how to start firewall automatically
I have been using the search on this board and Google with some answers. I have installed Guarddog on my Slackware 9.1 system. It works really well after I enable it after boot with the GUI. Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need to place this script in the right place so it will execute at boot time automatically. Is that what I need to do? If so, where do I place the script? I have placed a part of the script that it generated for me (maybe it will help). I am not even sure if this is the right kind of script for what I need to do.
-----------------------------------------------------------------------------------------------
# Real code starts here
# If you change the line below then also change the
# DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
    GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
    # Set the path
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
    # Detect which filter command we should use.
    FILTERSYS=0
    # 0 = unknown, 1 = ipchains, 2 = iptables
    # Check for ipchains.
    if [ -e /sbin/ipchains ]; then
        FILTERSYS=1
    fi;
    if [ -e /usr/sbin/ipchains ]; then
        FILTERSYS=1
    fi;
    if [ -e /usr/local/sbin/ipchains ]; then
        FILTERSYS=1
    fi;
    # Check for iptables support.
    if [ -e /proc/sys/kernel/osrelease ]; then
        KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
        if [ $KERNEL_VERSION == "2.6" ]; then
            KERNEL_VERSION="2.4"
        fi;
        if [ $KERNEL_VERSION == "2.5" ]; then
            KERNEL_VERSION="2.4"
        fi;
        if [ $KERNEL_VERSION == "2.4" ]; then
            if [ -e /sbin/iptables ]; then
                FILTERSYS=2
            fi;
            if [ -e /usr/sbin/iptables ]; then
                FILTERSYS=2
            fi;
            if [ -e /usr/local/sbin/iptables ]; then
                FILTERSYS=2
            fi;
        fi;
    fi;
    if [ $FILTERSYS -eq 0 ]; then
        logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
        false
    fi;
    if [ $FILTERSYS -eq 1 ]; then
        ###############################
        ###### ipchains ###############
        ###############################
        logger -p auth.info -t guarddog Configuring ipchains firewall now.
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using ipchains."
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
        # Shut down all traffic
        ipchains -P forward DENY
        ipchains -P input DENY
        ipchains -P output DENY
        # Delete any existing chains
        ipchains -F
        ipchains -X
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
        # Turn on kernel IP spoof protection
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
        # Set the up TCP timestamps config
        echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
        # Enable TCP SYN Cookie Protection
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
        # Log truly weird packets.
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
        # Switch the current language for a moment
        GUARDDOG_BACKUP_LANG=$LANG
        GUARDDOG_BACKUP_LC_ALL=$LC_ALL
        LANG=US
        LC_ALL=US
        export LANG
        export LC_ALL
        # Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
        # Find the IPs of any ipsecX NICs
        IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
            /inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
            grabip = 0}'`"
        # Build a list of NIC names and matching IPs
        IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
            /inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
            ip=substr($0,RSTART+10,RLENGTH-10)
            printf \"%s_%s\\n\",nic,ip }'`"
        # Restore the language setting
        LANG=$GUARDDOG_BACKUP_LANG
        LC_ALL=$GUARDDOG_BACKUP_LC_ALL
        export LANG
        export LC_ALL
        # Activate rp_filter for each NIC, except for NICs that are using
        # an IP that is involved with IPSEC.
        for X in $IP_NIC_PAIRS ; do
            NIC="`echo \"$X\" | cut -f 1 -d _`"
            IP="`echo \"$X\" | cut -f 2 -d _`"
            RPF="1"
            for SEC_IP in $IPSEC_IPS ; do
                if [[ $SEC_IP == $IP ]]; then
                    RPF="0"
                fi
            done
            echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
        done
        echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
        # Allow loopback traffic.
        ipchains -A input -i lo -j ACCEPT
        ipchains -A output -i lo -j ACCEPT
        # Accept broadcasts from ourself.
        # Switch the current language for a moment
        GUARDDOG_BACKUP_LANG=$LANG
        GUARDDOG_BACKUP_LC_ALL=$LC_ALL
        LANG=US
        LC_ALL=US
        export LANG
        export LC_ALL
        IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
            /inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
            ip=substr($0,RSTART+10,RLENGTH-10)
            match($0,/Bcast:[[:digit:]\\.]+/)
            bcast = substr($0,RSTART+6,RLENGTH-6)
            printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
        # Restore the language setting
        LANG=$GUARDDOG_BACKUP_LANG
        LC_ALL=$GUARDDOG_BACKUP_LC_ALL
        export LANG
        export LC_ALL
        for X in $IP_BCAST_PAIRS ; do
            NIC="`echo \"$X\" | cut -f 1 -d _`"
            IP="`echo \"$X\" | cut -f 2 -d _`"
            BCAST="`echo \"$X\" | cut -f 3 -d _`"
            ipchains -A input -i $NIC -s $IP -d $BCAST -j ACCEPT
        done
        # Allow certain critical ICMP types
        ipchains -A input -p icmp --sport 3 -j ACCEPT # Dest unreachable
        ipchains -A output -p icmp --sport 3 -j ACCEPT # Dest unreachable
        ipchains -A forward -p icmp --sport 3 -j ACCEPT &> /dev/null # Dest unreachable
        ipchains -A input -p icmp --sport 11 -j ACCEPT # Time exceeded
        ipchains -A output -p icmp --sport 11 -j ACCEPT # Time exceeded
        ipchains -A forward -p icmp --sport 11 -j ACCEPT &> /dev/null # Time exceeded
        ipchains -A input -p icmp --sport 12 -j ACCEPT # Parameter Problem
        ipchains -A output -p icmp --sport 12 -j ACCEPT # Parameter Problem
        ipchains -A forward -p icmp --sport 12 -j ACCEPT &> /dev/null # Parameter Problem
        # Work out our local IPs.
        # Switch the current language for a moment
        GUARDDOG_BACKUP_LANG=$LANG
        GUARDDOG_BACKUP_LC_ALL=$LC_ALL
        LANG=US
        LC_ALL=US
        export LANG
        export LC_ALL
        NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
            /inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
            printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
            /Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
            printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
        # Restore the language setting
        LANG=$GUARDDOG_BACKUP_LANG
        LC_ALL=$GUARDDOG_BACKUP_LC_ALL
        export LANG
        export LC_ALL
        # Create the nicfilt chain
        ipchains -N nicfilt
        GOT_LO=0
        NIC_COUNT=0
        for X in $NIC_IP ; do
            NIC="`echo \"$X\" | cut -f 1 -d _`"
            IP="`echo \"$X\" | cut -f 2 -d _`"
            ipchains -A nicfilt -i $NIC -j RETURN
            # We also take this opportunity to see if we only have a lo interface.
            if [ $NIC == "lo" ]; then
                GOT_LO=1
            fi
            let NIC_COUNT=$NIC_COUNT+1
        done
        IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
        # Do we have just a lo interface?
        if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
            MIN_MODE=1
        else
            MIN_MODE=0
        fi
        # Are there *any* interfaces?
        if [ $NIC_COUNT -eq 0 ] ; then
            MIN_MODE=1
        fi
        # If we only have a lo interface or no interfaces then we assume that DNS
        # is not going to work and just skip any iptables calls that need DNS.
        ipchains -A nicfilt -l -j DENY
        # Create the filter chains
        # Create chain to filter traffic going from 'Internet' to 'Local'
        ipchains -N f0to1
        # Create chain to filter traffic going from 'Local' to 'Internet'
        ipchains -N f1to0
        # Add rules to the filter chains
        # Traffic from 'Internet' to 'Local'
        # Rejected traffic from 'Internet' to 'Local'
        # Traffic from 'Local' to 'Internet'
        # Allow 'ftp'
        # Control connection
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 21:21 --dport 1024:5999 -j ACCEPT
        # Data connection
        ipchains -A f0to1 -p tcp --sport 20:20 --dport 1024:65535 -j ACCEPT
        ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 20:20 -j ACCEPT
        # Data connection passive mode
        ipchains -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
        # Allow 'pop3'
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 110:110 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 110:110 --dport 1024:5999 -j ACCEPT
        # Allow 'msnmessenger'
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 1863:1863 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 1863:1863 --dport 1024:5999 -j ACCEPT
        # Allow 'http'
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 80:80 --dport 1024:5999 -j ACCEPT
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 8080:8080 --dport 1024:5999 -j ACCEPT
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 8008:8008 --dport 1024:5999 -j ACCEPT
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 8000:8000 --dport 1024:5999 -j ACCEPT
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 8888:8888 --dport 1024:5999 -j ACCEPT
        # Allow 'domain'
        ipchains -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
        ipchains -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
        ipchains -A f0to1 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
        # Allow 'aim'
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 5190:5193 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 5190:5193 --dport 1024:5999 -j ACCEPT
        ipchains -A f1to0 -p udp --sport 1024:5999 --dport 5190:5193 -j ACCEPT
        # Allow 'smtp'
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 25:25 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 25:25 --dport 1024:5999 -j ACCEPT
        # Allow 'https'
        ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -j ACCEPT
        ipchains -A f0to1 -p tcp ! -y --sport 443:443 --dport 1024:5999 -j ACCEPT
        # Rejected traffic from 'Local' to 'Internet'
        # Place DENY and log rules at the end of our filter chains.
        # Failing all the rules above, we DENY and maybe log the packet.
        ipchains -A f0to1 -l -j DENY
        # Failing all the rules above, we DENY and maybe log the packet.
        ipchains -A f1to0 -l -j DENY
        # Add some temp DNS accept rules to the input and output chains.
        # This is so that we can pass domain names to ipchains and have ipchains be
        # able to look it up without being blocked by our half-complete firewall.
        if [ $MIN_MODE -eq 0 ] ; then
            ipchains -A output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
            ipchains -A input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
            ipchains -A output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
            ipchains -A input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
        fi
        # Chain to split traffic coming from zone 'Internet' by dest zone
        ipchains -N s0
        for X in $IPS ; do
            ipchains -A s0 -d $X -j f0to1
        done
        if [ $MIN_MODE -eq 0 ] ; then
            true # make sure this if [] has at least something in it.
        fi
        ipchains -A s0 -l -j DENY
        # Chain to split traffic coming from zone 'Local' by dest zone
        ipchains -N s1
        if [ $MIN_MODE -eq 0 ] ; then
            true # make sure this if [] has at least something in it.
        fi
        ipchains -A s1 -j f1to0
        # Create the srcfilt chain
        ipchains -N srcfilt
        if [ $MIN_MODE -eq 0 ] ; then
            true # make sure this if [] has at least something in it.
        fi
        # Assume internet default rule
        ipchains -A srcfilt -j s0
        # Remove the temp DNS accept rules
        if [ $MIN_MODE -eq 0 ] ; then
            ipchains -D output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
            ipchains -D input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
            ipchains -D output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
            ipchains -D input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
        fi
        # The output chain is quite simple. We diverge and filter any traffic from
        # the local machine and accept the rest. The rest should have come via the
        # forward chain, and hence is already filtered.
        ipchains -A output -j nicfilt
        for X in $IPS ; do
            ipchains -A output -s $X -j s1
        done
        ipchains -A output -j ACCEPT
        ipchains -A input -j nicfilt
        # Direct local bound traffic on the input chain to the srcfilt chain
        for X in $IPS ; do
            ipchains -A input -d $X -j srcfilt
        done
        ipchains -A input -j ACCEPT
        # All traffic on the forward chains goes to the srcfilt chain.
        ipchains -A forward -j nicfilt &> /dev/null
        ipchains -A forward -j srcfilt &> /dev/null
        logger -p auth.info -t guarddog Finished configuring firewall
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
    fi;
    if [ $FILTERSYS -eq 2 ]; then
        ###############################
        ###### iptables firewall ######
        ###############################
        logger -p auth.info -t guarddog Configuring iptables firewall now.
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
        # Shut down all traffic
        iptables -P FORWARD DROP
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        # Delete any existing chains
        iptables -F
        iptables -X
        # Load any special kernel modules.
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
        modprobe ip_conntrack_ftp
        [ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
It seems like there should be an option to have it autostart at boot in the program configuration. What's the path to the program? Assuming you type "guarddog" at a console to start it you can find out the path with:
# which guarddog
It's probably /usr/bin/guarddog. The easiest way if you're using KDE is to make a link to guarddog in your /home/<user name>/.kde/Autostart directory like so:
# ln -s /usr/bin/guarddog /home/<user name>/.kde/Autostart/guarddog
There are many other ways to do it by editing your init scripts, but the above is the easiest if you use KDE.
You wrote: "Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need to place this script in the right place so it will execute at boot time automatically."
As root, do:
chmod +x /etc/rc.firewall
cp /etc/rc.firewall /etc/rc.d/rc.firewall
As root, do:
chkconfig --level 2345 ipchains on
It will start your guarddog at boot-up.
Slackware does not use chkconfig; that command is specific to Red Hat and Red Hat-derived distros.
I thought guarddog just worked with the iptables, saved its settings, and they are forever in effect.
Well, the original poster wrote that guarddog creates a script at /etc/rc.firewall. In Slackware, that is the wrong location; it should be /etc/rc.d/rc.firewall if you want it to execute on boot. Slackware's default installation actually creates a /etc/rc.d/rc.firewall file, but it is empty by default. The original poster should try moving the guarddog-created rc.firewall script into /etc/rc.d and chmod +x it.
On my Slackware box, I've simply edited /etc/rc.d/rc.firewall and typed in a basic iptables script.
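The fix described in the post above (move the generated script to /etc/rc.d/rc.firewall and chmod +x it) as a small POSIX shell helper, added here as an example; it is not code from the thread or from Guarddog. It assumes, as the post does, that Slackware's boot scripts run /etc/rc.d/rc.firewall only when the file is executable, and it takes the rc directory as a parameter so it can be tried against a scratch directory before touching /etc/rc.d. The last function is the post-reboot check the later replies were doing by hand with an external port scanner: instead of trusting that the script ran, ask the kernel whether the default INPUT policy is DROP.

```shell
#!/bin/sh
# Added example (not from the thread or from Guarddog): install a generated
# firewall script as Slackware's /etc/rc.d/rc.firewall and report whether it
# will be picked up at boot. RCDIR is a parameter so the functions can be
# exercised against a scratch directory before touching /etc/rc.d.

# install_rc_firewall SRC RCDIR
# Copies SRC to RCDIR/rc.firewall and marks it executable. Refuses an
# empty or missing source: Slackware ships an empty rc.firewall, and
# copying an empty file would silently leave the box unfiltered.
# A non-empty existing rc.firewall is kept as rc.firewall.bak.
install_rc_firewall() {
    src=$1
    rcdir=$2
    dest="$rcdir/rc.firewall"
    if [ ! -s "$src" ]; then
        echo "install_rc_firewall: $src is missing or empty" >&2
        return 1
    fi
    if [ ! -d "$rcdir" ]; then
        echo "install_rc_firewall: $rcdir is not a directory" >&2
        return 1
    fi
    if [ -s "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 1
    fi
    cp "$src" "$dest" || return 1
    # Assumption (matches the post above): Slackware's boot scripts run
    # rc.firewall only if it is executable, so this chmod is what enables it.
    chmod 755 "$dest"
}

# firewall_boot_status RCDIR
# Prints one word: "enabled" (rc.firewall present, non-empty and executable),
# "disabled" (present but empty or not executable), or "missing".
firewall_boot_status() {
    dest="$1/rc.firewall"
    if [ ! -e "$dest" ]; then
        echo missing
    elif [ -s "$dest" ] && [ -x "$dest" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# rules_loaded
# After a reboot, confirm the filter is actually in place rather than
# trusting the boot script. Returns 0 if iptables reports a DROP policy on
# INPUT, 1 if the policy is something else (the script did not run), and
# 2 if iptables is unavailable or we are not root. iptables-only; an
# ipchains box would need "ipchains -L input" and the DENY policy instead.
rules_loaded() {
    command -v iptables >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    iptables -L INPUT -n 2>/dev/null | head -n 1 | grep -q 'policy DROP'
}
```

Typical use on the real system, as root, is `install_rc_firewall /etc/rc.firewall /etc/rc.d && firewall_boot_status /etc/rc.d`, then `rules_loaded` after the next reboot; a status of "disabled" on a freshly installed Slackware is the empty placeholder file the post mentions, not a broken install.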
spurious, that is what I did. It is working well now. Thanks.
So guarddog's rules are not just started automatically? I thought they were. I'm using Mandrake 9.2, maybe I need to configure it to start automatically then.
At least they were not when I installed them on Slackware. I tested that by going to Shields Up, a web site that tests your ports. After every reboot I had to run the program, guarddog, then press apply rules. Then I think it loaded all of the modules and iptables rules.
I was messing around to see, and it seems to me that the firewall rules are being started automatically. I denied access to http and rebooted. When I get back on, http is not accessible until I allow it back in my firewall. Maybe someone could explain this a bit more. I read the little manual for guarddog, not all of it but a good bit of it to at least understand what I was doing, and I don't know if it starts automatically or not.