Learning by Doing: How I Built My First Linux Firewall from Scratch

#!/bin/bash

# Resolve google.com and extract IP addresses
IP_ADDRESSES=$(nslookup google.com | grep 'Address' | awk '{print $2}' | tail -n +2)

# Block each resolved IP address using iptables
for IP in $IP_ADDRESSES; do
    sudo iptables -A INPUT -s $IP -j DROP
    sudo iptables -A OUTPUT -d $IP -j DROP
done

Just a few hours ago, I knew nothing about this code. It might look complex, but with a little patience and the right guidance, I was able to not only understand what each line does but also implement it to solve a real-world problem. This is the story of how I went from a beginner with no experience in Linux or virtual machines to someone who can confidently use and explain this script.

In this post, I’ll walk you through the steps I took—from setting up a virtual environment with Ubuntu to exploring the core functions of Linux, and finally, to writing and implementing the Bash script above. By the end of this journey, I had developed a solid understanding of how to manage and secure a Linux system—skills that are foundational in the field of cybersecurity.

What Is VirtualBox and Ubuntu?

Before diving into the details, let’s break down what I was working with:

• VirtualBox: This is a free and open-source software that allows you to run different operating systems on your computer without affecting your main setup. It’s like having a separate computer inside your computer.
• Ubuntu: Ubuntu is a popular Linux-based operating system. Unlike Windows or macOS, Ubuntu is known for being secure, customizable, and free to use. It’s often used by cybersecurity professionals for testing and development.

Why Set Up a Virtual Machine?

Setting up a virtual machine (VM) is a safe way to experiment with new software or operating systems. If something goes wrong, it won’t affect your main computer. For cybersecurity enthusiasts, VMs are a great way to practice without any real-world risks.

My First Steps: Installing and Exploring

1. Installing VirtualBox and Ubuntu: I began by installing VirtualBox on my laptop and setting up Ubuntu as the virtual machine. This gave me a secure environment to explore Ubuntu without worrying about making mistakes.
2. Gaining Administrative Access: In Ubuntu, I used a command called sudo to gain administrative access, which allowed me to make changes to the system. This is similar to how you might need an administrator password to install software on your computer. Here’s what the command looked like:

   sudo su

After entering my password, I had full control over the system—a crucial skill in managing and securing IT environments.

3. Learning About Networking: One of the first things I did was check the network settings. Just like your computer connects to the internet through Wi-Fi or Ethernet, the virtual machine connects to the internet through virtual networks. I learned how to view these network connections and what they mean using this command:

   ifconfig

This command displayed the network interfaces, showing details like IP addresses and subnet masks—key information for understanding and securing network configurations.

Understanding File Permissions and Security

One key aspect of cybersecurity is understanding how file permissions work. File permissions determine who can read, write, or execute a file. In Ubuntu, I experimented with creating and managing files:

• Creating Files: I created a simple text file with the following command:

  touch firstfile.txt

This created an empty file named firstfile.txt on my desktop.

• Managing Permissions: I then learned how to check and change the permissions of this file. Here’s how I viewed the file’s permissions:

  ls -alh

The output showed something like this:

  -rw-r--r-- 1 root root 0 Aug 6 10:00 firstfile.txt

This string tells us who can do what with the file. For example, -rw-r--r-- means the owner can read and write the file, but others can only read it.

Permissions in Binary:

• Each permission—read (r), write (w), and execute (x)—is represented by a binary digit (1 for allowed, 0 for denied).
• The permissions rw-r--r-- translate to 110 100 100 in binary, or 644 in octal. Understanding how to interpret and modify these permissions is critical for maintaining security, ensuring that sensitive files are only accessible to those who need them.
• Changing Permissions: I used the chmod command to make the file executable by the owner:

  chmod 744 firstfile.txt

This adjustment in file permissions is a fundamental aspect of securing systems, particularly in environments where data protection is paramount.

