Firewall
This page is an extension of the firewall overview page of the user's guide.
It describes in more detail how to manage and configure the firewall:
- Disable (or enable) the firewall persistently across reboots
- Modify the firewall rules and persist the rules
We will not describe how iptables and ip6tables work, since there is a lot of documentation available on the internet, but rather how they are integrated in the LORIX OS and how they can be managed from a system point of view.
Enable and disable firewall (persistent)
As described in the user's guide, the firewall service can be started and stopped for the current session.
Starting and stopping a service is however not considered "enabling/disabling" the service, since it's just a temporary state.
On the next reboot, the service will start as usual even if it has been stopped during the last session.
Starting or stopping a service doesn't make this action persistent over a reboot.
If you want to learn more about the "start/stop vs enable/disable" concept, please consult the more advanced service management documentation.
As a shortcut, the following section describes how to enable and disable the firewall over reboot, as a persistent state.
Enable the firewall at boot
The firewall is already configured to run at boot by default on the LORIX OS but if you have disabled this service, you can enable it again using the following command:
Enable the firewall at boot
Result
Enable is not start
Please note that enabling the service (start at boot) will not make it start immediately. You still need to run the command sudo rc-service <service> start.
Disable the firewall at boot
You can avoid starting the firewall at boot with the following command:
Disable the firewall at boot
Result
Disable is not stop
Please note that disabling the service (no start at boot) will not make it stop immediately. You still need to run the command sudo rc-service <service> stop.
Configure the firewall
Workflow and data state
As explained previously, the ip[6]tables rules are stored in the files /etc/iptables/ip[6]tables.rules. When the firewall services are started, the iptables and ip6tables applications are loaded with the rules from these files.
There are then two ways of modifying the rules:
- Use iptables and ip6tables directly to modify the rules in memory, then save the result to the files.
  This is the preferred way: the syntax follows the official documentation and the rules are applied immediately.
- Edit the rule files directly and restart the services to load the new rules.
  This is not the preferred way, since the rule files use a specific syntax which is less well documented.
Modify the rules in place with iptables (preferred way)
Ensure firewall is running
To modify the rules using ip[6]tables, the corresponding service first needs to be running. If you stopped it, ensure it's running again:
Enable the firewall
Edit the rules
You can then use the standard iptables and ip6tables commands, using the documentation available on the internet:
- Base documentation of the command: https://linux.die.net/man/8/iptables
- iptables How-to from Ubuntu: https://help.ubuntu.com/community/IptablesHowTo
Be careful when modifying the rules, since they are applied immediately and some of them could cut existing connections such as SSH.
Any firewall modification should always be done using the USB access or at least done when this access is possible.
For example, the following command displays the currently running rules:
Show current firewall rules
Result
Check the iptables documentation for the available commands for modifications.
E.g. to delete a rule, use the following (where 12 is the num, i.e. the rule number, of the rule from the previous output):
Save the rules
Once you have done your modifications in the running rules, you can save them in the persistent rule files:
Save the rules
Result
From there, the rules have been saved to the corresponding file and will be reloaded each time the firewall service is started.
There is no need to reload the service, since the rules are already loaded in the running firewall.
Modify the rule configuration files
Service state
The service doesn't need to be started or stopped at this point since we will only edit the rule file and reload it into the running service.
Modify the rule file
You can edit the rule files using your favorite editor:
Edit the rule file
Default file content
As you can see, the content of the file is difficult to read and, above all, if you introduce an error into it, ip[6]tables will not be able to load it:
Wrong format error
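Because a malformed rule file is only rejected once the service tries to load it, a quick structural check before (re)starting the service avoids being left without a loaded firewall. The following is an added example, not LORIX OS code and not from this page: it checks the table/chain/COMMIT layout of an iptables-save style file such as /etc/iptables/iptables.rules or ip6tables.rules, using a constructed sample ruleset; match and target options are left to iptables-restore itself.

```python
"""Layout check for an iptables-save style rule file (e.g. /etc/iptables/iptables.rules)
before the firewall service reloads it. Added example, not LORIX OS code; it checks
only the table/chain/COMMIT structure, not the options iptables-restore itself parses."""
import re

CHAIN_DECL = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[\d+:\d+\]$")  # :CHAIN POLICY [p:b]
RULE = re.compile(r"^-[AI]\s+(\S+)")                                  # -A/-I CHAIN ...

# Constructed sample in the rule-file format, not taken from a real device.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def check_rules(text):
    """Return 'line N: problem' strings; an empty list means the layout is sound."""
    errors, table, chains = [], None, set()
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                 # comments and blanks are fine
        if line.startswith("*"):                     # "*table" opens a table
            if table is not None:
                errors.append(f"line {num}: table '{table}' not closed by COMMIT")
            table, chains = line[1:], set()
        elif line == "COMMIT":                       # COMMIT closes the open table
            if table is None:
                errors.append(f"line {num}: COMMIT outside of any table")
            table, chains = None, set()
        elif table is None:
            errors.append(f"line {num}: '{line}' appears before any *table line")
        elif line.startswith(":"):
            m = CHAIN_DECL.match(line)
            if m:
                chains.add(m.group(1))               # chain now usable by rules
            else:
                errors.append(f"line {num}: malformed chain declaration '{line}'")
        elif (m := RULE.match(line)) is None:
            errors.append(f"line {num}: unrecognised directive '{line}'")
        elif m.group(1) not in chains:
            errors.append(f"line {num}: rule uses undeclared chain '{m.group(1)}'")
    if table is not None:
        errors.append(f"end of file: table '{table}' not closed by COMMIT")
    return errors
```

On the gateway itself, iptables-restore --test <file> (and ip6tables-restore --test) performs the full parse without committing the rules, which is the definitive check once this quick one passes.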
Reload the rules into the firewall
The rules are persisted in the rule files but not yet loaded into the running application. To load them, you need to (re)start the firewall service:
Load the rules
Result