1
00:00:00,05 --> 00:00:03,05
- Next, we'll change the Netfilter rules

2
00:00:03,05 --> 00:00:07,01
on our Ubuntu router host to finish our configuration

3
00:00:07,01 --> 00:00:10,03
for forwarding packets between the internet

4
00:00:10,03 --> 00:00:12,09
and the Ubuntu local host.

5
00:00:12,09 --> 00:00:14,09
We'll use a shell script instead

6
00:00:14,09 --> 00:00:18,02
of typing individual commands.

7
00:00:18,02 --> 00:00:19,08
I keep my shell script

8
00:00:19,08 --> 00:00:28,09
in the Documents folder. Type cd Documents, press Enter.

9
00:00:28,09 --> 00:00:32,06
Type ls, press Enter.

10
00:00:32,06 --> 00:00:38,07
The myfw.sh file is our shell script.

11
00:00:38,07 --> 00:00:40,08
Let's open the shell script

12
00:00:40,08 --> 00:00:50,09
by typing nano space myfw.sh, press Enter.

13
00:00:50,09 --> 00:00:52,07
The rules you are seeing here are

14
00:00:52,07 --> 00:00:55,09
the default Netfilter ones, introduced

15
00:00:55,09 --> 00:00:58,08
in our host firewall lesson.

16
00:00:58,08 --> 00:01:03,03
I added a couple more rules to the input chain

17
00:01:03,03 --> 00:01:06,02
to prevent losing my remote desktop

18
00:01:06,02 --> 00:01:08,07
and secure shell connections.

19
00:01:08,07 --> 00:01:15,02
-p tcp specifies the transmission control protocol,

20
00:01:15,02 --> 00:01:23,00
or TCP, used by a remote desktop or secure shell request.

21
00:01:23,00 --> 00:01:31,04
-s 0/0 indicates the scope of the source IPs,

22
00:01:31,04 --> 00:01:36,03
which covers all the possible incoming IP addresses.

23
00:01:36,03 --> 00:01:43,04
-d 0/0 is the same, except

24
00:01:43,04 --> 00:01:46,02
it's for destination IPs.

25
00:01:46,02 --> 00:01:49,05
Here, I'm saying that the firewall

26
00:01:49,05 --> 00:01:52,06
should accept any incoming and outgoing packets

27
00:01:52,06 --> 00:01:56,09
through ports 3389 and 22.

28
00:01:56,09 --> 00:02:02,07
Port 3389 is for remote desktop, while 22 is

29
00:02:02,07 --> 00:02:05,00
for secure shell.

30
00:02:05,00 --> 00:02:08,01
Please note that this is mainly for the convenience

31
00:02:08,01 --> 00:02:12,04
of my demonstrations, not so much for security.

32
00:02:12,04 --> 00:02:16,03
There are many more things you can do to harden

33
00:02:16,03 --> 00:02:19,00
these firewall rules.

34
00:02:19,00 --> 00:02:26,06
Let's start by typing iptables

35
00:02:26,06 --> 00:02:40,01
-A FORWARD -i eth1 -o

36
00:02:40,01 --> 00:02:49,06
eth0 -j ACCEPT.

37
00:02:49,06 --> 00:02:54,06
-A FORWARD appends a new rule

38
00:02:54,06 --> 00:02:57,06
to the Netfilter forward chain.

39
00:02:57,06 --> 00:03:02,02
-i stands for input network interface.

40
00:03:02,02 --> 00:03:07,03
-o stands for output network interface.

41
00:03:07,03 --> 00:03:13,06
The input network interface in this scenario is eth1.

42
00:03:13,06 --> 00:03:19,02
The output network interface is eth0.

43
00:03:19,02 --> 00:03:22,07
The bottom line is that this rule forwards packets

44
00:03:22,07 --> 00:03:26,01
from an internal network interface, eth1,

45
00:03:26,01 --> 00:03:31,01
to the external network interface, eth0.

46
00:03:31,01 --> 00:03:33,07
Let's add the next rule.

47
00:03:33,07 --> 00:03:53,02
Type iptables -A FORWARD -m state --state

48
00:03:53,02 --> 00:04:06,05
ESTABLISHED,RELATED -j ACCEPT.

49
00:04:06,05 --> 00:04:11,01
The next rule makes Netfilter accept packets

50
00:04:11,01 --> 00:04:14,02
that are part of an existing connection.

51
00:04:14,02 --> 00:04:18,03
As long as there are packets coming back as responses

52
00:04:18,03 --> 00:04:21,04
to the packets you previously sent out,

53
00:04:21,04 --> 00:04:24,08
the Netfilter firewall will accept them.

54
00:04:24,08 --> 00:04:28,00
-m stands for match.

55
00:04:28,00 --> 00:04:31,05
And the rule is checking whether a packet matches

56
00:04:31,05 --> 00:04:35,03
an established or related state.

57
00:04:35,03 --> 00:04:37,08
Now, let's add another rule.

58
00:04:37,08 --> 00:05:08,01
Type iptables -t nat -A POSTROUTING -o eth0

59
00:05:08,01 --> 00:05:20,05
-j MASQUERADE, M-A-S-Q-U-E-R-A-D-E.

60
00:05:20,05 --> 00:05:23,06
-t stands for table,

61
00:05:23,06 --> 00:05:27,09
and the Netfilter table we're using here is nat,

62
00:05:27,09 --> 00:05:30,08
or network address translation.

63
00:05:30,08 --> 00:05:35,01
This rule changes the source IP of all the outgoing packets

64
00:05:35,01 --> 00:05:39,07
into the IP address of the external network interface card

65
00:05:39,07 --> 00:05:42,04
of the Ubuntu router host.

66
00:05:42,04 --> 00:05:47,06
The word masquerade refers to this process of changing

67
00:05:47,06 --> 00:05:51,05
the source IP of all the outgoing packets, so that

68
00:05:51,05 --> 00:05:55,03
they all appear to be coming from a single host

69
00:05:55,03 --> 00:05:59,07
when in fact they are from multiple internal hosts

70
00:05:59,07 --> 00:06:01,08
with different IPs.

71
00:06:01,08 --> 00:06:04,09
Now, we're done with our script.

72
00:06:04,09 --> 00:06:08,08
Let's save it by pressing Control and X together.

73
00:06:08,08 --> 00:06:12,08
Type Y, press Enter

74
00:06:12,08 --> 00:06:15,08
to accept the current file name.

75
00:06:15,08 --> 00:06:18,09
Don't forget to run the shell script.

76
00:06:18,09 --> 00:06:31,06
Type sudo ./myfw.sh, press Enter.

77
00:06:31,06 --> 00:06:34,05
The shell script ran without any problems.

78
00:06:34,05 --> 00:06:37,00
It just enabled forwarding.