LinuxQuestions.org
Old 10-23-2003, 09:33 PM   #1
shanenin
Member
 
Registered: Aug 2003
Location: Rochester, MN, U.S.A
Distribution: Gentoo
Posts: 987

Rep: Reputation: 30
how to start firewall automatically


I have been using the search on this board and Google with some answers. I have installed Guarddog on my Slackware 9.1 system. It works really well after I enable it after boot with the GUI. Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need to place this script in the right place so it will execute at boot time automatically. Is that what I need to do? If so, where do I place the script? I have placed a part of the script that it generated for me (maybe it will help). I am not even sure if this is the right kind of script for what I need to do.


-----------------------------------------------------------------------------------------------
# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
false
fi;
if [ $FILTERSYS -eq 1 ]; then
###############################
###### ipchains ###############
###############################
logger -p auth.info -t guarddog Configuring ipchains firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using ipchains."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY

# Delete any existing chains
ipchains -F
ipchains -X

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the up TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_fitler turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and metching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Allow loopback traffic.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Accept broadcasts from ourself.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
ipchains -A input -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Allow certain critical ICMP types
ipchains -A input -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A output -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A forward -p icmp --sport 3 -j ACCEPT &> /dev/null # Dest unreachable
ipchains -A input -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A output -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A forward -p icmp --sport 11 -j ACCEPT &> /dev/null # Time exceeded
ipchains -A input -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A output -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A forward -p icmp --sport 12 -j ACCEPT &> /dev/null # Parameter Problem
# Work out our local IPs.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
ipchains -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
ipchains -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
ipchains -A nicfilt -l -j DENY

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
ipchains -N f0to1
# Create chain to filter traffic going from 'Local' to 'Internet'
ipchains -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Local'

# Rejected traffic from 'Internet' to 'Local'

# Traffic from 'Local' to 'Internet'
# Allow 'ftp'
# Control connection
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 21:21 --dport 1024:5999 -j ACCEPT
# Data connection
ipchains -A f0to1 -p tcp --sport 20:20 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 20:20 -j ACCEPT
# Data connection passive mode
ipchains -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
# Allow 'pop3'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 110:110 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 110:110 --dport 1024:5999 -j ACCEPT
# Allow 'msnmessenger'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 1863:1863 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1863:1863 --dport 1024:5999 -j ACCEPT
# Allow 'http'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 80:80 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8080:8080 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8008:8008 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8000:8000 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8888:8888 --dport 1024:5999 -j ACCEPT
# Allow 'domain'
ipchains -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
# Allow 'aim'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 5190:5193 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 5190:5193 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 5190:5193 -j ACCEPT
# Allow 'smtp'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 25:25 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 25:25 --dport 1024:5999 -j ACCEPT
# Allow 'https'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 443:443 --dport 1024:5999 -j ACCEPT

# Rejected traffic from 'Local' to 'Internet'

# Place DENY and log rules at the end of our filter chains.
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f0to1 -l -j DENY
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f1to0 -l -j DENY

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have ipchains be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
ipchains -A output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
ipchains -N s0
for X in $IPS ; do
ipchains -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
ipchains -A s0 -l -j DENY

# Chain to split traffic coming from zone 'Local' by dest zone
ipchains -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
ipchains -A s1 -j f1to0
# Create the srcfilt chain
ipchains -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
# Assume internet default rule
ipchains -A srcfilt -j s0

# Remove the temp DNS accept rules
if [ $MIN_MODE -eq 0 ] ; then
ipchains -D output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -D output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is quite simple. We diverge and filter any traffic from
# the local machine and accept the rest. The rest should have come via the
# forward chain, and hence is already filtered.
ipchains -A output -j nicfilt
for X in $IPS ; do
ipchains -A output -s $X -j s1
done
ipchains -A output -j ACCEPT

ipchains -A input -j nicfilt
# Direct local bound traffic on the input chain to the srcfilt chain
for X in $IPS ; do
ipchains -A input -d $X -j srcfilt
done
ipchains -A input -j ACCEPT

# All traffic on the forward chains goes to the srcfilt chain.
ipchains -A forward -j nicfilt &> /dev/null
ipchains -A forward -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
fi;
if [ $FILTERSYS -eq 2 ]; then
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete any existing chains
iptables -F
iptables -X

# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
modprobe ip_conntrack_ftp

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."

Last edited by shanenin; 10-23-2003 at 09:42 PM.
 
Old 10-24-2003, 02:47 AM   #2
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,842

Rep: Reputation: 326
It seems like there should be an option to have it autostart at boot in the program configuration. What's the path to the program? Assuming you type "guarddog" at a console to start it you can find out the path with:

# which guarddog

It's probably /usr/bin/guarddog.

The easiest way, if you're using KDE, is to make a link to guarddog in your /home/<user name>/.kde/Autostart directory like so:

# ln -s /usr/bin/guarddog /home/<user name>/.kde/Autostart/guarddog

There are many other ways to do it by editing your init scripts, but the above is the easiest if you use KDE.
 
Old 10-24-2003, 02:48 AM   #3
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
You wrote: "Guarddog creates a shell script stored at /etc/rc.firewall. From what I have researched, I think I need to place this script in the right place so it will execute at boot time automatically."

As root, do:
chmod +x /etc/rc.firewall
cp /etc/rc.firewall /etc/rc.d/rc.firewall
 
Old 10-24-2003, 03:55 AM   #4
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
As root, do:
chkconfig --level 2345 ipchains on
It will start your guarddog at boot up.
 
Old 10-25-2003, 06:28 PM   #5
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
Slackware does not use chkconfig; that command is specific to Red Hat and Red Hat-derived distros.
 
Old 10-25-2003, 07:19 PM   #6
mechanicalg0d
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.2
Posts: 30

Rep: Reputation: 15
I thought guarddog just worked with the iptables, saved its settings, and they are forever in effect.
 
Old 10-25-2003, 07:48 PM   #7
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
Well, the original poster wrote that guarddog creates a script at /etc/rc.firewall. In Slackware, that is the wrong location; it should be /etc/rc.d/rc.firewall if you want it to execute on boot. Slackware's default installation actually creates a /etc/rc.d/rc.firewall file, but it is empty by default. The original poster should try moving the guarddog-created rc.firewall script into /etc/rc.d and chmod +x it.

On my Slackware box, I've simply edited /etc/rc.d/rc.firewall and typed in a basic iptables script.
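
A post-boot check for the placement spurious describes, added here as an example and not code from this thread or from Guarddog: it verifies that the script sits at /etc/rc.d/rc.firewall, is executable and actually issues ipchains/iptables commands, and that a saved `iptables -L -n` (or `ipchains -L -n`) listing shows every built-in chain defaulting to DROP/DENY, which is the local equivalent of the Shields Up test shanenin used. The function names and the sample listing are my own.

```shell
#!/bin/sh
# Post-boot sanity check for a Guarddog-style firewall on Slackware.
# Both functions take their input as arguments so they can be tried on
# copies and on saved listings without touching the live firewall.

# firewall_script_ok [PATH]
# Returns 0 when PATH (default /etc/rc.d/rc.firewall) is a regular,
# executable file that really contains ipchains or iptables commands.
# A script that is merely present but not executable is the failure
# mode this thread is about: Slackware's rc.d skips it silently.
firewall_script_ok() {
    script="${1:-/etc/rc.d/rc.firewall}"
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    [ -x "$script" ] || { echo "not executable (chmod +x): $script" >&2; return 2; }
    grep -Eq '^[[:space:]]*(ipchains|iptables)[[:space:]]' "$script" \
        || { echo "no ipchains/iptables rules in $script" >&2; return 3; }
    return 0
}

# policies_closed LISTING
# LISTING is a file holding the output of 'iptables -L -n' (or
# 'ipchains -L -n'). Returns 0 only when INPUT, OUTPUT and FORWARD all
# report a DROP/DENY policy, i.e. anything not explicitly ACCEPTed by a
# rule is refused. A chain left at ACCEPT is reported on stderr.
policies_closed() {
    listing="$1"
    status=0
    for chain in INPUT OUTPUT FORWARD; do
        lower=$(printf '%s' "$chain" | tr 'A-Z' 'a-z')   # ipchains prints lower case
        if ! grep -Eq "^Chain ($chain|$lower) \(policy (DROP|DENY)\)" "$listing"; then
            echo "open default policy on $chain" >&2
            status=1
        fi
    done
    return $status
}

# Demo on a constructed listing (hypothetical output, shaped like
# 'iptables -L -n'); on a real box save the live one instead:
#   iptables -L -n > /tmp/fw.txt && policies_closed /tmp/fw.txt
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
    firewall_script_ok && echo "rc.firewall is in place and executable"
    # OUTPUT is deliberately left at ACCEPT above, so this reports it.
    policies_closed "$tmp" && echo "closed by default" || echo "NOT closed by default"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see the check flag the open OUTPUT chain, or point the functions at the live /etc/rc.d/rc.firewall and a fresh `iptables -L -n` dump after a reboot.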
 
Old 10-25-2003, 11:10 PM   #8
shanenin
Member
 
Registered: Aug 2003
Location: Rochester, MN, U.S.A
Distribution: Gentoo
Posts: 987

Original Poster
Rep: Reputation: 30
spurious, that is what I did. It is working well now. Thanks.
 
Old 10-26-2003, 03:29 AM   #9
mechanicalg0d
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.2
Posts: 30

Rep: Reputation: 15
So guarddog's rules are not just started automatically? I thought they were. I'm using Mandrake 9.2; maybe I need to configure it to start automatically then.
 
Old 10-26-2003, 11:43 AM   #10
shanenin
Member
 
Registered: Aug 2003
Location: Rochester, MN, U.S.A
Distribution: Gentoo
Posts: 987

Original Poster
Rep: Reputation: 30
At least they were not when I installed them on Slackware. I tested that by going to Shields Up, a web site that tests your ports. After every reboot I had to run the program, guarddog, then press apply rules. Then I think it loaded all of the modules and iptables rules.
 
Old 10-26-2003, 03:04 PM   #11
mechanicalg0d
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.2
Posts: 30

Rep: Reputation: 15
I was messing around to see, and it seems to me that the firewall rules are being started automatically. I denied access to http and rebooted. When I get back on, http is not accessible until I allow it back in my firewall. Maybe someone could explain this a bit more. I read the little manual for guarddog, not all of it but a good bit of it, to at least understand what I was doing, and I don't know if it starts automatically or not.
 
All times are GMT -5. The time now is 06:53 AM.