The Importance of Network Security

As I continued exploring, I experimented with network settings. This part of my journey highlighted the importance of securing network connections:

• Configuring Network Interfaces: I edited a file that controls network settings using the following command:

  sudo vim /etc/network/interfaces

Inside this file, I set up the loopback interface and configured the main network interface (enp0s3) to use a static IP address:

  auto enp0s3
  iface enp0s3 inet static
      address 10.0.2.16
      netmask 255.255.255.0
      gateway 10.0.2.2

This configuration ensured that my virtual machine had a consistent network identity, which is crucial for network security and management.

• Dealing with DNS Issues: When I had trouble connecting to websites, I learned that the issue was related to DNS (Domain Name System) settings. To fix it, I added DNS servers directly to the network interface configuration:

  dns-nameservers 8.8.8.8 8.8.4.4

This change resolved the issue, allowing me to connect to the internet securely. Understanding how DNS settings affect connectivity is important for managing network configurations and ensuring reliable access to online resources.

• Creating a Transparent Network Bridge: To deepen my understanding of networking, I set up a transparent network bridge using the bridge-utils package. This allowed my virtual machine to act as if it were directly connected to the physical network, giving me greater control over network configurations and making the VM behave more like a physical device on the network. This setup is particularly useful for scenarios that require advanced networking features, such as network monitoring or penetration testing.

Here’s the configuration I used in /etc/network/interfaces to set up the bridge:

auto br0
iface br0 inet dhcp
    bridge_ports enp0s3
    bridge_fd 0
    bridge_maxwait 0
    bridge_stp off

Explanation:

• auto br0: This command automatically brings up the bridge interface br0 when the system starts.
• iface br0 inet dhcp: This sets the bridge interface br0 to use DHCP, allowing it to automatically receive an IP address from the network.
• bridge_ports enp0s3: This command adds the network interface enp0s3 to the bridge br0, allowing traffic to pass through the bridge.
• bridge_fd 0: The bridge_fd (forward delay) parameter is set to 0, meaning there is no delay before the bridge starts forwarding packets. This is typically set to a higher value in environments where network loops are a concern, but here it’s disabled for immediate packet forwarding.
• bridge_maxwait 0: This setting prevents any delay before the bridge interface is brought up, which is useful for faster network initialization.
• bridge_stp off: This disables Spanning Tree Protocol (STP), which prevents network loops. In a controlled environment like this, disabling STP can improve performance by reducing overhead.

This configuration ensures that my VM has a network connection that behaves just like a physical machine on the network, which is crucial for realistic testing and network simulations.

Understanding iptables: Managing Network Traffic with Precision

Before diving into Bash scripting, I needed to understand iptables, a powerful tool in Linux for managing network traffic. iptables allows you to define rules that control how incoming and outgoing packets are handled by the system. This is crucial for implementing security measures like firewalls, which can block unwanted traffic and protect systems from unauthorized access.

Basic iptables Commands:

• Listing Rules: To see the current rules in place, you can use:

  sudo iptables -L

This command lists all the rules in the INPUT, FORWARD, and OUTPUT chains. Each rule specifies how packets should be handled—whether they should be accepted, rejected, or dropped.

• Adding a Rule: To block incoming traffic from a specific IP address, you can use:

  sudo iptables -A INPUT -s 192.168.1.100 -j DROP

This command tells iptables to append (-A) a rule to the INPUT chain, specifying that any packets from the source IP address `192.168.1.100 should be dropped (-j DROP`).

• Removing a Rule: To delete a rule, you need to specify the rule’s number:

  sudo iptables -D INPUT 1

This command deletes the first rule in the INPUT chain.

With this foundational understanding of iptables, I was ready to create a Bash script that automates the process of blocking specific IP addresses.

