LinuxQuestions.org
Slackware-14.1-Firewalls

Posted 06-22-2014 at 06:55 PM by arniekat

This tutorial will go through some of the choices you have for software firewalls. Along with a firewall, you can change various networking and system settings of the running kernel by placing them in /etc/sysctl.conf. Other firewall configuration tools are available, such as Shorewall and FirewallBuilder, but I have not used them myself, so they are not shown here.

SYSCTL.CONF

This file controls kernel settings and does not exist in a default Slackware installation; it must be created. The previous tutorial has information about this file. Of the tools below, the two that should have an /etc/sysctl.conf file are FireHOL and UFW.
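As an added example (not from the original post): a small POSIX shell script that keeps the eight kernel settings the Slax firewall script below applies with sysctl -w in one list, prints them in /etc/sysctl.conf format, and checks the running kernel under /proc/sys against them. The HARDENING list, the function names and the /proc/sys root parameter are my own construction.

```shell
#!/bin/sh
# Constructed list: the settings the Slax rc.FireWall script applies with
# "sysctl -w". ip_forward=1 is only needed when this host routes for other
# machines (the script's own comment says so); a standalone host wants 0.
HARDENING='
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.ip_forward 1
'

# Print the list in the "key = value" form that /etc/sysctl.conf expects,
# so the same data can be redirected into the file.
render_sysctl_conf() {
    echo "# /etc/sysctl.conf - kernel settings applied at boot"
    echo "$HARDENING" | while read -r key value; do
        [ -n "$key" ] || continue
        printf '%s = %s\n' "$key" "$value"
    done
}

# Compare the list against the live values under $1 (normally /proc/sys).
# Prints one line per mismatch and returns the number of mismatches, so a
# zero exit status means the running kernel matches the file.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    for pair in $(echo "$HARDENING" | tr ' ' '='); do
        key=${pair%%=*}
        want=${pair#*=}
        # net.ipv4.conf.all.rp_filter -> net/ipv4/conf/all/rp_filter
        path="$root/$(echo "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have=missing
        fi
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run `render_sysctl_conf > /etc/sysctl.conf` once as root, and `audit_sysctl` after a reboot to confirm the values actually took effect.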

FIREWALL SCRIPT

If there is a script at /etc/rc.d/rc.firewall and it is executable, the Slackware startup scripts will run it. Slax Linux 7.0.8 ships a firewall script that can be copied from the Live CD to your own computer and saved as /etc/rc.d/rc.firewall: burn the Live CD, boot it on a machine and copy the file /etc/rc.d/rc.FireWall to a USB drive. I normally place the sysctl commands into /etc/sysctl.conf and keep the iptables commands as /etc/rc.d/rc.firewall. You could run the script as-is, but then be sure that you do NOT HAVE an /etc/sysctl.conf file, because the script sets those kernel parameters itself in its default configuration. If you have the Slax firewall script, here are the changes I make:

Erase the following lines

SYSCTLW="/sbin/sysctl -q -w"

# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing

$SYSCTLW net.ipv4.conf.all.rp_filter=1

# Enable logging of packets with malformed IP addresses,
# Disable redirects,
# Disable source routed packets,
# Disable acceptance of ICMP redirects,
# Turn on protection from Denial of Service (DOS) attacks,
# Disable responding to ping broadcasts,
# Enable IP routing. Required if your firewall is protecting a network, NAT included

$SYSCTLW net.ipv4.conf.all.log_martians=1
$SYSCTLW net.ipv4.conf.all.send_redirects=0
$SYSCTLW net.ipv4.conf.all.accept_source_route=0
$SYSCTLW net.ipv4.conf.all.accept_redirects=0
$SYSCTLW net.ipv4.tcp_syncookies=1
$SYSCTLW net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTLW net.ipv4.ip_forward=1

The beginning portion of the script will now appear as follows:

if [ "$1" = "start" ]; then

IPTABLES="/usr/sbin/iptables"

# Firewall initialization, remove everything, start with clean tables
$IPTABLES -F # remove all rules
$IPTABLES -X # delete all user-defined chains

If you need to allow more ports, add them to this line; to close a port, remove its number from the line:

ALLOWED_PORTS="20 21 22 25 80 110 143 443"

Check /etc/services for port numbers and service names.

Save the file and exit. Now copy the firewall script to /etc/rc.d/rc.firewall and make it executable:

# chmod +x /etc/rc.d/rc.firewall
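As an added example, not the Slax rc.FireWall script (whose rule section the post does not reproduce): a minimal /etc/rc.d/rc.firewall in the same shape, showing how the ALLOWED_PORTS line becomes iptables rules behind a default-DROP policy, with stateful accepts, INVALID drops and rate-limited logging. The rule set, the build_rules function and the IPTABLES=echo dry-run are my own construction.

```shell
#!/bin/sh
# Constructed rc.firewall: Slackware runs this with "start" at boot when it
# is executable. Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
ALLOWED_PORTS=${ALLOWED_PORTS:-"20 21 22 25 80 110 143 443"}

# Emit the complete INPUT rule set for the given space-separated TCP ports.
build_rules() {
    ports=$1
    # Start with clean tables, as the Slax script does
    $IPTABLES -F
    $IPTABLES -X
    # Default DROP: anything not explicitly accepted below is dropped
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    # Loopback, and replies to connections this host started
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify (bad flags, out-of-window) go first
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    # One accept rule per listed port; refuse anything that is not a number
    for port in $ports; do
        case $port in
            *[!0-9]*|'') echo "rc.firewall: bad port '$port'" >&2; return 1 ;;
        esac
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log what the DROP policy is about to discard, rate-limited so a port
    # scan cannot fill the log
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "rc.firewall drop: "
}

if [ $# -gt 0 ]; then
    case $1 in
        start)   build_rules "$ALLOWED_PORTS" ;;
        stop)    $IPTABLES -F; $IPTABLES -X
                 $IPTABLES -P INPUT ACCEPT; $IPTABLES -P FORWARD ACCEPT ;;
        restart) "$0" stop; "$0" start ;;
        *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
fi
```

Review the generated rules with `IPTABLES=echo ./rc.firewall start` before installing the script, then confirm with `iptables -L -n -v` after it runs.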

ARNO-IPTABLES-FIREWALL

Arno-iptables-firewall is a front-end for iptables. Its configuration script sets up a secure and restrictive firewall by asking just a few questions, including configuring internal networks for Internet access via NAT and network services such as http or ssh. It also provides many advanced features that can be enabled in the well-documented configuration file. Note that arno-iptables-firewall controls the kernel settings that would otherwise be in /etc/sysctl.conf, so be sure you do NOT HAVE an /etc/sysctl.conf file!

Compile and install the arno-iptables-firewall-2.0.1e package.

PLEASE NOTE - The setup script is NOT going to be run automatically after your package is installed. In order to do that you'll have to issue the following command:

# arno-iptables-firewall-configure

Arno's Iptables Firewall Script v2.0.1e
Configure Script v1.02d
-------------------------------------------------------------------------------
Do you want the init script to be verbose (print out what it's doing) (Y/N)? Yes
Your firewall.conf is not configured yet.

Do you want me to help you setup a basic configuration (Y/N)? Yes
'/etc/arno-iptables-firewall/firewall.conf' -> '/etc/arno-iptables-firewall.conf.bak'
We will now setup the most basic settings of the firewall

What is your external (aka. internet) interface (multiple interfaces should be comma separated)? wlan0
Does your external interface get its IP through DHCP (Y/N)? Yes
Do you want to enable IPv6 support (Y/N)? No
Do you want to be pingable from the internet (Y/N)? No
Which TCP ports do you want to allow from the internet? (eg. 22=SSH, 80=HTTP, etc.) (comma separate multiple ports)? Enter
Which UDP ports do you want to allow from the internet? (eg. 53=DNS, etc.) (comma separate multiple ports)? Enter
Do you have an internal(aka LAN) interface that you want to setup (Y/N)? No

** Configuration done **

-------------------------------------------------------------------------------
** NOTE: 1) You can now (manually) (re)start the firewall by executing **
** "/etc/rc.d/rc.arno-iptables-firewall start" or **
** "/etc/rc.d/rc.arno-iptables-firewall restart" **
** It is recommended however to first review the settings in **
** /etc/arno-iptables-firewall/firewall.conf! **
** **
** 2) In order to start the firewall automatically at boot-time, **
** you will need to manually create in /etc/rc.d/ an appropriate **
** symlink, named "rc.firewall", pointing to the startup script. **
** To do that, issue the following command: **
** **
** ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall **
** **
** Delete the link if you wish to disable firewall startup at boot- **
** time, or "chmod -x" the startup script for the same result. **
-------------------------------------------------------------------------------

Test the firewall by starting it manually using one of the following commands:

# /etc/rc.d/rc.arno-iptables-firewall start
# arno-iptables-firewall start

Arno's Iptables Firewall Script v2.0.1e
-------------------------------------------------------------------------------
Platform: Linux 3.10.17 x86_64
Checking/probing Iptables modules:
Loaded kernel module ip_tables.
Loaded kernel module nf_conntrack.
Loaded kernel module nf_conntrack_ftp.
Loaded kernel module xt_conntrack.
Loaded kernel module xt_limit.
Loaded kernel module xt_state.
Loaded kernel module xt_multiport.
Loaded kernel module iptable_filter.
Loaded kernel module iptable_mangle.
Loaded kernel module ipt_REJECT.
Loaded kernel module xt_LOG.
Loaded kernel module xt_TCPMSS.
Loaded kernel module iptable_nat.
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Configuring general kernel parameters:
Setting the max. amount of simultaneous connections to 16384
net.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_acct = 1
Configuring kernel parameters:
Disabling send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.wlan0.send_redirects = 0
Enabling protection against source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.wlan0.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
Enabling packet forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wlan0.forwarding = 1
Setting some kernel performance options
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_low_latency = 0
Enabling reduction of the DoS'ing ability
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_local_port_range = 32768 61000
Enabling SYN-flood protection via SYN-cookies
net.ipv4.tcp_syncookies = 1
Enabling anti-spoof with rp_filter
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.wlan0.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
Disabling the logging of martians
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.wlan0.log_martians = 0
Disabling the acception of ICMP-redirect messages
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.wlan0.accept_redirects = 0
Disabling ECN (Explicit Congestion Notification)
net.ipv4.tcp_ecn = 0
Enabling kernel support for dynamic IPs
net.ipv4.ip_dynaddr = 1
Enabling PMTU discovery
net.ipv4.ip_no_pmtu_disc = 0
Setting default TTL=64
net.ipv4.ip_default_ttl = 64
Flushing route table
net.ipv4.route.flush = 1
Kernel setup done...
Initializing firewall chains
Setting all default policies to DROP while "setting up firewall rules"
IPv4 mode selected but IPv6 available, DROP all IPv6 packets
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved nets disabled
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
Loaded 0 plugin(s)...
Setting up external(INET) INPUT policy
Logging of ICMP flooding enabled
Enabling support for DHCP-assigned-IP (DHCP client)
Logging of explicitly blocked hosts enabled
Logging of denied local output connections enabled
Packets will NOT be checked for reserved source addresses
Denying ANYHOST to send IPv4 ICMP-requests (ping)
Logging of possible stealth scans enabled
Logging of (other) packets to PRIVILEGED TCP ports enabled
Logging of (other) packets to PRIVILEGED UDP ports enabled
Logging of (other) packets to UNPRIVILEGED TCP ports enabled
Logging of (other) packets to UNPRIVILEGED UDP ports enabled
Logging of IGMP packets enabled
Logging of dropped ICMP-request(ping) packets enabled
Logging of dropped other ICMP packets enabled
Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
Setting up external(INET) OUTPUT policy
Applying external(INET) policy to interface: wlan0 (without an external subnet specified)
Security is ENFORCED for external interface(s) in the FORWARD chain
Logging of dropped FORWARD packets enabled

Jun 21 20:52:22 All firewall rules applied.

Now, open up a Web Browser and see if you can connect to the Internet.

To enable firewall startup at boot-time you'll need to create a symlink as follows (remove the link to disable automatic firewall startup, or "chmod -x" the startup script for the same result):

# ln -sv /etc/rc.d/rc.arno-iptables-firewall /etc/rc.d/rc.firewall
# chmod +x /etc/rc.d/rc.arno-iptables-firewall

FIREHOL

FireHOL 1.296 is an iptables firewall generator that produces stateful iptables packet-filtering firewalls on Linux hosts and routers. FireHOL is a language for expressing firewall rules, not just a script that produces some kind of firewall. Before you configure FireHOL, be sure to turn off all the services you are not using, since FireHOL creates rules for every service that is currently running (SSH, Samba, NFS, etc.). There is a tutorial on my blog to help you.

Compile and install firehol-1.296 from SlackBuilds.org.

Change /etc/rc.d/rc.firehol so it is executable:

# chmod +x /etc/rc.d/rc.firehol

Create a symlink to /etc/rc.d/rc.firehol called /etc/rc.d/rc.firewall:

# cd /etc/rc.d
# ln -s rc.firehol rc.firewall

Run /usr/sbin/firehol-get-iana to fetch the list of reserved (non-routable) addresses:

# /usr/sbin/firehol-get-iana
WARNING - Please install 'aggregate-flim' to shrink the list of IPs.

Fetching IANA IPv4 Address Space, from:
http://www.iana.org/assignments/ipv4...ress-space.txt

FOUND THE FOLLOWING RESERVED IP RANGES:
RESERVED_IPS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8 "

Differences between the fetched list and the list installed in
/etc/firehol/RESERVED_IPS:
# diff /etc/firehol/RESERVED_IPS /tmp/iana.1486.22122
diff: /etc/firehol/RESERVED_IPS: No such file or directory

Would you like to save this list to /etc/firehol/RESERVED_IPS
so that FireHOL will automatically use it from now on?

yes or no > yes
New RESERVED_IPS written to '/etc/firehol/RESERVED_IPS'.

If the script does not work, you can create the file manually: create /etc/firehol/RESERVED_IPS containing the non-routable addresses, which you can get from:

http://www.iana.org/assignments/ipv4...ress-space.txt

You need the prefix of every entry whose status is "RESERVED", except the entries with a designation of "Multicast" (224-239).

Here is what the handmade file /etc/firehol/RESERVED_IPS (current as of June 22, 2014) looks like:

# This file is the /etc/firehol/RESERVED_IPS
# If FireHOL complains about this file, update it manually from info at
# http://www.iana.org/assignments/ipv4...ress-space.txt
# It contains only RESERVED entries from the website.
# The ownership should be set to root:root
# The permissions should be set to 0644
# This file was last updated June 22, 2014
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
240.0.0.0/8
241.0.0.0/8
242.0.0.0/8
243.0.0.0/8
244.0.0.0/8
245.0.0.0/8
246.0.0.0/8
247.0.0.0/8
248.0.0.0/8
249.0.0.0/8
250.0.0.0/8
251.0.0.0/8
252.0.0.0/8
253.0.0.0/8
254.0.0.0/8
255.0.0.0/8

To create a configuration file using your current services:

# firehol helpme > /etc/firehol/firehol.conf

: firehol.sh,v 1.296 2013/01/06 23:49:08 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net

--------------------------------------------------------------------------------
FireHOL controls your firewall. You should want to get updates quickly.
Subscribe (at the home page) to get notified of new releases.
--------------------------------------------------------------------------------

FireHOL will now try to figure out its configuration file on this system.
Please have all the services and network interfaces on this system running.

Your running firewall will not be stopped or altered.

You can re-run the same command with output redirection to get the config
to a file. Example:

/usr/sbin/firehol helpme >/tmp/firehol.conf

Building list of known services.
Please wait...
Press RETURN to start. [continue] >

--- snip --- snip --- snip --- snip ---

Now edit the configuration file to check that everything is OK:

# vi /etc/firehol/firehol.conf

Here is the file /etc/firehol/firehol.conf from my box, which uses DHCP. The configuration file has two interfaces; whatever changes you make to Interface No. 1 should also be made to Interface No. 2. I had to delete "dst 192.168.1.86" from the line "interface eth0 if1 src "192.168.1.0/24" dst 192.168.1.86" since I am using DHCP. I had to comment out the "server custom if1_1 tcp/1714 any accept" rule since that is the port for KDE-Connect, which I am not using at present.

#!/usr/sbin/firehol
# : firehol.sh,v 1.296 2013/01/06 23:49:08 ktsaou Exp $
#
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
# YOU SHOULD NEVER USE THIS CONFIG AS-IS.
#
# Date: Sun Jun 22 16:11:45 PDT 2014 on host apple
#
# IMPORTANT:
# The TODOs bellow, are *YOUR* to-dos!
#

# INFO: Processing interface 'eth0'
# INFO: Processing IP 192.168.1.86 of interface 'eth0'
# INFO: Is 192.168.1.86 part of network 192.168.1.0/24? yes

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.1.86 (net: "192.168.1.0/24").
# TODO: Change "if1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# Remove 'dst 192.168.1.86' if this is dynamically assigned.
# interface eth0 if1 src "192.168.1.0/24" dst 192.168.1.86
interface eth0 if1 src "192.168.1.0/24"

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "192.168.1.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server ICMP accept

# The following eth0 services are not known by FireHOL:
# tcp/1714

# Custom service definitions for the above unknown services.
# server custom if1_1 tcp/1714 any accept

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

# INFO: Is 192.168.1.254 part of network 192.168.1.0/24? yes
# INFO: Default gateway 192.168.1.254 is part of network 192.168.1.0/24

After making the same changes to Interface No. 1 and Interface No. 2, save the file and exit.
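As an added example, not the author's file or FireHOL's own output: Interface No. 1 of the generated configuration above with its TODOs acted on, for a DHCP workstation on eth0 in 192.168.1.0/24. "protection strong" and the service names are FireHOL 1.x keywords; the particular set of client services is an assumption about what a workstation needs.

```firehol
#!/usr/sbin/firehol
# Constructed hardened version of Interface No. 1 from "firehol helpme".

# No "dst": the address is DHCP-assigned, as the generated comment advises.
interface eth0 if1 src "192.168.1.0/24"

# Anything not matched below is silently dropped.
policy drop

# The generated file leaves this as a commented suggestion; enabling it
# adds FireHOL's SYN-flood, bad-TCP-flag and fragment checks.
protection strong

# Only what is actually listening: helpme found ICMP and tcp/1714, and the
# tcp/1714 (KDE Connect) rule stays out because that service is unused.
server ICMP accept

# Narrowed from "client all accept", as the TODO recommends: the outbound
# services this workstation needs. Add others (ftp, ssh, ...) as required.
client "dns dhcp http https ntp" accept
```

After editing, `firehol try` (instead of `firehol start`) activates the new rules but reverts them automatically unless you confirm within a short timeout, which protects a remote session from a mistake.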

To start the firewall, type:

# firehol start

FireHOL: Saving your old firewall to a temporary file: [ OK ]
FireHOL: Processing file /etc/firehol/firehol.conf: [ OK ]
FireHOL: Activating new firewall (205 rules): [ OK ]

Now, open a Web Browser and see if you have Internet access. To confirm that the firewall is working, type the following command; it lists every rule of the currently running firewall.

# firehol status

Now you will get a huge list of IPTables rules.

Restart your box, check that the firewall loads on reboot, and you are done. If you turn on any services, re-run the "firehol helpme" command to create a new configuration file with openings in your firewall for those services.

UNCOMPLICATED FIREWALL (UFW)

Compile and install ufw-0.33 from SlackBuilds.org.

Edit the file /etc/rc.d/rc.local and add the following:

if [ -x /etc/init.d/ufw ]; then
  /etc/init.d/ufw start
fi

Save the file, exit and reboot.

Open a Terminal and type the following as root:

# ufw status

It should say "Active".

Optional: if you want to manage your UFW firewall using a graphical interface, compile and install kcm_ufw-0.4.3, which works with the KDE desktop. It is available from SlackBuilds.org and, as listed there, has the following features:

1. Enable/disable firewall
2. Configure firewall default settings
3. Add, edit, and remove rules
4. Re-order rules via drag'n'drop
5. Creation, and basic manipulation, of firewall profiles
6. Import/export of firewall profiles
7. Setting of some IP tables modules

After installing kcm_ufw, the firewall application is available in KDE Menu > Settings > System Settings > Network and Connectivity > Firewall.