Linux - Security forum, LinuxQuestions.org
03-29-2007, 02:01 PM, #1
skylimit (Member; Registered: Nov 2006; Location: England; Distribution: Slackware, Ubuntu feisty; Posts: 41)
iptables firewall design (script)
Hello ppl, having been a Linux user for about a year now, I have come to know that it provides a powerful firewall using iptables. I want to implement an effective iptables firewall for use on my Linux box. Basically, I want to be able to manipulate it from a web-based front end... I have gathered lots of firewall rules from the web but I don't know how to go about writing them up in scripts, the file paths to save them (e.g. rc.local etc.) and how to start the design. I plan on using bash for this. I wonder if anyone is able to provide me with info please. Thanks in advance.
Distro: CentOS 4.4
Last edited by skylimit; 03-29-2007 at 02:06 PM.
03-29-2007, 06:44 PM, #2
theNbomr (LQ 5k Club; Registered: Aug 2005; Distribution: OpenSuse, Fedora, Redhat, Debian; Posts: 5,399)
It sounds like you are intending to implement a firewall for your home network and use it as a router to the internet. For this application, I always recommend my favorite, HomeLanSecurity. This is a package specifically designed for the application I described, and has been upgraded and tested by many people for years. It is easy to understand, configure, and install and is easily modified to accommodate any additional needs that you might come up with.
Web based tools to manage a firewall? Sort of contradicts the whole security concept, doesn't it? Anyway, how often are you going to be modifying things? And you said you wanted to use bash, so use bash. Mo bettah.
--- rod.
03-29-2007, 08:02 PM, #3
Member; Registered: Jul 2003; Location: NY; Distribution: Slackware, Termux; Posts: 878
I made a Zsh script, /usr/sbin/firewall, that handles these things for me. Since it's a stand-alone script, it doesn't have to tie into the rc.* startup files.
The basic idea is a case/esac switch block that takes whatever command is entered on the command line and implements that. Enter no command and the "Usage" info is printed.
/usr/sbin/firewall <start|stop|list|ban|save|load|xml>
"stop" deletes any user-made tables and sets everything to accept, and flushes the rules.
"start" sets default rules, masquerading, calls "sysctl -w" to set ipforwarding, rpfilter, and a few others in the kernel. After that, it creates a table "inspect" and populates that with basic reject/drop rules and blacklists certain networks and TLDs.
"list" is just an "iptables -L INPUT -n -v --line-numbers" dump of the rules.
"ban" is a log and then drop of an IP address into the "inspect" table. Before "expire" from patch-o-matic-ng broke with new kernels it used to set an automatic removal time for the IP.
"save" calls iptables-save on the rules made so far and dumps them to /etc/iptables.site. This allows persistent banning data.
"load" loads up the above saved data later on.
"xml" is an iptables-xml dump. Can be used with iptables.xslt.
My advice is start real simple, maybe a default accept, and add a few rules here and there. Remember, you can see module-specific help like so: 'iptables -A INPUT -m some_module -h' will list help for "some_module". There's a lot of good reading on http://www.netfilter.org/.
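As an added example (not the Zsh script from post #3, which the poster did not publish), here is a small POSIX sh version of the case/esac dispatcher the post describes. The chain name "inspect" and the save file /etc/iptables.site are taken from the post; the eth0 interface, the ssh rule, the 192.0.2.0/24 placeholder blacklist, the DRY_RUN switch and the valid_ipv4 check are assumptions made for this example. Setting DRY_RUN=1 prints the iptables commands instead of running them, so the script can be exercised without root and without touching a live firewall.

```shell
#!/bin/sh
# firewall: case/esac dispatcher in the style described in post #3 (added example).
# "inspect" and /etc/iptables.site follow the post; WAN, BLACKLIST, the ssh rule,
# DRY_RUN, run and valid_ipv4 are this example's own assumptions.
set -u

IPTABLES=${IPTABLES:-iptables}
SAVE_FILE=${SAVE_FILE:-/etc/iptables.site}
WAN=${WAN:-eth0}                          # assumed: the interface facing the internet
CHAIN=inspect                             # user chain holding bans and blacklists
BLACKLIST=${BLACKLIST:-192.0.2.0/24}      # constructed placeholder (TEST-NET-1)
DRY_RUN=${DRY_RUN:-}                      # non-empty: print commands, do not run them

run() {
    # Print the command in dry-run mode, otherwise execute it exactly as given.
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

valid_ipv4() {
    # Accept only a dotted quad with four octets in 0-255. Anything else,
    # including an address with extra iptables options appended, is rejected.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ip=$1; _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

fw_stop() {
    # Open every policy, flush all rules and delete user-made chains.
    run "$IPTABLES" -P INPUT ACCEPT
    run "$IPTABLES" -P FORWARD ACCEPT
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -X
}

fw_start() {
    # Kernel settings, then default-deny INPUT/FORWARD: the "inspect" chain is
    # consulted first, then loopback, established return traffic and ssh pass.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -N "$CHAIN"
    for _net in $BLACKLIST; do
        run "$IPTABLES" -A "$CHAIN" -i "$WAN" -s "$_net" -j DROP
    done
    run "$IPTABLES" -A INPUT -j "$CHAIN"
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT   # assumed: keep ssh reachable
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

fw_list() { run "$IPTABLES" -L INPUT -n -v --line-numbers; }

fw_ban() {
    # Log, then drop, everything from one source address. The address is
    # validated first so a caller such as a web front end cannot append options.
    valid_ipv4 "$1" || { echo "ban: '$1' is not an IPv4 address" >&2; return 1; }
    run "$IPTABLES" -I "$CHAIN" -s "$1" -j LOG --log-prefix BAN
    run "$IPTABLES" -I "$CHAIN" 2 -s "$1" -j DROP
}

fw_save() {
    # Persist the live ruleset (bans included) so fw_load can restore it later.
    if [ -n "$DRY_RUN" ]; then echo "${IPTABLES}-save > $SAVE_FILE"
    else "${IPTABLES}-save" > "$SAVE_FILE"; fi
}

fw_load() {
    if [ -n "$DRY_RUN" ]; then echo "${IPTABLES}-restore < $SAVE_FILE"
    else "${IPTABLES}-restore" < "$SAVE_FILE"; fi
}

usage() { echo "Usage: ${0##*/} <start|stop|list|ban <ip>|save|load>" >&2; }

main() {
    case "${1-}" in
        start) fw_start ;;
        stop)  fw_stop ;;
        list)  fw_list ;;
        ban)   fw_ban "${2-}" ;;
        save)  fw_save ;;
        load)  fw_load ;;
        *)     usage; return 2 ;;
    esac
}

# No argument prints the usage text; otherwise dispatch on the first word.
if [ $# -gt 0 ]; then main "$@"; else usage; fi
```

Run it as root with `firewall start`, `firewall ban 203.0.113.7` and so on; `DRY_RUN=1 firewall start` shows what would be executed. The "ban" action refuses anything that is not a plain dotted quad, which matters as soon as something other than a human at a terminal is allowed to call it.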
04-01-2007, 07:12 PM, #4
skylimit (Original Poster; Member; Registered: Nov 2006; Location: England; Distribution: Slackware, Ubuntu feisty; Posts: 41)
Hi guys, thanks for all the posts and the link. Having written up the rules for my firewall using bash scripting, I am faced with the problem of how to merge these scripts with a web interface (created with PHP), if you get what I mean. In other words, I don't know how to get a section of the script to be executed when a particular event occurs. E.g. I have a button on the web GUI which says "Block ICMP pings". Now my question is: how do I get the section of my firewall rules script dealing with the blocking of ICMP pings to be executed when that button is clicked by a user? Hope I am making myself clear here. I've had a look at the Guarddog firewall http://dot.kde.org/1020374104/ but cannot really figure this out. Any posts highly appreciated. Thanks.
Edit: Basically I want to be able to manage my firewall using a web interface (like e.g. Guarddog, Firestarter etc.) rather than manually typing in commands in a terminal.
Thanks in advance for any posts.
04-02-2007, 11:57 AM, #5
theNbomr (LQ 5k Club; Registered: Aug 2005; Distribution: OpenSuse, Fedora, Redhat, Debian; Posts: 5,399)
You need to write a CGI or PHP script that executes the iptables commands. Since iptables requires you to be root to execute it, you will have to use something like
Code:
system( "sudo iptables blah blah blah" )
if you are using PHP or perl.
Your code will have to figure out what the appropriate 'blah blah blah' is. If you still think this is a good idea, there will be lots of people who will be anxious to test your server.
--- rod.
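Posts #4 and #5 describe the web-to-script step: a button in the PHP page has to trigger one block of firewall rules, and the only way to run iptables as root from the web server is through sudo. The CGI handler below is an added example of how to do that without letting the web layer build an iptables command line; it is not code from the thread. It assumes a root-only script /usr/sbin/firewall that accepts the actions block-icmp and allow-icmp (neither appears in the thread) and a sudoers entry that limits the web server user to exactly those two invocations.

```shell
#!/bin/sh
# fwcgi: CGI handler that turns one web-form button into one fixed firewall
# action (added example). Assumed: /usr/sbin/firewall exists, runs only as
# root and understands the actions block-icmp and allow-icmp.
set -u

FIREWALL=${FIREWALL:-/usr/sbin/firewall}

action_from_query() {
    # Translate the form's "action" parameter into a fixed action name.
    # Only the exact values listed here are accepted; the user's input is
    # never spliced into an iptables command line.
    _q=$1
    case $_q in
        action=*|*'&action='*) ;;
        *) return 1 ;;
    esac
    _v=${_q#*action=}            # drop everything up to the parameter name
    _v=${_v%%&*}                 # and any parameters that follow it
    case $_v in
        block_icmp) echo block-icmp ;;
        allow_icmp) echo allow-icmp ;;
        *) return 1 ;;
    esac
}

handle_request() {
    # Reject unknown actions with a 400 before sudo is involved at all.
    _action=$(action_from_query "${QUERY_STRING-}") || {
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nunknown action\n'
        return 1
    }
    # sudo -n never prompts for a password. The assumed /etc/sudoers.d entry
    # allows the web server user exactly these two command lines and nothing else:
    #   www-data ALL=(root) NOPASSWD: /usr/sbin/firewall block-icmp, /usr/sbin/firewall allow-icmp
    if sudo -n "$FIREWALL" "$_action" >/dev/null 2>&1; then
        printf 'Content-Type: text/plain\r\n\r\n%s applied\n' "$_action"
    else
        printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n%s failed\n' "$_action"
        return 1
    fi
}

# Web servers set GATEWAY_INTERFACE for CGI programs; outside that context
# (for example when the file is sourced to test its functions) do nothing.
if [ -n "${GATEWAY_INTERFACE-}" ]; then handle_request; fi
```

The same pattern works from PHP: run exec('sudo -n /usr/sbin/firewall block-icmp') with a literal argument chosen by a switch on the form value, never with a string assembled from the request. Because the sudoers entry lists the arguments as well as the program, even a bug in the web code cannot be turned into a run of iptables with different options through sudo; the only remaining trust boundary is the firewall script itself, which is why its own argument checking still matters.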
04-11-2007, 11:14 PM, #6
skylimit (Original Poster; Member; Registered: Nov 2006; Location: England; Distribution: Slackware, Ubuntu feisty; Posts: 41)
Quote:
Originally Posted by theNbomr
It sounds like you are intending to implement a firewall for your home network and use it as a router to the internet. For this application, I always recommend my favorite, HomeLanSecurity. This is a package specifically designed for the application I described, and has been upgraded and tested by many people for years. It is easy to understand, configure, and install and is easily modified to accommodate any additional needs that you might come up with.
Web based tools to manage a firewall? Sort of contradicts the whole security concept, doesn't it? Anyway, how often are you going to be modifying things? And you said you wanted to use bash, so use bash. Mo bettah.
--- rod.
Hi, many thanks for this post. I was wondering if it's possible to use this program on a system with one network interface. For example, my system has just one interface in use (eth0)... this causes the program not to load up during startup. I am guessing the script can be modified for this purpose (one WAN interface) but I'm not quite sure how to go about this. Any posts appreciated. Thanks in advance.
04-12-2007, 01:23 PM, #7
theNbomr (LQ 5k Club; Registered: Aug 2005; Distribution: OpenSuse, Fedora, Redhat, Debian; Posts: 5,399)
HomeLanSecurity requires two ethernets. To use fewer than two ethernets really implies some other, far less secure scenario. If your intended use really is to bridge a home or small office LAN to the internet, why not add a second ethernet? The hardware investment is less than $20.
--- rod.
04-12-2007, 05:10 PM, #8
vic (LQ Newbie; Registered: Apr 2007; Posts: 4)
iptables guides...
iptables is quite a beast to tame. You can find plenty of online guides for it. The issue is, if you start to write a script you should really understand what you are doing.
I wrote a 4-part guide to iptables and some serious hacking, IF you are interested.
The index of all 4 parts of IPTables explained can be found here.
They are some of my most popular tutorials and people seem to like them; feedback is of course appreciated.
And sorry for the linking, but I feel that anyone interested in iptables should start well and not get it done more or less...
My 2 cents.
Time for bed now, damn...
//vic