuntu 20.04 LTS Server

Saumik Satapathy
4 min read · Mar 16, 2022

In the Internet world every service listens and works on a port. Without the correct port being open, a service is not accessible from the outside world. For a Sysadmin/SRE/DevOps engineer, checking and closing unused ports on an instance/server is always a main task.

There are a few well-known ports everyone is aware of, like 80/TCP for HTTP, 443/TCP for HTTPS, 3306/TCP for MySQL, etc.
Taking a real-world scenario, suppose a MySQL port is accessible publicly due to the assigned security group and/or NACL rule. In that scenario we need to use iptables to block the public access.

In the old days system admins used the iptables command directly to filter requests. The main problem with iptables is that it is a little complex and not that user-friendly.

To overcome this problem Arno van Amersfoort created a single- and multi-homed firewall script with DSL/ADSL support. The program is free software, available under the GNU General Public License. It makes managing firewall rules very easy for a system admin.

In this document I will show how to install and use “Arno’s iptables” on an Ubuntu 20.04 LTS server hosted on AWS. To demonstrate, I launched an EC2 instance in the default VPC and opened all ports in the Security Group rule. That means the instance is open from anywhere, i.e. 0.0.0.0/0.

After the instance has launched successfully, let’s update the package lists and install “Arno's iptables”.

# apt-get update
# apt-get install arno-iptables-firewall

Press <Yes> to continue.

Now you will see something like the image below. Select OK to continue.

In the next screen it asks which TCP ports to open. For our demo I am opening ports 22, 80, 443 and 3306.

After you press <Ok> it asks which UDP ports need to be opened. If there is no UDP port requirement, leave it blank.

Now it asks which network interface we need to exclude from this rule, which means all connections on that network interface will be allowed. In my system the external NIC is eth0, so I will keep that value in place.

If there is an internal interface, put its name in the next screen; otherwise leave it blank.

In the next screen it asks for the internal subnet range; the instance will be reachable on all ports if the request comes from an instance in that subnet. This adds an extra layer of security. I will put my subnet range in that field.

After we enter all the required values it asks whether to restart the firewall so the changes take effect. Press <Yes> to apply them immediately.

After restarting the firewall to apply the changes, test the functionality by trying to access a port that is not whitelisted. If everything is correct, the connection won’t be established.

After the preliminary setup is done, if you want to modify anything you can run the command below in the terminal.

# dpkg-reconfigure -plow arno-iptables-firewall

For a small change, instead of spending time in the above dialog you can open the file and edit it directly. After the changes are made, restart the service.

# vim /etc/arno-iptables-firewall/conf.d/00debconf.conf
# /etc/init.d/arno-iptables-firewall restart
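The dialog above ends up as a handful of shell-style variables in 00debconf.conf, and the value of OPEN_TCP is what decides which ports the world can reach. The script below is an added example, not part of this article or of the arno-iptables-firewall project: it writes a constructed sample of that file (the variable names EXT_IF, OPEN_TCP, OPEN_UDP, INT_IF, NAT and INTERNAL_NET follow the package's firewall.conf, but the exact set of keys debconf writes, the interface eth0 and the subnet 172.31.0.0/16 are assumptions, so compare against your own file), then checks whether a given port is allowed (including port ranges written as low:high), audits the list for database ports that should normally not be open to 0.0.0.0/0, and prints the OPEN_TCP value with one port dropped so you can paste it back before restarting the service.

```shell
#!/bin/sh
# Added example: audit the OPEN_TCP list of an arno-iptables-firewall
# debconf config. Nothing here touches iptables; it only reads the file.

# Write a constructed sample of 00debconf.conf to the path given as $1.
# Keys and values are assumptions that mirror the dialog in the article.
write_sample_conf() {
    cat > "$1" <<'EOF'
EXT_IF="eth0"
OPEN_TCP="22 80 443 3306 8000:8010"
OPEN_UDP=""
INT_IF=""
NAT=0
INTERNAL_NET="172.31.0.0/16"
EOF
}

# Print the OPEN_TCP value of the config file $1 (sourced in a subshell so
# nothing leaks into the caller's environment).
read_open_tcp() {
    (. "$1" && printf '%s' "$OPEN_TCP")
}

# Return 0 if TCP port $2 is allowed by config $1, else 1.
# Handles single ports ("22") and ranges ("8000:8010").
port_allowed() {
    _conf=$1
    _port=$2
    for _spec in $(read_open_tcp "$_conf"); do
        case $_spec in
            *:*)
                _lo=${_spec%%:*}
                _hi=${_spec##*:}
                if [ "$_port" -ge "$_lo" ] && [ "$_port" -le "$_hi" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$_port" -eq "$_spec" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Print the well-known database ports that config $1 exposes on the
# external interface; return 1 if any are found, 0 if the list is clean.
# The port list is an assumption (MySQL, PostgreSQL, Redis, MongoDB).
audit_db_ports() {
    _found=""
    for _p in 3306 5432 6379 27017; do
        if port_allowed "$1" "$_p"; then
            _found="$_found $_p"
        fi
    done
    _found=${_found# }
    printf '%s\n' "$_found"
    [ -z "$_found" ]
}

# Print the OPEN_TCP value of config $1 with entry $2 removed. The file
# itself is not modified; the output is meant to be pasted into the file.
open_tcp_without() {
    _out=""
    for _spec in $(read_open_tcp "$1"); do
        if [ "$_spec" != "$2" ]; then
            _out="$_out $_spec"
        fi
    done
    printf '%s\n' "${_out# }"
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
printf 'Database ports reachable from 0.0.0.0/0: %s\n' "$(audit_db_ports "$sample")"
printf 'OPEN_TCP after dropping 3306: %s\n' "$(open_tcp_without "$sample" 3306)"
rm -f "$sample"
```

Run it against the real file by replacing the sample path with /etc/arno-iptables-firewall/conf.d/00debconf.conf; a non-empty audit line means a database port is open to everyone who can reach eth0, which is exactly the scenario the article set out to prevent, and the only fix that counts is removing the port from OPEN_TCP (or moving the service behind INTERNAL_NET) and restarting the firewall.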

To read more about “Arno’s Iptables” visit its official page https://rocky.eld.leidenuniv.nl/html/.


Saumik Satapathy

A passionate software Engineer with good hands-on experience in the field of DevOps/SRE. Love to share knowledge and interested to learn from others.