LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-29-2007, 02:01 PM   #1
skylimit
Member
 
Registered: Nov 2006
Location: England
Distribution: Slackware, Ubuntu feisty
Posts: 41

Rep: Reputation: 15
iptables firewall design (script)


Hello people, having been a Linux user for about a year now, I have come to know that it provides a powerful firewall using iptables. I want to implement an effective iptables firewall for use on my Linux box. Basically, I want to be able to manipulate it from a web-based front end. I have gathered lots of firewall rules from the web, but I don't know how to go about writing them up in scripts, the file paths to save them to (e.g. rc.local etc.) and how to start the design. I plan on using bash for this. I wonder if anyone is able to provide me with info, please. Thanks in advance.

Distro: CentOS 4.4

Last edited by skylimit; 03-29-2007 at 02:06 PM.
 
Old 03-29-2007, 06:44 PM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
It sounds like you are intending to implement a firewall for your home network and use it as a router to the internet. For this application, I always recommend my favorite HomeLanSecurity. This is a package specifically designed for the application I described, and has been upgraded and tested by many people for years. It is easy to understand, configure, and install and is easily modified to accommodate any additional needs that you might come up with.
Web based tools to manage a firewall? Sort of contradicts the whole security concept, doesn't it? Anyway, how often are you going to be modifying things? And you said you wanted to use bash, so use bash. Mo bettah.

--- rod.
 
Old 03-29-2007, 08:02 PM   #3
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 878

Rep: Reputation: 309
I made a Zsh script, /usr/sbin/firewall, that handles these things for me. Since it's a stand-alone script, it doesn't have to tie into the rc.* startup files.
The basic idea is a case/esac switch block that takes whatever command is entered on the command line and implements that. Enter no command and the "Usage" info is printed.

/usr/sbin/firewall <start|stop|list|ban|save|load|xml>

"stop" deletes any user-made tables and sets everything to accept, and flushes the rules.

"start" sets default rules and masquerading, and calls "sysctl -w" to set IP forwarding, rp_filter and a few other things in the kernel. After that, it creates a table "inspect" and populates it with basic reject/drop rules and blacklists certain networks and TLDs.

"list" is just an "iptables -L INPUT -n -v --line-numbers" dump of the rules.

"ban" is a log and then drop of an IP address into the "inspect" table. Before "expire" from patch-o-matic-ng broke with new kernels, it used to set an automatic removal time for the IP.

"save" calls iptables-save on the rules made so far and dumps them to /etc/iptables.site. This allows persistent banning data.

"load" loads up the above saved data later on.

"xml" is an iptables-xml dump. It can be used with iptables.xslt.

My advice is to start real simple, maybe a default accept, and add a few rules here and there. Remember, you can see module-specific help like so: 'iptables -A INPUT -m some_module -h' will list help for "some_module". There's a lot of good reading on http://www.netfilter.org/.
 
Old 04-01-2007, 07:12 PM   #4
skylimit
Member
 
Registered: Nov 2006
Location: England
Distribution: Slackware, Ubuntu feisty
Posts: 41

Original Poster
Rep: Reputation: 15
Hi guys, thanks for all the posts and links. Having written up the rules for my firewall using bash scripting, I am faced with the problem of how to merge these scripts with a web interface (created with PHP), if you get what I mean. In other words, I don't know how to get a section of the script to be executed when a particular event occurs. E.g. I have a button on the web GUI which says "Block ICMP pings". Now my question is: how do I get the section of my firewall rules script dealing with the blocking of ICMP pings to be executed when that button is clicked by a user? Hope I am making myself clear here. I've had a look at the Guarddog firewall http://dot.kde.org/1020374104/ but cannot really figure this out. Any posts highly appreciated. Thanks.

Edit: Basically I want to be able to manage my firewall using a web interface (e.g. Guarddog, Firestarter, etc.) rather than manually typing commands in a terminal.


Thanks in advance for any posts.
 
Old 04-02-2007, 11:57 AM   #5
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
You need to write a CGI or PHP script that executes the iptables commands. Since iptables requires you to be root to execute it, you will have to use something like
Code:
'system( "sudo iptables blah blah blah" )'
if you are using PHP or perl.
Your code will have to figure out what the appropriate 'blah blah blah' is. If you still think this is a good idea, there will be lots of people who will be anxious to test your server.

--- rod.
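An added example, written for this thread and not jayjwa's /usr/sbin/firewall or theNbomr's PHP snippet, that shows both the case/esac dispatcher described in post #3 and a safer shape for the sudo call in post #5: a fixed-verb wrapper in which a web front end (or a sudoers rule) can only ever reach the verbs listed in usage(), and the one free-form argument, the address to ban, is validated before it is handed to iptables. The chain name "inspect" and the save file /etc/iptables.site come from post #3; the LAN range 192.168.1.0/24, the variables IPT, FW_DRY_RUN, WAN_IF and SAVEFILE, and the rule set itself are assumptions made for this example.

```shell
#!/bin/sh
# fw: a fixed-verb iptables wrapper (constructed example; not jayjwa's /usr/sbin/firewall).
# Only the verbs in usage() are reachable and every argument is validated before it reaches
# iptables, so a web front end or a sudoers entry can be limited to this one script.
IPT="${IPT:-iptables}"                       # binary to drive; overridable for testing
SAVEFILE="${SAVEFILE:-/etc/iptables.site}"   # persistence file named in the thread
LAN="${LAN:-192.168.1.0/24}"                 # constructed sample LAN
WAN_IF="${WAN_IF:-eth0}"                     # the OP's single interface

# run CMD...: execute CMD, or only print it when FW_DRY_RUN is set (review before going live)
run() {
    if [ -n "${FW_DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

usage() { echo "Usage: $0 <start|stop|list|ban ADDR|save|load>" >&2; }

# is_ipv4 ADDR: true only for a plain dotted quad with octets 0..255; a CIDR suffix,
# extra iptables options or shell metacharacters are all rejected outright.
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# start: default-deny inbound, LAN out through WAN_IF with masquerading, and a user chain
# "inspect" hung off INPUT where ban rules are inserted (the layout described in the thread).
fw_start() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -X
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -N inspect
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -j inspect
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -s "$LAN" -j ACCEPT
    run "$IPT" -A FORWARD -s "$LAN" -o "$WAN_IF" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$WAN_IF" -j MASQUERADE
}

# stop: open everything and clear the tables (flush before deleting user chains).
fw_stop() {
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -P FORWARD ACCEPT
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -X
}

# ban ADDR: log, then drop, one validated address at the top of "inspect".
fw_ban() {
    is_ipv4 "$1" || { echo "ban: refusing '$1': not a plain IPv4 address" >&2; return 2; }
    run "$IPT" -I inspect 1 -s "$1" -j LOG --log-prefix "fw-ban: "
    run "$IPT" -I inspect 2 -s "$1" -j DROP
}

fw_save() {
    if [ -n "${FW_DRY_RUN:-}" ]; then printf '%s\n' "${IPT}-save > $SAVEFILE"
    else "${IPT}-save" > "$SAVEFILE"; fi
}

fw_load() {
    if [ -n "${FW_DRY_RUN:-}" ]; then printf '%s\n' "${IPT}-restore < $SAVEFILE"
    else "${IPT}-restore" < "$SAVEFILE"; fi
}

# The case/esac dispatcher: the verb is matched literally, never interpolated into a command.
main() {
    case "${1:-}" in
        start) fw_start ;;
        stop)  fw_stop ;;
        list)  run "$IPT" -L INPUT -n -v --line-numbers ;;
        ban)   fw_ban "${2:-}" ;;
        save)  fw_save ;;
        load)  fw_load ;;
        *)     usage; return 1 ;;
    esac
}

# Dispatch only when invoked with a verb; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

With FW_DRY_RUN=1 the script prints every command instead of executing it, which is how to review the rule set before running it as root. If a PHP page has to call it, the sudoers entry should name only this script (for instance `www-data ALL=(root) NOPASSWD: /usr/local/sbin/fw`, with an assumed install path), never iptables itself, and the PHP side should pass nothing but a verb and an address it has already checked; the script validates again because the wrapper is the last line of defence between the web form and the kernel.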
 
Old 04-11-2007, 11:14 PM   #6
skylimit
Member
 
Registered: Nov 2006
Location: England
Distribution: Slackware, Ubuntu feisty
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by theNbomr
It sounds like you are intending to implement a firewall for your home network and use it as a router to the internet. For this application, I always recommend my favorite HomeLanSecurity. This is a package specifically designed for the application I described, and has been upgraded and tested by many people for years. It is easy to understand, configure, and install and is easily modified to accommodate any additional needs that you might come up with.
Web based tools to manage a firewall? Sort of contradicts the whole security concept, doesn't it? Anyway, how often are you going to be modifying things? And you said you wanted to use bash, so use bash. Mo bettah.

--- rod.

Hi, many thanks for this post. I was wondering if it's possible to use this program on a system with one network interface. For example, my system has just one interface in use (eth0); this causes the program not to load up during startup. I am guessing the script can be modified for this purpose (one WAN interface) but I'm not quite sure how to go about this. Any posts appreciated. Thanks in advance.
 
Old 04-12-2007, 01:23 PM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
HomeLanSecurity requires two ethernets. To use less than two ethernets really implies some other far less secure scenario. If your intended use really is to bridge a home or small office LAN to the internet, why not add a second ethernet? The hardware investment is less than $20.

--- rod.
 
Old 04-12-2007, 05:10 PM   #8
vicious1
LQ Newbie
 
Registered: Apr 2007
Posts: 4

Rep: Reputation: 0
iptables guides...

Iptables is quite a beast to tame. You can find plenty of online guides for it. The issue is, if you start to write a script you should really understand what you are doing.

I wrote a 4-part guide to iptables and some serious hacking, if you are interested.

The index of all 4 parts of IPTables Explained can be found here.
They are some of my most popular tutorials and people seem to like them; feedback is of course appreciated.

And sorry for the linking, but I feel that anyone interested in iptables should start well and not get it done more or less...

my 2 cents



time for bed now damn...

//vic
 
  

