{"id":8602,"date":"2024-01-06T00:12:59","date_gmt":"2024-01-06T00:12:59","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/how-to-configure-iptables-using-firehol-a-comprehensive-guide\/"},"modified":"2025-01-20T09:54:08","modified_gmt":"2025-01-20T09:54:08","slug":"how-to-configure-iptables-using-firehol-a-comprehensive-guide","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/how-to-configure-iptables-using-firehol-a-comprehensive-guide\/","title":{"rendered":"How to Configure iptables Using Firehol: A Comprehensive Guide"},"content":{"rendered":"

Firehol is an open-source tool used to configure Linux firewalls, such as those based on iptables. Advanced users can delve deeper into the rule set with optional parameters. Firehol ensures that the rules are coherent in both directions.<\/div>\n

By default, Firehol generates rules for both IPv4 and IPv6. This can be changed in the configuration file firehol-defaults.con<\/em>f by setting the variables ENABLE_IPV4 and ENABLE_IPV6 <\/em>to either 0 or 1 as needed.<\/p>\n

Installing and configuring Firehol<\/h2>\n

Install Firehol on Debian and Ubuntu with:<\/p>\n<\/p>\n

sudo apt install firehol<\/pre>\n<\/p>\n
Configure it through the file firehol.conf <\/em>in the \/etc\/firehol\/<\/em> directory. You can open it with:<\/p>\n<\/p>\n
sudo nano firehol.conf<\/pre>\n<\/p>\n
Editing the firehol.conf configuration file<\/a><\/p>\n<\/p>\n
\/etc\/default\/firehol<\/em> <\/p>\n
START_FIREHOL=YES<\/p>
<\/pre>\n
Adding settings for Firehol to start automatically<\/a><\/div>\n
sudo \/etc\/init.d\/firehol start<\/p>
<\/pre>\n<\/p>\n
Keep in mind that the service might be installed in a different directory. To enable autostart for the service use this command:<\/p>\n
sudo update-rc.d firehol defaults<\/p>
<\/pre>\n
Firehol QuickStart<\/h2>\n
To quickly configure a functional firewall, you can generate a sample configuration with the most important functions:<\/p>\n<\/p>\n
sudo firehol helpme > \/tmp\/firehol.conf<\/pre>\n<\/p>\n
Firehol reads the local system services and adjusts the configuration accordingly.<\/p>\n<\/p>\n
Link<\/a><\/p>\n
Generating basic configuration for Firehol<\/p>\n<\/p>\n
firehol-defaults.co<\/em><\/p>\n
\/etc\/firehol<\/em> <\/p>\n
The options in firehol-default.conf<\/em> come into play when no rule or variable is set in firehol.conf.<\/em> This is useful, for example, for logging.<\/p>\n
<\/a><\/p>\n
The variables in firehol-defaults.conf control the behavior of Firehol<\/p>\n<\/div>\n
Firehol operates as a stateful olution<\/h2>\n<\/p>\n
Firehol effectively matches both requests and responses. This is possible because the Linux kernel is aware of all active connections and consequently determines expected packets from those that are not. Firehol’s usage of the In-Kernel-Connection-Tracker allows it to automatically dispose of all packets considered invalid.<\/p>\n<\/p>\n
Setting a new rule using Firehol means focusing mainly on the requests. Through this, the tool automatically generates the matching answer or reply in the iptables.<\/p>\n<\/p>\n
Maintenance of individual rules occurs through simple commands inside firehol.conf<\/em>. For illustration, if there is an active HTTP service on the server, merely typing the command into the file will do:<\/p>\n<\/p>\n
server http accept<\/p>
<\/pre>\n<\/p>\n
To allow HTTP client requests, use this command:<\/p>\n<\/p>\n
client http accept<\/p>
<\/pre>\n<\/p>\n
To filter traffic, it’s not necessary to define every service. However, you can also create your own services, for example with these commands:<\/p>\n<\/p>\n
server_myhttp_ports=\"tcp\/80,443\"<\/p>
client_myhttp_ports=\"default\"<\/p>
<\/pre>\n<\/p>\n
Then, you can allow packets through the server:<\/p>\n
server myhttp accept<\/p>
client myhttp accept<\/p>
<\/pre>\n
It’s also possible to use multiple ports:<\/p>\n
server_emule_ports=\"tcp\/4662,64397,7037,23213,25286 udp\/4672\"<\/p>
client_emule_ports=\"default\"<\/p>
<\/pre>\n<\/p>\n
Using multiple protocols for all ports can be configured this way:<\/p>\n<\/p>\n
server_sip_ports=\"tcp,udp\/5060\"<\/p>
client_sip_ports=\"default\"<\/p>
<\/pre>\n<\/p>\n
Defining Rules with Firehol<\/h2>\n<\/p>\n
In principle, the firewall applies rules to all packets entering the system. For example, if the server smtp accept is entered in firehol.conf<\/em>, the firewall allows SMTP packets.<\/p>\n<\/p>\n
However, it’s possible to create additional rules for Requests using parameters. These are explained in detail in the documentation. For example, to match all SMTP requests from IP address 1.1.1.1 to SMTP server 2.2.2.2, use this command:<\/p>\n<\/p>\n
server smtp accept src 1.1.1.1 dst 2.2.2.2<\/pre>\n<\/p>\n
Troubleshooting with Firehol: Syslog and NFLOG<\/h2>\n<\/p>\n
It may happen that the firewall blocks packets, disrupting communication. The documentation provides guidelines on how to troubleshoot.<\/p>\n<\/p>\n
Firehol records its events in the system log, which can be utilized for analysis. It’s located in the \/var\/log\/messages<\/em> or \/var\/log\/syslog <\/em>directory.<\/p>\n
In there, you can see which packets Firehol implicitly discards, that is, without a rule in the config file. Hence, it’s also useful to set up logging in advance.<\/p>\n
The developers of Firehol suggest using NFLOG for logging firewall actions. To accomplish this, add the line in the file \/etc\/firehol\/firehol-defaults.conf<\/em>:<\/p>\n
FIREHOL_LOG_MODE=\"NFLOG\"<\/p>
<\/pre>\n<\/p>\n
This relieves the system log.<\/p>\n<\/p>\n
With this command, the firewall shows which actions it performs based on the current configuration:<\/p>\n<\/p>\n
firehol debug<\/p>
<\/pre>\n<\/p>\n
This helps identify problems. Since Firehol runs as a bash script, additional information can be logged by adding the following lines to the configuration:<\/p>\n<\/p>\n
Subscribe to 4sysops newsletter!<\/h2><\/p>\n","protected":false},"excerpt":{"rendered":"
Firehol is an open-source tool used to configure Linux firewalls, such as those based on iptables. Advanced users can delve deeper into the rule set with optional parameters. Firehol ensures that the rules are coherent in both directions. By default, Firehol generates rules for both IPv4 and IPv6. This can be changed in the configuration […]<\/p>\n","protected":false},"author":1,"featured_media":8603,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[92,151,116,114],"tags":[],"class_list":["post-8602","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","category-firewalls","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=8602"}],"version-history":[{"count":2,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8602\/revisions"}],"predecessor-version":[{"id":10308,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8602\/revisions\/10308"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/8603"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=8602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=8602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=8602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}