Automating Security with Bash Scripts

Once I became comfortable with basic commands and network configurations, I decided to delve into automating tasks using Bash scripts. My first script was a simple one that printed a message to the terminal:

#!/bin/bash
echo "First Bash Script"

This might seem basic, but it taught me the fundamentals of writing and executing scripts in Linux. The #!/bin/bash line, known as a shebang, tells the system to use the Bash shell to run the script.

After gaining confidence with simple scripts, I explored more complex automation, such as blocking specific IP addresses. This led me to create the blockips.sh script, which needed to run automatically each time my system started.

Creating the blockips.sh Script:
With a grasp of iptables, I wrote a script that resolves the IP addresses associated with google.com and blocks them using iptables. Here’s the code:

#!/bin/bash

# Resolve google.com and extract IP addresses
IP_ADDRESSES=$(nslookup google.com | grep 'Address' | awk '{print $2}' | tail -n +2)

# Block each resolved IP address using iptables
for IP in $IP_ADDRESSES; do
    sudo iptables -A INPUT -s $IP -j DROP
    sudo iptables -A OUTPUT -d $IP -j DROP
done

Explanation:

• nslookup google.com: This command queries the DNS to resolve the IP addresses associated with google.com.
• grep 'Address' | awk '{print $2}' | tail -n +2: These commands filter the output to extract only the IP addresses.
• grep 'Address' searches the output for lines containing the word “Address.”
• awk '{print $2}' extracts the second column, which contains the IP addresses.
• tail -n +2 removes the first line, which is typically the DNS server’s address, leaving only the resolved IPs for the target domain.
• iptables -A INPUT -s $IP -j DROP: This command adds a rule to block incoming traffic from the resolved IP addresses.
• iptables -A OUTPUT -d $IP -j DROP: Similarly, this command blocks outgoing traffic to the resolved IP addresses.

Using rc.local for Automation:
To ensure that the blockips.sh script runs at startup, I edited the /etc/rc.local file. This file is executed after all other startup scripts, making it an ideal place to automate security measures. Here’s how I set it up:

sudo vim /etc/rc.local

I added the following lines to execute my script:

#!/bin/sh -e
/opt/blockips.sh
exit 0

The #!/bin/sh -e at the top tells the system to use the Bourne shell (sh) to run the script. The /opt/blockips.sh line calls my script, and exit 0 ensures the script exits without errors.

By setting up this automation, I ensured that my virtual machine would automatically block traffic to and from google.com every time it started. This was a significant step forward in understanding how to implement automated security measures in a Linux environment.

Technical Takeaways: Key Cybersecurity Skills Developed

Through this hands-on experience, I developed several important cybersecurity skills:

1. System Administration: Gaining root access and managing system settings gave me a deeper understanding of how to secure and configure a Linux environment, which is essential for any cybersecurity professional.
2. Network Configuration and Security: By configuring network interfaces, setting up a transparent bridge, and managing DNS settings, I learned how to ensure network reliability and security. This included setting static IPs, bridging networks, and understanding the significance of DNS in maintaining secure connections.
3. File Permissions and Security: I gained practical knowledge of file permissions, learning how to control access to sensitive files. Understanding how to set and interpret permissions is a key part of protecting data within any system.
4. Bash Scripting for Automation: Writing and automating Bash scripts to enforce security policies on startup showed me how powerful automation can be in managing and securing systems. This skill is particularly useful for creating repeatable, consistent security measures.
5. Problem-Solving and Troubleshooting: Encountering and resolving issues such as DNS failures, incorrect network configurations, and setting up network bridges helped me build strong problem-solving skills, which are crucial in the cybersecurity field.

Conclusion

Cybersecurity is a field that touches every aspect of our digital lives, from the files we store to the networks we connect to. My journey with Ubuntu on VirtualBox was my first real experience with both Linux and virtual machines, and it allowed me to develop a strong foundation in key cybersecurity concepts. Whether you’re looking to start a career in cybersecurity or just want to understand how to protect your digital life, there’s no better time to start exploring.