perry | 08-13-2007 11:50 AM
I was using Arno's IPTABLES Firewall Script (ARNO's IPTABLES Firewall) up to version 10.0 of Slackware, but since then I have not bothered with any firewall at all. Would like to know the latest & greatest; great thread! For those who would like to give it a try, here's some info on how to set it up. Doesn't seem to work out of the box like it did before. So maybe I'll give it another try, or try something else.
Code:
CHAPTER 7
------------------------------------------------------------------------------
Using iptables
iptables is the IP packet filter administration tool. A lot of people use
iptables as a firewall. A firewall, theoretically, protects a computer
from intruders. A firewall is as secure as its configuration.
In this manual, you will install iptables if necessary, disable any
firewall front-ends, install Arno's iptables script, install Arno's
iptables service, log iptables messages, view the log, log incoming
traffic, check iptables status, and troubleshoot unresolved symbol boot
errors.
Before moving forward, check that iptables is installed:
which iptables
/usr/sbin/iptables
If it is installed, skip to Installing Arno's iptables Script.
Installing iptables
The best way would be to install iptables using your distro's package
manager to minimize any dependency issues. Compiling and installing
would be the last option. You need to know where your kernel source
resides.
1. Download iptables-1.2.11.tar.bz2 to your home directory
2. Open a terminal or console, switch user to root, decompress the
iptables download, change directory to the install directory, locate the
kernel source, install iptables, remove the install directory, and exit
root:
su
tar xjf iptables-1.2.11.tar.bz2
cd iptables-1.2.11
uname -r && ls /usr/src
make KERNEL_DIR=/usr/src/linux-2.4.26
make install KERNEL_DIR=/usr/src/linux-2.4.26
cd .. && rm -fr iptables-1.2.11
exit
After iptables install, you may have to recompile the kernel and include
iptables support. In Networking options > IP: Netfilter Configuration >
set all as modules, and exclude ipchains and ipfwadm. Arno's rc.iptables
init script will load the required modules at boot.
Disabling Firewall Front-ends
If you are running any firewall front-end, you have to disable it before
switching to Arno's iptables script. For Guarddog in Mandrake and MEPIS,
click main menu > System > Security > Guarddog > enter root password >
Advanced tab > check "Disable firewall", [OK], [Continue] and [OK].
Their rule set should be removed immediately. For other firewall front-
ends, find out how to disable them in their documentation.
Installing Arno's iptables Script
The script, by Arno van Amersfoort, loads iptables modules and sets up a
firewall rule set for you without your reading cryptic, cross-
referenced, full-of-jargon documentation.
You should ALWAYS start and stop rc.iptables or init scripts, in
general, as root. In fact, you wouldn't have to if you finished this
part and the next, since it would automatically start at boot. Remember
your security is only as secure as the weakest link: i.e. users with too
much power.
1. Download arno-iptables-firewall.tgz to your home directory
2. Open a terminal or console, switch user to root, decompress the
archive, change directory to install directory replacing the directory
name, restrict all files to non-root users, and make fwfilter and
rc.iptables executable for root:
su
tar zxvf arno-iptables-firewall.tgz
cd arno-iptables-firewall-x.x.x
chmod go-rwx *
chown root:root *
chmod u+x fwfilter rc.iptables
3. Move the rc.iptables init script to the auto-start directory of your
distro
For Arch, Core, Crux, Slackware, Vector and Yoper:
mv rc.iptables /etc/rc.d
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others:
mv rc.iptables /etc/init.d
4. Run ifconfig to get the eth0 (first Ethernet or network device) inet
addr and lo (local loopback) inet addr numbers:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0B:6D:24:31:69
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1024 (1024.0 b) TX bytes:854 (854.0 b)
Interrupt:11 Base address:0x1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
5. Find the path to iptables executable:
which iptables
/usr/sbin/iptables
6. Edit iptables-firewall.conf as follows if you're behind a router on a
DSL modem or you're on a cable modem. EXT_IF_DHCP_IP is for a dynamic IP.
Make it 0 if it's a static IP. If it is a dynamic IP, you can comment out
the MODEM_IF_IP and MODEM_IP options. MODEM_IF_IP is your local loopback.
MODEM_IP is your NIC or modem. Read the README file if you're on dial-up.
For Arch, Core, Crux, Slackware, Vector and Yoper:
vi iptables-firewall.conf
IPTABLES="/usr/sbin/iptables"
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
#MODEM_IF="eth0"
MODEM_IF_IP="127.0.0.1"
MODEM_IP="192.168.1.100"
FIREWALL_LOG=/var/log/firewall
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others:
vi iptables-firewall.conf
IPTABLES="/sbin/iptables"
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
#MODEM_IF="eth0"
MODEM_IF_IP="127.0.0.1"
MODEM_IP="192.168.1.100"
FIREWALL_LOG=/var/log/firewall
7. Move the configuration file to /etc and the firewall filter program to
/usr/local/bin, and remove the install directory, replacing the directory
name:
mv iptables-firewall.conf /etc
mv fwfilter /usr/local/bin
cd .. && rm -fr arno-iptables-firewall-x.x.x
8. Start the script
For Arch, Core, Crux, Slackware, Vector and Yoper:
/etc/rc.d/rc.iptables start
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others:
/etc/init.d/rc.iptables start
If all goes well, read on. If not, close the terminal and return to step
2.
Installing Arno's iptables Service
Computers are meant to automate processes. You don't have to type that
line to start the script again. It would be best to start iptables
BEFORE activating network. Whenever possible, let the system start
rc.iptables at boot and stop the service at reboot or shut-down.
9. Add the service, or edit the system init script
For Arch, add rc.iptables to DAEMONS parameter in rc.conf:
nano /etc/rc.conf
DAEMONS=(syslogd klogd network crond rc.iptables)
For Core, copy and paste this snippet at the end of system init script:
nano /etc/rc.d/rc.si
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
For Crux, add rc.iptables to SERVICES parameter in rc:
vi /etc/rc
SERVICES=(net crond rc.iptables kdm)
For DaNix, Debian, Kanotix, Knoppix and MEPIS, add symlinks to
runlevels:
update-rc.d rc.iptables defaults 18
For Gentoo, add the init script to runlevels:
rc-update add rc.iptables default
If that doesn't start rc.iptables at boot, put this line in local.start
to start rc.iptables at boot:
nano -w /etc/conf.d/local.start
/etc/init.d/rc.iptables start 1>&2
And put this line in local.stop to stop rc.iptables at reboot or shut-
down:
nano -w /etc/conf.d/local.stop
/etc/init.d/rc.iptables stop 1>&2
For PCLinuxOS, add the service to auto-start:
chkconfig --add rc.iptables
For Slackware and Vector, insert the start snippet before rc.inet1 in
rc.M:
vi /etc/rc.d/rc.M
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
# Initialize the networking hardware...
if [ -x /etc/rc.d/rc.inet1 ]; then
. /etc/rc.d/rc.inet1
fi
And insert the stop snippet before rc.pcmcia in rc.6:
vi /etc/rc.d/rc.6
# Stopping iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables stop
fi
# Shut down PCMCIA devices:
if [ -x /etc/rc.d/rc.pcmcia ] ; then
. /etc/rc.d/rc.pcmcia stop
sleep 5
fi
For Yoper, copy and paste this snippet at the end of init script:
vi /etc/rc.d/init.d/rc
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
For other distros, copy and paste this snippet at the end of init
script:
vi /etc/init.d/rc.init
# Starting iptables firewall
if [ -x /etc/init.d/rc.iptables ]; then
/etc/init.d/rc.iptables start
fi
10. Exit root:
exit
You should reboot Linux to make sure that rc.iptables is working.
Logging iptables Messages
Logging is optional. syslogd can output the logs to /var/log/firewall.
Switch user to root, create /var/log/firewall for only root, and add the
following line to the end of the syslog.conf file, making sure the spaces
between debug and /var are tabs, and that /var lines up with the other
column:
su
touch /var/log/firewall
chmod go-rwx /var/log/firewall
vi /etc/syslog.conf
kern.=debug /var/log/firewall
Restart system logging daemon, and exit root:
killall -HUP syslogd
exit
Viewing Firewall Log
There is no point in logging iptables messages if the log isn't viewed
regularly. In Arno's download is a fwfilter script that filters firewall
logs for easy viewing. The usage is mentioned in the same script. Let's
see the log:
su
cat /var/log/firewall | fwfilter
Jan 1 0:00:00 ** Starting Arno's IPTABLES firewall v1.8.3-BETA3 **
Jan 1 0:00:00 ** All firewall rules applied **
Jan 1 0:00:00 ** Stopping IPTABLES firewall **
How about a real-time output?
tail -f /var/log/firewall | fwfilter
Press CTRL C to quit. If fwfilter can't be found, the environment path
must be missing /usr/local/bin/. Add it to /etc/profile and reload
profile if need be. After viewing the firewall log, exit root:
exit
Logging Incoming Traffic
Technically, your iptables install is over. So? Yeah, what the hell.
Mount up. There are a number of firewall loggers out there. IP Packet
Logger is a tiny daemon that logs incoming IP packets.
1. Download ippl-1.4.14.tar.gz to home directory
2. Open a terminal or console, and install ippl:
tar zxvf ippl-1.4.14.tar.gz
cd ippl-1.4.14
su
./configure --sysconfdir=/etc && make && make install
cd .. && rm -fr ippl-1.4.14
3. Make ippl root only and edit the ippl.conf file:
chmod 0700 /usr/local/sbin/ippl
vi /etc/ippl.conf
runas nobody
expire 3600
log-in all /var/log/ippllog
run icmp tcp udp
4. Write the init script:
vi ippl
#!/bin/sh
#
# ippl: start/stop ippl daemon
#
case $1 in
start)
echo "Starting $0:"
# ippl forks into the background by itself (see "runas" in ippl.conf)
/usr/local/sbin/ippl
;;
stop)
echo "Stopping $0:"
# send SIGTERM; killall takes the signal as -TERM (or -s TERM)
killall -TERM /usr/local/sbin/ippl
;;
restart)
$0 stop
sleep 2
$0 start
;;
*)
echo "usage: $0 [start|stop|restart]"
exit 1
;;
esac
# End of file
Make ippl executable for only root:
chmod 0700 ippl
For Arch, Core, Crux, Slackware, Vector and Yoper, move ippl to /etc/rc.d:
mv ippl /etc/rc.d
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others, move ippl to /etc/init.d:
mv ippl /etc/init.d
5. Add the service, or edit the system init script
For Arch, add rc.iptables to DAEMONS parameter in rc.conf:
nano /etc/rc.conf
DAEMONS=(syslogd klogd network crond rc.iptables ippl)
For Core, copy and paste this snippet at the end of init script:
nano /etc/rc.d/rc.si
# Starting ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl start
fi
For Crux, add rc.iptables to SERVICES parameter:
vi /etc/rc
SERVICES=(net crond rc.iptables ippl kdm)
For DaNix, Debian, Kanotix, Knoppix and MEPIS, add symlinks to
runlevels:
update-rc.d ippl defaults 19
For Gentoo, add the init script to runlevels:
rc-update add ippl default
For PCLinuxOS, add the service to auto-start:
chkconfig --add ippl
For Slackware and Vector, insert the start snippet after rc.iptables in
rc.M:
vi /etc/rc.d/rc.M
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
# Starting ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl start
fi
And insert the stop snippet before rc.iptables in rc.6:
vi /etc/rc.d/rc.6
# Stopping ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl stop
fi
# Stopping iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables stop
fi
For Yoper, copy and paste this snippet at the end of init script:
vi /etc/rc.d/init.d/rc
# Starting ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl start
fi
For other distros, copy and paste this snippet at the end of init
script:
vi /etc/init.d/rc.init
# Starting ippl
if [ -x /etc/init.d/ippl ]; then
/etc/init.d/ippl start
fi
6. Start ippl:
/etc/rc.d/ippl start
Or
/etc/init.d/ippl start
It is a good idea to frequently check the traffic log:
tail /var/log/ippllog
7. After installing ippl, exit root:
exit
IP Packet Logger is running in the background. You don't have to reboot
the computer after installing and running ippl. That's the beauty of
Linux.
Checking iptables Status
You can check that the iptables rule set is applied. Switch user to
root:
su
List everything set by Arno's script:
/etc/rc.d/rc.iptables status
Or list all chains as an exact numeric verbose output:
iptables -xnvL
Exit root:
exit
Troubleshooting: Unresolved symbols
If the distro boots up, or you enter "depmod -a", and one or more
iptables-related lines like this sweep across the screen:
depmod: *** Unresolved symbols in
/lib/modules/2.x.xx/kernel/net/ipv4/netfilter/ip_tables.o
It is possible that you just compiled a new kernel without cleaning the
source tree thoroughly. You can try this:
su
cd /usr/src/linux
mv .config ..
make mrproper
mv ../.config .
Replace the linux directory with the right one if necessary. Then you can
configure your kernel, check that all iptables modules are included,
compile the kernel, write the LInux LOader and reboot the computer.
iptables
http://www.iptables.org/downloads.html
Arno's iptables Script
http://freshmeat.net/projects/iptables-firewall/?topic_id=151
ippl Logger
http://pltplp.net/ippl/
----------------------------------------------------------------------------
Copyright (C) 2002-2004 by jet_blackz@lycos.com
Here's another commentary on its usage: iptables
One thing I have noticed however, is that if you have a modern day router that offers things like port forwarding and trusted hosts, isn't that enough? Rather than having to replicate a lot of that functionality on your Linux box, as I never seem to have any viruses or intrusions on my machine.
Just a little FYI.
- Perry
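The manual above says to check /var/log/firewall regularly and pipes it through fwfilter to make the kernel LOG lines readable. As an added example (not part of the original post, not Arno's script, and not fwfilter), here is a small Python summarizer that does the defender's half of that job: it parses the fields the iptables LOG target writes (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...) out of syslogd lines, counts dropped packets per source and per destination port, and flags sources that hit several different ports. It assumes the standard syslogd line format; the "AIF:" log prefix, the host name and every sample line are constructed for the example, and the real prefix depends on how the rule set was configured.

```python
#!/usr/bin/env python3
"""Summarize Netfilter LOG lines from a syslog file such as /var/log/firewall.

Added example for this thread; it is not fwfilter and not part of Arno's
script. Assumptions: lines are in syslogd format ("Mon dd HH:MM:SS host
kernel: ..."), packet lines carry the iptables LOG target fields, and the
"AIF:" prefix is a placeholder chosen here, not a real script prefix.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan  1 00:00:01 box kernel: ** Starting Arno's IPTABLES firewall v1.8.3-BETA3 **
Jan  1 00:00:02 box kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 00:00:03 box kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 00:00:04 box kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=4000 DPT=137 LEN=28
Jan  1 00:00:05 box kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 00:00:06 box kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.168.1.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# "Jan  1 00:00:01 host kernel: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# KEY=value pairs as written by the LOG target; flags like DF or SYN have no "="
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the LOG fields of one packet line, or None for anything else
    (script banners, non-kernel lines, junk)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if "IN=" not in msg or "SRC=" not in msg:
        return None
    fields = dict(KV_RE.findall(msg))  # a repeated key (LEN, ID) keeps the last value
    return {
        "ts": m.group("ts"),
        "prefix": msg.split("IN=", 1)[0].strip(),  # the rule's --log-prefix
        "in": fields.get("IN", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", "?"),
        "dpt": fields.get("DPT", "-"),  # ICMP has no port
    }


def summarize(log_text, scan_ports=3):
    """Count logged packets per source and per (proto, port), and flag
    sources that touched at least `scan_ports` distinct (proto, port) pairs."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_src = Counter(r["src"] for r in events)
    by_port = Counter((r["proto"], r["dpt"]) for r in events)
    ports_by_src = defaultdict(set)
    for r in events:
        ports_by_src[r["src"]].add((r["proto"], r["dpt"]))
    suspects = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_ports)
    return {"events": events, "by_src": by_src, "by_port": by_port, "suspects": suspects}


def report(summary):
    """Render the summary as plain text for a terminal."""
    lines = [f"{len(summary['events'])} logged packets", "top sources:"]
    for src, n in summary["by_src"].most_common(5):
        lines.append(f"  {src:<16} {n}")
    lines.append("top destination ports:")
    for (proto, dpt), n in summary["by_port"].most_common(5):
        lines.append(f"  {proto}/{dpt:<8} {n}")
    if summary["suspects"]:
        lines.append("sources probing several ports: " + ", ".join(summary["suspects"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: fwsummary.py /var/log/firewall   (no argument: the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(text)))
```

Run it as root against the log file the syslog.conf line above creates; the per-port counts tell you which services the outside world keeps knocking on, and a single source hitting many ports is the usual sign of a scan, which is exactly the case where a host firewall behind a home router still earns its keep.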