Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have been using the search on this board and google with some answers. I have installed Guarddog on my slackware 9.1 system. It works really good after I enable it after boot with the GUI. Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need place this script in the right place so it will exucute at boot time automatically. Is that what I need to do? if so where do I place the script? I have placed a part of the script that it generated for me (maybe it will help). I am not even sure if this is the right kind of script for what I need to do.
-----------------------------------------------------------------------------------------------
# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kern
el/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (
Is ipchains or iptables installed?)"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "ERROR Can't determine the firewall comman
d! (Is ipchains or iptables installed?)"
false
fi;
if [ $FILTERSYS -eq 1 ]; then
###############################
###### ipchains ###############
###############################
logger -p auth.info -t guarddog Configuring ipchains firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using ipchains."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY
# Delete any existing chains
ipchains -F
ipchains -X
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the up TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_fitler turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:
([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and metching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",
$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Allow loopback traffic.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# Accept broadcasts from ourself.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\
",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
ipchains -A input -i $NIC -s $IP -d $BCAST -j ACCEPT
done
# Allow certain critical ICMP types
ipchains -A input -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A output -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A forward -p icmp --sport 3 -j ACCEPT &> /dev/null # Dest unreachable
ipchains -A input -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A output -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A forward -p icmp --sport 11 -j ACCEPT &> /dev/null # Time exceeded
ipchains -A input -p icmp --sport 12 -j ACCEPT # Parameter Proble
m
ipchains -A output -p icmp --sport 12 -j ACCEPT # Parameter Proble
m
ipchains -A forward -p icmp --sport 12 -j ACCEPT &> /dev/null # Parameter Proble
m
# Work out our local IPs.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
ipchains -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
ipchains -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
ipchains -A nicfilt -l -j DENY
# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
ipchains -N f0to1
# Create chain to filter traffic going from 'Local' to 'Internet'
ipchains -N f1to0
# Add rules to the filter chains
# Place DENY and log rules at the end of our filter chains.
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f0to1 -l -j DENY
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f1to0 -l -j DENY
# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have ipchains be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
ipchains -A output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# Chain to split traffic coming from zone 'Internet' by dest zone
ipchains -N s0
for X in $IPS ; do
ipchains -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
ipchains -A s0 -l -j DENY
# Chain to split traffic coming from zone 'Local' by dest zone
ipchains -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
ipchains -A s1 -j f1to0
# Create the srcfilt chain
ipchains -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
# Assume internet default rule
ipchains -A srcfilt -j s0
# The output chain is quite simple. We diverge and filter any traffic from
# the local machine and accept the rest. The rest should have come via the
# forward chain, and hence is already filtered.
ipchains -A output -j nicfilt
for X in $IPS ; do
ipchains -A output -s $X -j s1
done
ipchains -A output -j ACCEPT
ipchains -A input -j nicfilt
# Direct local bound traffic on the input chain to the srcfilt chain
for X in $IPS ; do
ipchains -A input -d $X -j srcfilt
done
ipchains -A input -j ACCEPT
# All traffic on the forward chains goes to the srcfilt chain.
ipchains -A forward -j nicfilt &> /dev/null
ipchains -A forward -j srcfilt &> /dev/null
It seems like there should be an option to have it autostart at boot in the program configuration. What's the path to the program? Assuming you type "guarddog" at a console to start it you can find out the path with:
# which guarddog
It's probably /usr/bin/guarddog.
The easiest way if your using kde is to make a link to guarddog in your /home/<user name>/.kde/Autostart directory like so
You wrote: "Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need place this script in the right place so it will exucute at boot time automatically."
As root, do:
chmod +x /etc/rc.firewall
cp /etc/rc.firewall /etc/rc.d/rc.firewall
Well, the original poster wrote that guarddog creates a script at /etc/rc.firewall. In Slackware, that is the wrong location; it should be /etc/rc.d/rc.firewall if you want it to execute on boot. Slackware's default installation actually creates a /etc/rc.d/rc.firewall file, but it is empty by default. The original poster should try moving the guarddog-created rc.firewall script into /etc/rc.d and chmod +x it.
On my Slackware box, I've simply edited /etc/rc.d/rc.firewall and typed in a basic iptables script.
So guarddogs rules are not just started automatically? I thought they were. Im using mandrake 9.2, maybe i need to configure it to start automatically then.
at least they were not when I installed them on slackware. I tested that by going to shields up, a web sight that tests your ports. After every reboot I had to run the program, guarddog, they press apply rules. Then i think it loaded all of the modules and iptables rules.
I was messing around to see, and it seems to me that the firewall rules are being started automatically. I denied access to http and rebooted. When i get back on, http is not accessible until i allow it back in my firewall. Maybe someone could explain this a bit more. I read the little manual for guarddog, not all of it but a good bit of it to at least understand what i was doing, and i dont know if it starts automatically or not.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
