Thread: A Simple Firewall

  1. #1 Member (Join Date Jun 2008, Posts 101)

    A Simple Firewall

    Recently, while reading some posts about Nmap, I found out that BT3 had no firewall by default; at least not one running from the start-up scripts. So I started digging into the topic and came out with a good knowledge of firewalls and shell scripting as well. I encourage those new to Linux, like myself, to really understand what's below and not just copy and run the code. A bit of reading on iptables will come in handy...

    Credits to pureh@te Fischer's firewall and to the one included in BT3, rc.FireWall. After placing the firewall, a port scan with Nmap -T Aggressive will be unusually slow and ports will show up as filtered and not closed!

    Code:
    #!/bin/sh
    
    # Variables
    
    IPTABLES=/usr/sbin/iptables
    
    # Interfaces facing the outside. iptables -i takes a single interface per
    # rule, so the port-opening examples below loop over this list.
    WAN_IFACE="ath0 eth0"
    
    if [ "$1" = "start" ]; then
        echo "Starting Firewall"
    
        # Flush Current Rules
        $IPTABLES -F      # remove all rules
        $IPTABLES -X      # delete all user-defined chains
    
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies              # SYN-flood (DoS) protection
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Disable responding to ping broadcasts
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter          # Reverse-path filter: drop packets with spoofed source addresses on all interfaces
    
        # Set Default Rules for Chains
    
        $IPTABLES -P INPUT DROP  # Drop every packet from the outside
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # Allow replies to connections this host started
    
        # Allow all outgoing packets
        $IPTABLES -P OUTPUT ACCEPT
    
        # Drop forwarded packets; this host does no routing or NAT
        $IPTABLES -P FORWARD DROP
    
        # Section to open desired ports
    
        # Open Ports for SSH and HTTP (uncomment to enable)
        #for IFACE in $WAN_IFACE; do
        #    $IPTABLES -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
        #    $IPTABLES -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
        #done
    
    elif [ "$1" = "stop" ]; then
        echo "Firewall Halted"
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
    
    elif [ "$1" = "status" ]; then
        $IPTABLES -L -v
    
    else
        echo "usage: $0 start|stop|status"
    fi
    To start the script at start-up, place it in /etc/rc.d and give it a name; in this case it will be rc.firewall.

    bt~ # chmod 775 rc.firewall
    bt~ # chmod 775 rc.local
    bt~ # kwrite rc.local

    Code:
    #!/bin/bash
    echo "Initializing rc.local..."
    #Fuse
    # To disable Fuse, chmod rc.fuse to 644
    #if [ -x /etc/rc.d/rc.fuse ]; then
    #	sh /etc/rc.d/rc.fuse start
    #fi
    
    #Firewall
    if [ -x /etc/rc.d/rc.firewall ]; then
    	sh /etc/rc.d/rc.firewall start
    fi
    Here I used rc.local to load rc.firewall by making both of them executable. Note that I commented out rc.fuse. Any comments will be welcome, and also be aware that BT3 has a firewall, but it is not set to run at start-up.

  2. #2 Developer (Join Date Mar 2007, Posts 6,124)

    I used this on my new eeepc rebuild and ran a few scans on it and it seems to be fairly effective. I give it a thumbs up.

  3. #3 Member (Join Date Jun 2008, Posts 101)

    Quote Originally Posted by pureh@te:
    I used this on my new eeepc rebuild and ran a few scans on it and it seems to be fairly effective. I give it a thumbs up.

    Nice. By the way, the script is missing this line, which allows everything coming from the localhost interface:

    Code:
    $IPTABLES -A INPUT -i lo -j ACCEPT

  4. #4 alienstargate, Just burned their ISO (Join Date Mar 2010, Posts 16)

    Hmm, I've made this script for the firewall...

    rc.firewall


    # usage: rc.firewall start|stop|status
    #
    # Simple firewall disallowing all incoming connections
    # but allowing all traffic on localhost (lo device)
    # and allowing incoming connections to the ports listed in
    # $ALLOWED_TCP_PORTS and $ALLOWED_UDP_PORTS

    Code:
    #!/bin/bash
    #
    # enter ports with spaces between eg: "21 80 443"
    ALLOWED_TCP_PORTS=""
    ALLOWED_UDP_PORTS=""
    
    #-----------------------------------------------------------
    
    # Avoid using root's TMPDIR
    unset TMPDIR
    
    # Source networking configuration.
    # /etc/sysconfig/network
    
    # Start the firewall
    
    test -x /usr/sbin/iptables || {
        echo "Iptables not properly installed"
        exit 1
    }
    
    start() {
        KIND="Iptables"
        echo -n $"Starting $KIND services: "
        SYSCTLW="/sbin/sysctl -q -w"
        IPTABLES="/usr/sbin/iptables"
    
        # Disable routing triangulation. Respond to queries out
        # the same interface, not another. Helps to maintain state.
        # Also protects against IP spoofing
        $SYSCTLW net.ipv4.conf.all.rp_filter=1
    
        # Enable logging of packets with malformed IP addresses,
        # Disable redirects,
        # Disable source routed packets,
        # Disable acceptance of ICMP redirects,
        # Turn on protection from Denial of Service (DoS) attacks,
        # Disable responding to ping broadcasts,
        # Enable IP routing. Required if your firewall is protecting a network, NAT included
        $SYSCTLW net.ipv4.conf.all.log_martians=1
        $SYSCTLW net.ipv4.conf.all.send_redirects=0
        $SYSCTLW net.ipv4.conf.all.accept_source_route=0
        $SYSCTLW net.ipv4.conf.all.accept_redirects=0
        $SYSCTLW net.ipv4.tcp_syncookies=1
        $SYSCTLW net.ipv4.icmp_echo_ignore_broadcasts=1
        # $SYSCTLW net.ipv4.ip_forward=1
    
        # Firewall initialization, remove everything, start with clean tables
        $IPTABLES -F                  # remove all rules
        $IPTABLES -X                  # delete all user-defined chains
        $IPTABLES -P OUTPUT ACCEPT    # allow all outgoing packets
        $IPTABLES -P FORWARD DROP     # drop all forwarded packets
        $IPTABLES -P INPUT DROP       # drop all incoming packets
    
        # allow everything for the loopback device
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A OUTPUT -j ACCEPT   # redundant with the OUTPUT policy above, harmless
    
        # allow DNS in all directions
        # $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
        # $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
    
        # Allow previously established connections
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
        # allowed ports
        for PORT in $ALLOWED_TCP_PORTS; do
            $IPTABLES -A INPUT -p tcp --dport $PORT -j ACCEPT
        done
        for PORT in $ALLOWED_UDP_PORTS; do
            $IPTABLES -A INPUT -p udp --dport $PORT -j ACCEPT
        done
    
        # Create a chain for logging all dropped packets
        $IPTABLES -N LOG_DROP
        # $IPTABLES -A LOG_DROP -j LOG --log-prefix "Attack log: "
        $IPTABLES -A LOG_DROP -j DROP
    
        $IPTABLES -A INPUT -j LOG_DROP    # drop all incoming
        $IPTABLES -A FORWARD -j LOG_DROP  # drop all forwarded
    
        echo "$KIND services started..."
        RETVAL=0
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/iptables
        return $RETVAL
    }
    
    stop() {
        KIND="Iptables"
        echo -n $"Shutting down $KIND services: "
        IPTABLES="/usr/sbin/iptables"
    
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P INPUT ACCEPT
        RETVAL=$?    # exit status of the last iptables call
    
        if [ "$RETVAL" = "0" ]; then
            rm -f /var/lock/subsys/iptables
            echo "$KIND services stopped successfully"
        else
            echo "Failed! Could not stop $KIND services..."
        fi
        echo
        return $RETVAL
    }
    
    rhstatus() {
        IPTABLES="/usr/sbin/iptables"
        echo "-----------------------------------------------------------------------------------------------------------------"
        $IPTABLES -L -v
        echo "-----------------------------------------------------------------------------------------------------------------"
    }
    
    case "$1" in
      start)
        start
        ;;
      stop)
        stop
        ;;
      status)
        rhstatus
        ;;
      *)
        echo "Usage: rc.FireWall {start|stop|status}"
        exit 1
        ;;
    esac
    exit $?
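    The script above has a LOG_DROP chain whose LOG rule is commented out. Once that rule is enabled, every packet the DROP policy rejects lands in the kernel log (dmesg / /var/log/messages) with the prefix "Attack log: " followed by the usual LOG-target fields (IN=, SRC=, DST=, PROTO=, DPT= and so on). Reading those lines by hand gets old quickly, so here is an added example (not from the post above or from BackTrack) that turns them into a per-source summary. The log lines are constructed for the example; the hostnames, addresses and timestamps are made up. The function `flag_port_scans` reports a source once it has been dropped on at least N distinct destination ports, which is the simplest signature of a scan against the box.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the format the LOG target emits when
# the LOG_DROP chain above runs with --log-prefix "Attack log: ". One unrelated
# kernel line is mixed in to show that it is ignored. Not captured from a real host.
SAMPLE_LOG='Mar 10 12:00:01 bt kernel: Attack log: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=2424 PROTO=TCP SPT=45123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:01 bt kernel: Attack log: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=2425 PROTO=TCP SPT=45124 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:02 bt kernel: Attack log: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=2426 PROTO=TCP SPT=45125 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:05 bt kernel: Attack log: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar 10 12:00:06 bt kernel: usb 1-1: new high-speed USB device number 2
Mar 10 12:00:09 bt kernel: Attack log: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=2427 PROTO=TCP SPT=45126 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'

# summarize_drops: reads log lines on stdin and prints, per source address,
#   "<SRC> <dropped packets> <distinct destination ports>"
# sorted by source. Only lines carrying the LOG_DROP prefix are considered.
summarize_drops() {
    grep 'Attack log: ' | awk '
        {
            src = ""; dpt = ""
            # LOG fields are KEY=VALUE tokens; pick the two we care about
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            pkts[src]++
            if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in pkts) printf "%s %d %d\n", s, pkts[s], ports[s] + 0 }
    ' | sort
}

# flag_port_scans MIN_PORTS: prints each source that was dropped on at least
# MIN_PORTS distinct destination ports (the crude signature of a port scan).
flag_port_scans() {
    summarize_drops | awk -v min="$1" '$3 >= min { print $1 }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | flag_port_scans 3
```

    On a real box you would feed it the live log instead, for instance `dmesg | summarize_drops` after sourcing the file. The awk program keys on the KEY=VALUE tokens rather than on field positions, because the LOG target omits fields such as MAC= or DF depending on the packet, so column numbers are not stable.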

  5. #5 Just burned his ISO (Join Date Oct 2008, Posts 4)

    Giptables

    Try this. A great script for firewall.

    www dot giptables dot org

  6. #6 Just burned his ISO (Join Date Oct 2008, Posts 4)

    Try this: www dot giptables dot org

    Please delete this post; it's duplicated. Thank you.

  7. #7 JMC31337, Guest

    Program Utilizing IP Tables

    Try Slackfire.
    It's a good prog for iptables.

  8. #8 Just burned his ISO (Join Date May 2008, Posts 10)

    How do I find / activate the BT3 firewall? I'm just setting up BT3F and I don't know a whole lot about it.

  9. #9 the_rooster, Junior Member (Join Date Apr 2008, Posts 25)

    I found a rather simple script upon which to build at /etc/rc.d/rc.FireWall start|stop|status

  10. #10 Member (Join Date Jun 2008, Posts 101)

    Quote Originally Posted by Blackrose:
    How do I find / activate the BT3 firewall? I'm just setting up BT3F and I don't know a whole lot about it.

    If you want to use the one that comes with BT3F, simply rename rc.FireWall in /etc/rc.d/ to rc.firewall. Also give it execute rights if that hasn't been done. Run

    Code:
    iptables -L
    before rebooting and after to see if the firewall script was executed at start-up. If it wasn't, place a line in rc.local to execute it. Good luck!
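    Eyeballing `iptables -L` before and after a reboot tells you whether some rules loaded, but not whether the ruleset is actually the one the scripts in this thread intend: DROP policies on INPUT and FORWARD, the loopback rule from post #3, the ESTABLISHED,RELATED rule, and no stray accept-everything rule that quietly undoes the DROP policy. The following is an added example (not from this thread or from BackTrack) that audits a ruleset listing for exactly those properties. It reads the listing on stdin in the `iptables -S` format (it also recognises policy lines in the `iptables-save` form `:INPUT DROP [0:0]`), so it can be run offline against a saved dump; the two dumps embedded below are constructed to look like what `iptables -S` prints after rc.firewall start, once with the intended rules and once with a stray `-A INPUT -j ACCEPT`.

```shell
#!/bin/sh
# Audit an iptables ruleset listing (stdin) for the properties the rc.firewall
# scripts in this thread are supposed to establish. Prints one OK/FAIL line per
# check and returns the number of failed checks (0 means everything passed).

check() {   # $1 = description, $2 = ERE that must match at least one line of $DUMP
    if printf '%s\n' "$DUMP" | grep -Eq -- "$2"; then
        echo "OK   $1"
    else
        echo "FAIL $1"
        FAILURES=$((FAILURES + 1))
    fi
}

forbid() {  # $1 = description, $2 = ERE that must match no line of $DUMP
    if printf '%s\n' "$DUMP" | grep -Eq -- "$2"; then
        echo "FAIL $1"
        FAILURES=$((FAILURES + 1))
    else
        echo "OK   $1"
    fi
}

audit_ruleset() {
    DUMP="$(cat)"
    FAILURES=0
    check  "INPUT default policy is DROP"    '^(-P INPUT DROP|:INPUT DROP )'
    check  "FORWARD default policy is DROP"  '^(-P FORWARD DROP|:FORWARD DROP )'
    check  "loopback interface is accepted"  '^-A INPUT -i lo -j ACCEPT$'
    # iptables prints the state list in either order depending on version
    check  "replies to connections this host opened are accepted" \
           '^-A INPUT .*--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT$'
    # An accept with no interface, protocol, address or state qualifier makes
    # the DROP policy meaningless, whatever else is in the chain.
    forbid "no unconditional INPUT accept"   '^-A INPUT -j ACCEPT$'
    return "$FAILURES"
}

# Constructed listing resembling `iptables -S` after rc.firewall start from
# post #1 plus the lo rule from post #3. Not captured from a real host.
GOOD_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# Constructed listing where the policies look right but a stray accept-all
# rule was added and the state rule is missing. Also not from a real host.
BAD_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# Stand-alone run over both constructed listings
echo "== intended ruleset =="
printf '%s\n' "$GOOD_DUMP" | audit_ruleset
echo "== ruleset with a stray accept-all rule =="
printf '%s\n' "$BAD_DUMP" | audit_ruleset || echo "$? check(s) failed"
```

    On the live box, after sourcing the file, `iptables -S | audit_ruleset` gives the same report for the running ruleset; running it once before the reboot and once after answers the question in this post with a yes/no instead of a screenful of `iptables -L`.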
