incubator Guru
Joined: 05 Jun 2003 Posts: 584 Location: Belgium
akvalentine n00b
Joined: 27 Jun 2002 Posts: 42
Posted: Wed Oct 08, 2003 9:05 pm
Personally, reading and writing firewall rules gives me a headache.
Try merging net-misc/monmotha.
Edit /etc/monmotha/monmotha to your preference.
It's all set up as variables, so you don't even have to look at the code if you don't want to. Don't forget to change ENABLE="N" to ENABLE="Y" once you've modified it.
Then just run:
Code:
```sh
/etc/init.d/monmotha start
```
To start it at reboot, run:
Code:
```sh
rc-update add monmotha default
```
Garbz Apprentice
Joined: 02 Jul 2003 Posts: 260 Location: Brisbane, Australia
Posted: Wed Oct 08, 2003 9:53 pm
I've written many a small firewall in my time, and while I don't claim to be a security expert it's never been compromised. (Doesn't mean much, I'm not much of a target :) )
I've always found iptables rather easy, and basically if you want to run a webserver start simple, and once a simple firewall is sorted out build upon it.
By simple I mean:
- allow data for port 80
- set default policy for INPUT to drop
Once that is working you can start on spoof protection, dropping fragments, etc., and eventually work your way up to a beefy firewall. I know that I've made 4 major changes to my firewall which have taken nearly a week to update, and probably hundreds of other minor changes to the ruleset depending on what exactly I'm using my server for.
_________________
Every beginning is another beginning's end.
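The staged approach described above, as an added shell example (not code from any poster in this thread): stage 1 is the minimal web-server ruleset, stage 2 inserts the spoof and fragment protection on top once stage 1 is known to work. It assumes a single internet-facing interface named eth0, iptables at /sbin/iptables, and that the admin works over SSH (port 22 is kept open so the session loading the rules survives); setting DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Staged iptables ruleset for a single-NIC web server: get the simple
# firewall working first, then harden it. Added example, not code from
# any poster. Assumptions: WAN interface eth0, iptables at /sbin/iptables.
IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}

# Execute a command, or just print it when DRY_RUN=1 (for review/testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Stage 1: the minimal working firewall. Rules are appended before the
# INPUT policy flips to DROP, so an SSH session used to load it survives.
stage1_web() {
    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run "$IPT" -P INPUT DROP
}

# Stage 2: hardening inserted at the top of INPUT once stage 1 works:
# private/loopback sources arriving on the WAN side, fragments, and TCP
# packets that claim to be NEW without a SYN flag.
stage2_hardening() {
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run "$IPT" -I INPUT -i "$WAN" -s "$net" -j DROP
    done
    run "$IPT" -I INPUT -f -j DROP
    run "$IPT" -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
}
```

Run stage1_web first, verify the web server and your SSH session still answer, then run stage2_hardening.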
incubator Guru
Posted: Wed Oct 08, 2003 10:15 pm
This monmotha, is it like firestarter?
akvalentine n00b
Posted: Thu Oct 09, 2003 3:37 am
> this monmotha, is it like firestarter?

Never used firestarter, so I don't know. Monmotha is just a bash shell script that sets up an iptables firewall based on the values of variables that you set inside the script.
I like it because it allows me to set up a robust firewall without having to know iptables. For whatever reason, I've never been able to wrap my head around firewall rules...
Because it's just a bash shell script, feel free to merge it and play. You can always unmerge it with no adverse effects at all.
incubator Guru
Posted: Thu Oct 09, 2003 4:29 pm
Aha, that's even better then :D
jaska Bodhisattva
Joined: 06 Jun 2003 Posts: 725 Location: Finland
Posted: Thu Oct 09, 2003 6:29 pm
Now that I think about it, I have wasted a lot of time learning iptables by hand without these nice tools... Oh well, can't change that anymore.
M104 Tux's lil' helper
Joined: 13 Jan 2003 Posts: 132 Location: Riverside, CA
Posted: Thu Oct 09, 2003 11:46 pm
Monmotha has been a real help to me! I got tired of adding, modifying and then testing every single rule, so I switched to monmotha. I really like the way you can easily modify many different behaviours just by changing the config file and restarting the script. It never hurts to learn iptables rules, though.
_________________
"Pulling together is the aim of despotism and tyranny. Free men pull in all kinds of directions."
Terry Pratchett, The Truth
Garbz Apprentice
Posted: Fri Oct 10, 2003 2:08 am
As long as it's secure and it works, I guess it doesn't matter how you implement the firewall in the end :lol:
_________________
Every beginning is another beginning's end.
askewview n00b
Joined: 10 Jul 2003 Posts: 5
Posted: Fri Oct 10, 2003 2:53 am
Here's a little script I wrote for my box. It has only 1 NIC, which is hooked to the internet. This script allows FTP, SSH, SMTP, web, POP3 and IMAP.
Code:
```sh
#! /bin/sh
# init.d/chronicfw
#
# description: System startup script for chronic's local packet filters
#
# last modified 22 May 2003 arb
#
IPTABLES=/sbin/iptables
test -x $IPTABLES || exit 5

case "$1" in
    start)
        echo "Loading chronic's Packet Filters "
        # Load kernel modules first
        modprobe ip_tables
        modprobe ip_conntrack_ftp
        # Set default-deny policies for all three default chains
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P OUTPUT DROP
        # Flush old rules, old custom tables
        $IPTABLES --flush
        $IPTABLES --delete-chain
        # Give free rein to loopback interfaces
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -j ACCEPT
        # Do some anti IP spoofing drops (log, then drop)
        $IPTABLES -A INPUT -s 255.0.0.0/8 -j LOG --log-level info --log-prefix "Spoofed source IP!"
        $IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -s 0.0.0.0/8 -j LOG --log-level info --log-prefix "Spoofed source IP!"
        $IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -s 127.0.0.0/8 -j LOG --log-level info --log-prefix "Spoofed source IP!"
        $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "Spoofed source IP!"
        $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
        # Tell netfilter that all TCP sessions do indeed begin with SYN
        #$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "Stealth scan attempt?"
        #$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
        # Individual IP blocks
        $IPTABLES -A INPUT -s 80.13.12.73 -j DROP
        # INBOUND POLICY
        # Accept inbound packets that are part of a previously-OK'ed session
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Accept inbound packets which initiate FTP sessions
        $IPTABLES -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
        # Accept inbound packets which initiate SSH sessions
        $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
        # Accept inbound packets which initiate SMTP sessions
        $IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
        # Accept inbound packets which initiate DNS sessions
        $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
        $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
        # Replies to our own DNS queries are already matched by the
        # ESTABLISHED,RELATED rule above. Accepting NEW packets just because
        # their source port is 53 would let any host in simply by sending
        # from port 53, so these two rules are disabled.
        #$IPTABLES -A INPUT -p tcp --sport 53 -m state --state NEW -j ACCEPT
        #$IPTABLES -A INPUT -p udp --sport 53 -m state --state NEW -j ACCEPT
        # Accept inbound packets which initiate HTTP sessions
        $IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
        # Accept inbound packets which initiate POP3 sessions
        $IPTABLES -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
        # Accept inbound packets which initiate IMAP sessions
        $IPTABLES -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
        # Accept inbound ping requests
        $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        # Drop incoming DHCP broadcasts without logging
        $IPTABLES -A INPUT -p udp --sport 67 -j DROP
        # Log anything not accepted above (the INPUT policy then drops it)
        $IPTABLES -A INPUT -j LOG --log-level info --log-prefix "Dropped by default:"
        # OUTBOUND POLICY
        # If it's part of an approved connection, let it out
        $IPTABLES -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
        # Allow outbound ping
        $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
        # Allow outbound FTP
        $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
        # Allow outbound SSH
        $IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
        # Allow outbound SMTP
        $IPTABLES -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
        # Allow outbound WHOIS
        $IPTABLES -A OUTPUT -p tcp --dport 43 -m state --state NEW -j ACCEPT
        # Allow outbound DNS queries
        $IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
        $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
        # Allow outbound HTTP
        $IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
        $IPTABLES -A OUTPUT -p tcp --sport 80 -m state --state NEW -j ACCEPT
        # Allow outbound POP3
        $IPTABLES -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
        # Allow outbound IMAP
        $IPTABLES -A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
        # Allow outbound IRC
        $IPTABLES -A OUTPUT -p tcp --dport 6666 -m state --state NEW -j ACCEPT
        $IPTABLES -A OUTPUT -p tcp --dport 6667 -m state --state NEW -j ACCEPT
        # Log anything not accepted above (the OUTPUT policy then drops it)
        $IPTABLES -A OUTPUT -j LOG --log-level info --log-prefix "Dropped by default OUT:"
        ;;
    wide_open)
        echo "DANGER!! Unloading chronic's Packet Filters!!"
        # Unload filters and reset default policies to ACCEPT.
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES --flush
        ;;
    stop)
        echo "Portcullis rope CUT..."
        # Unload all fw rules, leaving the default-drop policies
        $IPTABLES --flush
        ;;
    status)
        echo "Querying iptables status (via iptables --list)..."
        $IPTABLES --line-numbers -v --list
        ;;
    *)
        echo "Usage: $0 {start|stop|wide_open|status}"
        exit 1
        ;;
esac
```
incubator Guru
Posted: Sat Oct 11, 2003 6:14 pm
For some reason, whenever I start monmotha I keep getting 2 red "!"s.
Here's my standard config (and I honestly don't know much about these params):
Code:
```sh
IPTABLES="/usr/sbin/iptables" # set to your iptables location, must be set
TCP_ALLOW="22 80" # TCP ports to allow (port<LOCIP)
UDP_ALLOW="68 6112 6119 4000" # UDP ports to allow (port<LOCIP)
INET_IFACE="eth1" # the interface your internet's on (one only), must be set
LAN_IFACE="eth0" # the interface(s) your LAN is on
INTERNAL_LAN="" # The internal LAN (including DMZs but not censored hosts)
MASQ_LAN="192.168.0.0/24 192.168.1.0/24" # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
SNAT_LAN="" # Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is ove$
DROP="TREJECT" # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP), LDROP (log $
DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all; format is "IP<LOCIP"
DENY_HOSTWISE_TCP="" # Specific hosts to deny access to specific TCP ports; format is "IP>PORT<LOCIP"
DENY_HOSTWISE_UDP="" # Specific hosts to deny access to specific UDP ports; format is "IP>PORT<LOCIP"
BLACKHOLE="" # People you don't want to have anything to do with (equivalent of my old TK_DROP). This is a bidirectional$
BLACKHOLE_DROP="DROP" # What to do for the blackholes (same options as DROP directive above)
ALLOW_HOSTWISE_TCP="" # Specific hosts allowed access to specific TCP ports; format is "IP>PORT<LOCIP"
ALLOW_HOSTWISE_UDP="" # Specific hosts allowed access to specific UDP ports; format is "IP>PORT<LOCIP"
TCP_FW="" # TCP port forwards, form is "SPORT:DPORT>DESTIP<LOCIP" <LOCIP may be omitted
UDP_FW="" # UDP port forwards, form is "SPORT:DPORT>DESTIP<LOCIP" <LOCIP may be omitted
MANGLE_TOS_OPTIMIZE="FALSE" # TOS "optimizations" on or off (TRUE/FALSE toggle)
DHCP_SERVER="FALSE" # Set to true if you run a DHCP server. DHCP clients do not need this. This allows broadcasts to the server$
BAD_ICMP="5 9 10 15 16 17 18" # ICMP messages to NOT allow in from internet
ENABLE="Y" # Set to 'Y' when it's configured; this is for your own safety
# Flood Params. You will still receive the packets and the bandwidth will be used, but this will cause floods to be ignored (useful against SYNFLOODS espe$
LOG_FLOOD="2/s" # Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of l$
SYN_FLOOD="20/s" # GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a pe$
PING_FLOOD="1/s" # GLOBAL limit on ICMP echo-requests to reply to
# Outbound filters
ALLOW_OUT_TCP="" # Internal hosts allowed to be forwarded out on TCP (do not put this/these host/s in INTERNAL_LAN, but do d$
PROXY="" # Redirect for Squid or other TRANSPARENT proxy. Syntax to specify the proxy is "host:port".
# Below here is experimental (please report your successes/failures)
MAC_MASQ="" # MAC addresses permitted to use masquerading, leave blank to not use
MAC_SNAT="" # MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
TTL_SAFE="" # How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch$
USE_SYNCOOKIES="FALSE" # TCP SynCookies on or off (TRUE/FALSE toggle)
RP_FILTER="TRUE" # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
ACCEPT_SOURCE_ROUTE="FALSE" # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
SUPER_EXEMPT="" # Hosts which get to bypass the packet filter entirely (be REALLY careful with these)
BRAINDEAD_ISP="FALSE" # Force no fragments, useful if your ISP has a broken firewall or if you are on a tunneled connection (like$
ALLOW_HOSTWISE_PROTO="" # Specific hosts allowed access on specific IP protocols; format is "IP>PROTO<LOCIP"
```
I wonder if these LAN things need to be filled in.
All I'm using is a regular ADSL USB modem (3 Mbps) and all I want to do is run an HTTP web server.
Is there anything else I overlooked that is wrong?
incubator Guru
Posted: Sat Oct 11, 2003 6:18 pm
It seems the path to iptables was wrong, but now it's even worse :S
Code:
```text
Loading iptables firewall:
Checking configuration...modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
IPTABLES can't create new chains or the script was interrupted previously!
Flush IPTABLES rulesets or delete chain SYSTEST and try again.
```
askewview n00b
Posted: Sun Oct 12, 2003 12:21 am
Sounds like netfilter isn't compiled into your kernel.
Garbz Apprentice
Posted: Sun Oct 12, 2003 9:54 am
Or, if it is compiled statically, then the firewall script doesn't recognise the fact.
Check your config; from the looks of things it wants it as modules (but statically compiled options shouldn't make much of a difference).
_________________
Every beginning is another beginning's end.
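A check for the two cases the replies above describe, as an added shell example (not monmotha's own configuration test): it reads a kernel .config and reports, for each netfilter option a script like this one needs, whether it is built in (y), a module (m) or missing, so a failing modprobe on a static kernel can be told apart from real missing support. It assumes the config lives at /usr/src/linux/.config and uses the 2.4/2.6-era option names behind the ip_tables and ip_conntrack_ftp modules named in this thread; the sample config in the block is constructed.

```sh
# Report the netfilter options a firewall script depends on, so a failing
# "modprobe ip_tables" can be told apart from missing kernel support.
# Added example, not monmotha's own check. Assumes a readable kernel
# .config (default /usr/src/linux/.config); option names are the
# 2.4/2.6-era ones behind the ip_tables and ip_conntrack_ftp modules.

# Print y (built in), m (module) or n (absent) for one CONFIG_ symbol.
kconfig_state() {
    # $1 = config file, $2 = symbol; "# CONFIG_X is not set" yields n
    v=$(grep "^$2=" "$1" 2>/dev/null | head -n1 | cut -d= -f2)
    echo "${v:-n}"
}

# One line per required option; exit status 1 if any is missing.
check_netfilter() {
    cfg=$1
    rc=0
    for sym in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
               CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP; do
        case $(kconfig_state "$cfg" "$sym") in
            y) echo "$sym: built in (modprobe will say not found; harmless)" ;;
            m) echo "$sym: module (modprobe must succeed)" ;;
            *) echo "$sym: MISSING, enable it and rebuild the kernel"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: filtering built in, FTP helper as a module,
# connection tracking left out, so check_netfilter reports a failure.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_CONNTRACK is not set
EOF
}

# Check the real kernel config when run as: sh check_nf.sh --live [config]
if [ "${1:-}" = --live ]; then
    check_netfilter "${2:-/usr/src/linux/.config}"
fi
```

On a kernel built with CONFIG_IKCONFIG_PROC you can pass a decompressed copy of /proc/config.gz instead of the source tree's .config.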
incubator Guru
Posted: Sun Oct 12, 2003 1:37 pm
Fixed it, indeed, netfilter wasn't compiled at all.