Gentoo Forums
Firewall Script?
Gentoo Forums Forum Index :: Networking & Security
Carrion
n00b | Joined: 19 Oct 2011 | Posts: 12 | Location: Mesa, AZ

Posted: Mon Oct 24, 2011 7:43 am    Post subject: Firewall Script?

Hi again,

I was just wondering if there's a firewall script or anything that can be used for Gentoo to prevent intruders in a public network from like a Starbuck's or other places (my own university's library is one I'm very paranoid of).

Please note: I am a paranoid person when it comes to computer security (but nothing else really).
Goverp
l33t | Joined: 07 Mar 2007 | Posts: 909

Posted: Mon Oct 24, 2011 8:28 am

If I understand correctly, UFW comes with a default configuration to do that, and it looks pretty simple to open services if you need to.

That said, I installed it, and it appeared to be blocking outgoing connections as well as incoming, which was a bit too secure :oops: I obviously don't understand correctly, and have not had time to sort it out.
_________________
Greybeard
Bones McCracker
Veteran | Joined: 14 Mar 2006 | Posts: 1611 | Location: U.S.A.

Posted: Mon Oct 24, 2011 8:33 am

There are lots of packages that help you build and maintain a firewall.
http://gpo.zugaina.org/net-firewall

A couple of those that might be good for you are 'firehol' and 'ufw'.

You might enjoy building your own, though, in iptables (which is the userspace program for directly configuring netfilter). Building your own will teach you a lot. You can google for information about iptables. You can find some gentoo specific stuff as well.
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
Carrion
n00b | Joined: 19 Oct 2011 | Posts: 12 | Location: Mesa, AZ

Posted: Mon Oct 24, 2011 8:56 am

Thank you both for introducing me to UFW. It does seem to be quite complex but at the same time it seems to be a very strong firewall.

I was actually wondering if netfilter.org is possible to use as a firewall generator (technically iptables). I am still new to the concept of networking so I'm sorry if I seem like a clumsy oaf.
Bones McCracker
Veteran | Joined: 14 Mar 2006 | Posts: 1611 | Location: U.S.A.

Posted: Mon Oct 24, 2011 9:25 am

Yes, that's what I meant above about iptables.

Iptables is the user interface to netfilter, which is part of the kernel. Most people just refer to using netfilter as using iptables, though.

You can enter iptables commands directly at the command prompt, or you can write a script (which is useful because it takes numerous iptables commands to properly set up a firewall). Individual iptables commands tell netfilter things like "let in traffic to port 12345" and "don't let any other traffic in".

Then, when you start up your computer, your iptables script runs and sets up netfilter for you. However, iptables can also save the set of rules that are currently running, and iptables can load a set of rules that have been previously saved. So, once you've built a set of iptables rules, you really don't need an 'iptables' script, other than to tell iptables to load the saved rules when the computer starts.

Scripts that run when you start your computer are 'init-scripts', and on Gentoo, they're found in /etc/init.d/. When you emerge iptables, such a script is installed for you, at /etc/init.d/iptables. That initscript will load whatever iptables rules have been saved. This setup kind of assumes you have built your own iptables rules, like you are talking about.

So you can go that route, and just learn a little about iptables first. It's pretty easy if you understand basic networking stuff, and if you don't, it's a good way to learn. There are numerous iptables tutorials, and there are several gentoo-related iptables tutorials and howtos. You can find these by googling.

You can probably also find a simple script that somebody else has written to provide a simple firewall for a host (as opposed to a firewall for a network, which would typically run on a router). Then, you can explore that, figure it out, tinker with it, and later modify or expand it as needed.

Most of the other firewall tools for linux, such as firehol, ufw, shorewall, and the like, simply produce a firewall script for you (one that includes all of the individual iptables commands). The basic idea of such tools is to provide a simpler interface. You fill out some kind of configuration file(s) that they think are easier to work with than actual iptables rules. Then, their program converts the config files into a script of actual iptables commands. You run that script, and the rules are loaded.

Some of these tools will come with their own initscript for loading and saving the rules. Or, once the rules are loaded, you can just use the iptables initscript provided by Gentoo to load them when you boot up (and optionally, to save them again each time you shut down, which is useful if you frequently make changes).

Some of these tools are simple, and some are powerful. For starters, and just for securing an individual laptop or desktop, you probably want simple.

However, even the simplest do require some level of understanding of networking and firewalls. The best way to get that is to read a bunch of tutorials about iptables and experiment with making your own simple firewall. Once you've got the basics down, you might then want to use one of these other tools.

Other people will offer various views on this and recommend their favorite tools, and my suggestions here are just one opinion. Have fun! :)
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
mimosinnet
l33t | Joined: 10 Aug 2006 | Posts: 686 | Location: Barcelona, Spain

Posted: Mon Oct 24, 2011 2:08 pm

BoneKracker wrote:
You might enjoy building your own, though, in iptables (which is the userspace program for directly configuring netfilter). Building your own will teach you a lot. You can google for information about iptables. You can find some gentoo specific stuff as well.


I very much agree. I used shorewall for some time. The problem was, as BoneKracker points out, that I was not understanding what shorewall was doing. After moving to gentoo I found this script in the gentoo wiki. The article not only gives you the script, but also explains in detail how the script is built. I have successfully adapted this script to different machines, including laptops and servers.

Cheers!
Carrion
n00b | Joined: 19 Oct 2011 | Posts: 12 | Location: Mesa, AZ

Posted: Mon Oct 24, 2011 8:20 pm

I'm reading the Gentoo-wiki article now. It is very helpful, and thank you both again.
gringo
Advocate | Joined: 27 Apr 2003 | Posts: 3793

Posted: Tue Oct 25, 2011 10:42 am

Arno's firewall script is nice too, and it is available in portage as net-firewall/arno-iptables-firewall.

cheers
mimosinnet
l33t | Joined: 10 Aug 2006 | Posts: 686 | Location: Barcelona, Spain

Posted: Tue Oct 25, 2011 1:53 pm

Carrion wrote:
I'm reading the Gentoo-wiki article now. It is very helpful, and thank you both again.


I have found that article very helpful in learning how to design rules, and I have moved the original article from the old wiki to this new one. Please, let me know if there is something that is not clear or could be improved.

Cheers!
Bones McCracker
Veteran | Joined: 14 Mar 2006 | Posts: 1611 | Location: U.S.A.

Posted: Tue Oct 25, 2011 11:52 pm

It's good to start with a simple script that is understandable.
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
cach0rr0
Bodhisattva | Joined: 13 Nov 2008 | Posts: 4123 | Location: Houston, Republic of Texas

Posted: Wed Oct 26, 2011 3:17 am

BoneKracker wrote:
It's good to start with a simple script that is understandable.


++

Something as simple as this is more than enough to build on

Code:

#!/bin/bash
echo Starting.....
echo flush\ all\ chains
iptables -F

# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# uncomment these two to allow ping
# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow local
iptables -A INPUT -i lo -j ACCEPT

# only these are open to the world. Uncomment and duplicate to add allowed inbound ports
#iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Drop everything not explicitly allowed above
iptables -A INPUT -i eth0 -j DROP
echo Finished...


that's what, 6, 7 meaningful lines of stuff?
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
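An added example, not from any poster in this thread: a plain iptables script of the kind Bones McCracker describes above, for the laptop-on-a-public-network case the thread opened with. It differs from the script just posted in one point a practitioner would want: the INPUT policy itself is DROP, so a wireless interface (wlan0) is covered without a per-interface DROP rule, whereas the eth0-only rule above leaves other interfaces open. The `preview`/`apply` arguments and the `apply_rules` function are my assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for a laptop used on
# untrusted networks. INPUT policy is DROP, so every interface is covered.
# Usage (assumed convention): "sh fw.sh preview" prints the commands,
# "sh fw.sh apply" runs them (needs root).

# Emit the whole rule set through the command given as $1.
# Passing "echo iptables" previews the rules without touching netfilter.
apply_rules() {
    ipt="${1:-iptables}"
    # Start from a clean slate in the filter table.
    $ipt -F
    $ipt -X
    # Policies: nothing in, nothing forwarded, everything out.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    # Local services (X, CUPS, local databases) talk over loopback.
    $ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (stateful matching).
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets with no valid connection state are noise on a public network.
    $ipt -A INPUT -m state --state INVALID -j DROP
    # Optional inbound services: one line per port, e.g. ssh.
    # $ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Log a rate-limited sample of what the policy drops, so you can see
    # in the kernel log who is knocking on the public network.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

case "${1:-}" in
    preview) apply_rules "echo iptables" ;;
    apply)
        apply_rules iptables
        # On Gentoo, persist the live rules and load them at boot with the
        # init script the thread mentions:
        #   /etc/init.d/iptables save && rc-update add iptables default
        ;;
    *) echo "usage: $0 preview|apply" >&2 ;;
esac
```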
Goverp
l33t | Joined: 07 Mar 2007 | Posts: 909

Posted: Sat Nov 26, 2011 12:26 pm

To wake an earlier part of this thread:
Goverp wrote:
... UFW comes with a default configuration ...
That said, I installed it, and it appeared to be blocking outgoing connections as well as incoming, which was a bit too secure :oops: ...

I've sorted out what was wrong. Not surprisingly, UFW requires several kernel netfilter modules.

The kernel configuration flag NETFILTER_XT_MATCH_ADDRTYPE changed at version 2.6.39. The UFW ebuild checked the required flags when I installed it against 2.6.38 or thereabouts, but moving to kernel 3 broke it silently. Reinstalling UFW generated the appropriate setup error, and now that I've fixed the kernel config, UFW works as expected. I'm using the default rule set, allow outbound, deny inbound. Job done.
_________________
Greybeard
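The silent failure Goverp describes, where a kernel upgrade drops a netfilter option the firewall tool was built against, can be caught with a check of the kernel config. This is an added example, not from the thread or from UFW; the `check_config` function and the list of options passed to it are my own assumptions, not the set any particular tool requires.

```shell
#!/bin/sh
# Added example, not from the thread: report netfilter options missing from
# a kernel .config before a firewall tool fails to load its rules.

# check_config CONFIG_FILE OPTION...
# Prints one line per option that is neither built in (=y) nor a module (=m);
# returns 0 when every option is available, 1 otherwise.
check_config() {
    cfg="$1"; shift
    missing=0
    for opt in "$@"; do
        if grep -q "^CONFIG_${opt}=[ym]$" "$cfg"; then
            continue
        fi
        missing=$((missing + 1))
        if grep -q "^# CONFIG_${opt} is not set$" "$cfg"; then
            echo "CONFIG_${opt}: present but disabled"
        else
            # Absent entirely: typically renamed or removed in this kernel,
            # which is what a version bump across 2.6.39 looks like.
            echo "CONFIG_${opt}: not in this kernel (renamed or removed?)"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample .config fragment; on a real system point check_config
# at /usr/src/linux/.config or the output of "zcat /proc/config.gz".
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
EOF

# Example run against the sample: LIMIT is disabled and ADDRTYPE is absent,
# so both are reported and the function returns 1.
check_config "$SAMPLE_CFG" NETFILTER NF_CONNTRACK NETFILTER_XT_MATCH_STATE \
    NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_ADDRTYPE \
    || echo "kernel config needs fixing before the firewall will load"
```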