LinuxQuestions.org


shanenin 10-23-2003 09:33 PM

how to start firewall automatically
 
I have been using the search on this board and Google with some answers. I have installed Guarddog on my Slackware 9.1 system. It works really well after I enable it after boot with the GUI. Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need to place this script in the right place so it will execute at boot time automatically. Is that what I need to do? If so, where do I place the script? I have placed a part of the script that it generated for me (maybe it will help). I am not even sure if this is the right kind of script for what I need to do.


-----------------------------------------------------------------------------------------------
# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
false
fi;
if [ $FILTERSYS -eq 1 ]; then
###############################
###### ipchains ###############
###############################
logger -p auth.info -t guarddog Configuring ipchains firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using ipchains."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY

# Delete any existing chains
ipchains -F
ipchains -X

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Ignore ICMP echo requests sent to broadcast addresses (smurf protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set up the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Do not accept source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Allow loopback traffic.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Accept broadcasts from ourself.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
ipchains -A input -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Allow certain critical ICMP types
ipchains -A input -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A output -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A forward -p icmp --sport 3 -j ACCEPT &> /dev/null # Dest unreachable
ipchains -A input -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A output -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A forward -p icmp --sport 11 -j ACCEPT &> /dev/null # Time exceeded
ipchains -A input -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A output -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A forward -p icmp --sport 12 -j ACCEPT &> /dev/null # Parameter Problem
# Work out our local IPs.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
ipchains -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
ipchains -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
ipchains -A nicfilt -l -j DENY

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
ipchains -N f0to1
# Create chain to filter traffic going from 'Local' to 'Internet'
ipchains -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Local'

# Rejected traffic from 'Internet' to 'Local'

# Traffic from 'Local' to 'Internet'
# Allow 'ftp'
# Control connection
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 21:21 --dport 1024:5999 -j ACCEPT
# Data connection
ipchains -A f0to1 -p tcp --sport 20:20 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 20:20 -j ACCEPT
# Data connection passive mode
ipchains -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
# Allow 'pop3'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 110:110 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 110:110 --dport 1024:5999 -j ACCEPT
# Allow 'msnmessenger'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 1863:1863 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1863:1863 --dport 1024:5999 -j ACCEPT
# Allow 'http'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 80:80 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8080:8080 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8008:8008 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8000:8000 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8888:8888 --dport 1024:5999 -j ACCEPT
# Allow 'domain'
ipchains -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
# Allow 'aim'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 5190:5193 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 5190:5193 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 5190:5193 -j ACCEPT
# Allow 'smtp'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 25:25 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 25:25 --dport 1024:5999 -j ACCEPT
# Allow 'https'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 443:443 --dport 1024:5999 -j ACCEPT

# Rejected traffic from 'Local' to 'Internet'

# Place DENY and log rules at the end of our filter chains.
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f0to1 -l -j DENY
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f1to0 -l -j DENY

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have ipchains be
# able to look it up without being blocked by our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
ipchains -A output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
ipchains -N s0
for X in $IPS ; do
ipchains -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
ipchains -A s0 -l -j DENY

# Chain to split traffic coming from zone 'Local' by dest zone
ipchains -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
ipchains -A s1 -j f1to0
# Create the srcfilt chain
ipchains -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
ipchains -A srcfilt -j s0

# Remove the temp DNS accept rules
if [ $MIN_MODE -eq 0 ] ; then
ipchains -D output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -D output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is quite simple. We diverge and filter any traffic from
# the local machine and accept the rest. The rest should have come via the
# forward chain, and hence is already filtered.
ipchains -A output -j nicfilt
for X in $IPS ; do
ipchains -A output -s $X -j s1
done
ipchains -A output -j ACCEPT

ipchains -A input -j nicfilt
# Direct local bound traffic on the input chain to the srcfilt chain
for X in $IPS ; do
ipchains -A input -d $X -j srcfilt
done
ipchains -A input -j ACCEPT

# All traffic on the forward chains goes to the srcfilt chain.
ipchains -A forward -j nicfilt &> /dev/null
ipchains -A forward -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
fi;
if [ $FILTERSYS -eq 2 ]; then
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete any existing chains
iptables -F
iptables -X

# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
modprobe ip_conntrack_ftp

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."

kilgoretrout 10-24-2003 02:47 AM

It seems like there should be an option to have it autostart at boot in the program configuration. What's the path to the program? Assuming you type "guarddog" at a console to start it you can find out the path with:

# which guarddog

It's probably /usr/bin/guarddog.

The easiest way, if you're using KDE, is to make a link to guarddog in your /home/<user name>/.kde/Autostart directory like so:

# ln -s /usr/bin/guarddog /home/<user name>/.kde/Autostart/guarddog

There are many other ways to do it by editing your init scripts, but the above is the easiest if you use KDE.

spurious 10-24-2003 02:48 AM

You wrote: "Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need to place this script in the right place so it will execute at boot time automatically."

As root, do:
chmod +x /etc/rc.firewall
cp /etc/rc.firewall /etc/rc.d/rc.firewall

joseph 10-24-2003 03:55 AM

As root, do:
chkconfig --level 2345 ipchains on
It will start your Guarddog at boot up.

spurious 10-25-2003 06:28 PM

Slackware does not use chkconfig; that command is specific to Red Hat and Red Hat-derived distros.

mechanicalg0d 10-25-2003 07:19 PM

I thought guarddog just worked with the iptables, saved its settings, and they are forever in effect.

spurious 10-25-2003 07:48 PM

Well, the original poster wrote that guarddog creates a script at /etc/rc.firewall. In Slackware, that is the wrong location; it should be /etc/rc.d/rc.firewall if you want it to execute on boot. Slackware's default installation actually creates a /etc/rc.d/rc.firewall file, but it is empty by default. The original poster should try moving the guarddog-created rc.firewall script into /etc/rc.d and chmod +x it.

On my Slackware box, I've simply edited /etc/rc.d/rc.firewall and typed in a basic iptables script.
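Two checks for the placement spurious describes, written here as an added example rather than anything from the thread or from Guarddog. It assumes Slackware's rc.inet2 runs /etc/rc.d/rc.firewall at boot only when that file is executable, and its optional root-prefix argument is an assumption so the check can be pointed at a staging copy of /etc:

```shell
#!/bin/sh
# Added example (not from the thread or Guarddog): two checks for the
# Slackware setup spurious describes. Assumption: Slackware's rc.inet2 runs
# /etc/rc.d/rc.firewall at boot only when that file is executable.

# Check 1: is rc.firewall in the place the boot scripts look for it?
# $1 is an optional root prefix so the check can be run against a staging
# tree instead of the live system.
check_rc_firewall() {
    root="${1:-}"
    script="$root/etc/rc.d/rc.firewall"
    inet2="$root/etc/rc.d/rc.inet2"
    [ -f "$script" ] || { echo "missing: $script (cp /etc/rc.firewall there)"; return 1; }
    [ -x "$script" ] || { echo "not executable: $script (chmod +x it)"; return 2; }
    head -n 1 "$script" | grep -q '^#!' || { echo "no #! line in $script"; return 3; }
    grep -q 'rc\.firewall' "$inet2" 2>/dev/null \
        || { echo "rc.inet2 does not reference rc.firewall"; return 4; }
    echo "ok: $script will be run from rc.inet2 at boot"
    return 0
}

# Check 2: after a reboot, is the rule set really live? Feed it the output
# of `iptables -L -n`; succeeds only when all three built-in chains carry
# the DROP policy that the Guarddog script sets with `iptables -P`.
policies_are_drop() {
    awk '/^Chain (INPUT|OUTPUT|FORWARD) / {
             seen++
             if ($0 !~ /policy DROP/) bad++
         }
         END { if (seen == 3 && bad == 0) exit 0; exit 1 }'
}

# Usage on a live box (root is needed for the real files and for iptables):
#   check_rc_firewall
#   iptables -L -n | policies_are_drop && echo "firewall active"
```

Running the second check from a cron job or a login script after each reboot answers the question raised later in the thread of whether the rules are actually in effect without the GUI.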

shanenin 10-25-2003 11:10 PM

spurious, that is what I did. It is working well now. Thanks.

mechanicalg0d 10-26-2003 03:29 AM

So Guarddog's rules are not just started automatically? I thought they were. I'm using Mandrake 9.2; maybe I need to configure it to start automatically then.

shanenin 10-26-2003 11:43 AM

At least they were not when I installed them on Slackware. I tested that by going to Shields Up, a web site that tests your ports. After every reboot I had to run the program, Guarddog, then press Apply Rules. Then I think it loaded all of the modules and iptables rules.

mechanicalg0d 10-26-2003 03:04 PM

I was messing around to see, and it seems to me that the firewall rules are being started automatically. I denied access to http and rebooted. When I get back on, http is not accessible until I allow it back in my firewall. Maybe someone could explain this a bit more. I read the little manual for Guarddog, not all of it but a good bit of it to at least understand what I was doing, and I don't know if it starts automatically or not.

