
Correcting an existing Firewall on Ubuntu Server 12.04

Posted: Tue Sep 16, 2014 9:46 am
by michael-lentz
I am familiar with using IPTOOLS and UFW and have set up new firewalls.
I have 'inherited' a remote server with a very complicated firewall that I want to get rid of, and start over using SSH.

There is a file called /root/firewall.rules. Does this firewall get automatically loaded at reboot?
If I delete this file and reboot, will I get the Default Firewall?

Re: Correcting an existing Firewall on Ubuntu Server 12.04

Posted: Wed Sep 17, 2014 2:20 pm
by Patton
michael-lentz wrote:
I am familiar with using IPTOOLS and UFW and have set up new firewalls.
I have 'inherited' a remote server with a very complicated firewall that I want to get rid of, and start over using SSH.

There is a file called /root/firewall.rules. Does this firewall get automatically loaded at reboot?
If I delete this file and reboot, will I get the Default Firewall?


/root/firewall.rules may be loaded by the previous server account owner in a startup script but not by default. I would suggest simply renaming the file, rebooting and then running
Code:
  iptables -L

Re: Correcting an existing Firewall on Ubuntu Server 12.04

Posted: Thu Sep 18, 2014 8:39 am
by michael-lentz
I removed the /root/firewall.rules file, and rebooted.
I ran my own firewall.sh and firewall looked good.
After a few minutes I checked, and the firewall returned to the previous firewall.
I ran my own firewall.sh again, and now it is staying.

Something must be loading the old firewall from somewhere else.
I did a Grep of the system for a string I found inside the old firewall but got no hits.

Re: Correcting an existing Firewall on Ubuntu Server 12.04

Posted: Thu Sep 18, 2014 10:07 am
by Patton
michael-lentz wrote:
I removed the /root/firewall.rules file, and rebooted.
I ran my own firewall.sh and firewall looked good.
After a few minutes I checked, and the firewall returned to the previous firewall.
I ran my own firewall.sh again, and now it is staying.

Something must be loading the old firewall from somewhere else.
I did a Grep of the system for a string I found inside the old firewall but got no hits.


If it's loading sometimes after the system is rebooted I would check
Code:
  crontab -e


Look for lines like iptables-save > /root/somefile or service iptables save > /root/somefile or /sbin/iptables-restore < /root/somefile


Also

Code:
  for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l; done


will find all crontabs by all users both legit and malicious.
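
An added example, not part of the original posts: one pass over the usual places that can re-apply iptables rules after boot (system and per-user cron, boot scripts, ifupdown hooks), looking for the commands named above. The location list and the names scan_fw_loaders, FW_PATTERN and FW_LOCATIONS are assumptions for illustration; run it as root so the per-user crontabs are readable.

```sh
#!/bin/sh
# Added example, not from the thread. Scans the usual places that can
# re-apply iptables rules after boot for the commands named in the posts.

# Commands that load or save a rule set (extended regex).
FW_PATTERN='ip6?tables-(restore|save)|iptables-apply|service[[:space:]]+iptables'

# Assumed locations (cron, boot scripts, ifupdown hooks); extend as needed.
FW_LOCATIONS='/etc/crontab /etc/anacrontab /etc/cron.d /etc/cron.hourly
/etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron/crontabs
/etc/rc.local /etc/init /etc/init.d /etc/network/interfaces
/etc/network/if-pre-up.d /etc/network/if-up.d /etc/network/if-post-down.d'

# scan_fw_loaders [ROOT]
# Prints file:line:text for every non-comment line that matches FW_PATTERN.
# ROOT is an optional prefix (a mounted disk image or a test tree); with no
# argument the live system is scanned.
scan_fw_loaders() {
    root="${1:-}"
    for path in $FW_LOCATIONS; do
        [ -e "$root$path" ] || continue
        # -r recurse into directories, -H always print the file name,
        # -n print the line number, -E extended regex
        grep -rHnE -- "$FW_PATTERN" "$root$path" 2>/dev/null || :
    done | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

scan_fw_loaders "$@"
```

Each hit names the file and line that touches the rule set, so the file it redirects from or to (the /root/somefile in the lines above) is the next thing to inspect.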