Arno's iptables single- & multi-homed firewall script
(C) Copyright 2001-2003 by Arno van Amersfoort
Homepage           : http://rocky.molphys.leidenuniv.nl/
Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
Email              : a r n o v a AT x s 4 a l l DOT n l
------------------------------------------------------------------------------------------------------------------------
Credits:
- Seven. The initial firewall script was based on his work (Seven's iptables script 1.6 - (C) 2001)
- ADSL4linux. The initial ADSL implementation was taken from their iptables script (http://www.adsl4linux.nl)
- Arch@os for providing me with some useful information & for beta testing
- RelaxLex (Lex) for pointing out some inconsistencies
- Rifath Nawaz for beta testing the Freeswan support
------------------------------------------------------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
------------------------------------------------------------------------------------------------------------------------

An explanation of the files in the package:
-------------------------------------------
rc.iptables                   : The actual firewall script, core of Arno's iptables firewall. You should put this file in for example /etc/rc.d/ .
                                Furthermore, you need to make root the owner and group (with "chown root" & "chgrp root") and make sure only root can read, write and execute it (with "chmod 700"). All of this is for security reasons: the script runs as root at boot, so anyone who can write to it can change your ruleset or run their own commands as root.
iptables-firewall.conf        : The configuration file used for Arno's iptables firewall. Normally you should put it in /etc/ . Make sure root is owner and group (with "chown root" & "chgrp root") and make sure only root can read and write it (with "chmod 600"). All of this again for security reasons: the script reads this file as root.
iptables-firewall.conf.example: Example file on how to configure iptables-firewall.conf. Only use it as an example, do NOT use it as a direct configuration file!
syslog.conf                   : Example file on how to configure syslogd (/etc/syslog.conf) to log all firewall messages to a separate file called /var/log/firewall (instead of /var/log/messages).
fwfilter                      : A pipe filter script to make the firewall log more readable. It can be used for example in conjunction with a tail to log your firewall to local tty10 (-12). It can be used for both /var/log/messages and /var/log/firewall (or whatever file name you configured in syslogd), depending on the logging level specified in the configuration file. An example on how to use it can be found at the beginning of the fwfilter script. Any options for fwfilter can be configured within the script itself. You should put this file in for example /usr/local/bin/ .
rc.traffic-shaper             : A traffic shaper script which helps to prevent overflow of your upstream bandwidth when uploading, which would otherwise cause your download bandwidth to decrease (significantly). Any options for rc.traffic-shaper can be configured within the script itself. The network interface used for the traffic shaper should (already) exist when you run this script! You should put this file in for example /usr/local/bin/ . Note that development of my traffic shaper has been stopped. If you don't need any fancy features it will work fine, but note that there are much better alternatives for it (Wondershaper for example).
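A check for the ownership and permissions the rc.iptables and iptables-firewall.conf entries above ask for, added here as an example and not part of Arno's package. It assumes GNU coreutils "stat -c" (Linux; on BSD the format flags differ) and takes the expected owner and group as optional arguments so it can be tried on test files before auditing /etc as root; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of Arno's package): verify that a firewall file
# is owned by the expected user and group and has exactly the expected
# mode, as the README asks for rc.iptables (700) and
# iptables-firewall.conf (600).
# Assumes GNU coreutils "stat -c" (Linux).

# check_secure_file FILE MODE [OWNER] [GROUP]
# Prints one diagnostic line per problem; returns 0 only if everything
# matches. OWNER and GROUP default to root.
check_secure_file() {
    file=$1; want_mode=$2; want_owner=${3:-root}; want_group=${4:-root}
    if [ ! -e "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    # %a = octal mode without leading zero, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    have_mode=$1; have_owner=$2; have_group=$3
    rc=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE     $file is $have_mode, want $want_mode"; rc=1
    fi
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER    $file is $have_owner, want $want_owner"; rc=1
    fi
    if [ "$have_group" != "$want_group" ]; then
        echo "GROUP    $file is $have_group, want $want_group"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK       $file ($have_mode $have_owner:$have_group)"
    return $rc
}

# audit_default_install: check the two files at the README's default
# locations with the README's recommended modes. Returns non-zero if
# either file is missing or has looser permissions than recommended.
audit_default_install() {
    rc=0
    check_secure_file /etc/rc.d/rc.iptables 700 || rc=1
    check_secure_file /etc/iptables-firewall.conf 600 || rc=1
    return $rc
}
```

Run audit_default_install as root after installing the files; a non-zero return means something other than root can read or modify the script or its configuration.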
-------------------------------------
| Some important security advisory: |
-------------------------------------
1) Always start the firewall before you enable your (ADSL) internet connection (if possible). For a ppp interface that doesn't exist yet you can use the wildcard device called "ppp+".
2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't really understand what they mean. Changing them anyway could have a big impact on the security of your machine.

---------------
| Quick setup |
---------------
If you want to have it running quickly or are a novice user, then this is the part that's important. Remember that my firewall has a lot of other useful features which will NOT be used this way. The advantage of this is that by default various security features are enabled to protect you from hostile attacks.

1) First we have to check whether your Linux setup is OK in order to make the script work correctly.
   - It of course requires iptables to be installed. It's recommended to get the latest version (package), if possible, because this prevents any incompatibilities or bugs my script might have with older versions. Additionally the latest version contains all known (security) fixes, which strengthens the firewall itself.
   - Make sure that you have a kernel with iptables compiled in, or a modular kernel with the iptables modules installed. This is NOT possible while ipchains is still loaded. If ipchains is loaded (default for RedHat 7.1) then you need to do "rmmod ipchains" first before running this script.
   - It requires /bin/sh.
   - My script needs the following binaries in your path: ifconfig, modprobe, grep, uname, sed, date, cut.
   - The traffic shaper (rc.traffic-shaper) requires the "tc" command (from the iproute2 package).
   - If you want to enable resolving of IPs ($RESOLV_IPS) then the command 'dig' should also be available.
2) Now we need to determine whether you have a single- or dual-homed machine.
   Single-homed means you have ONLY one network interface, which is the one connected to the outside "evil" world (the internet). A dual-homed machine also has a local subnet connected to an additional network interface.
3) Put rc.iptables (default is /etc/rc.d/rc.iptables) & iptables-firewall.conf (default is /etc/iptables-firewall.conf) in the desired places (listed above with additional information). You probably also want to start the script automatically at system boot; for that you need to add a line like "/etc/rc.d/rc.iptables start" to the file "/etc/rc.d/rc.local" (probably at or near the end). The script is also compatible with chkconfig runlevels (RedHat), so you could also run it from the runlevels, but then of course you shouldn't start it from "/etc/rc.d/rc.local" as well; instead put the script itself in /etc/init.d/ .

Now we will change the required settings in "iptables-firewall.conf":
---------------------------------------------------------------------
4) Configure your external network interface, EXT_IF. This is the interface connected to the internet. When you have a dynamically assigned internet IP you should set "DYNAMIC_IP=1", else leave it off (0).
5) For dual-homed machines you should also configure INT_IF, the interface used for the local network. You should set your local subnet range in "INTERNAL_NET=" (the default value is normally OK). If you want your internal network to be able to access the internet (aka internet sharing), you should also enable NAT (masquerading) by setting "NAT=1".
6) If you don't have an (A)DSL modem (which works with a PPtP connection to your machine) you can continue with step 7. You can verify this with 'ifconfig': if a ppp device with your public IP exists you should configure the (A)DSL MODEM settings. First we must configure the network interface to which your modem is physically(!) connected (=MODEM_IF, which is commented out (#) by default), and this is NOT ppp+, ppp0 etc.!
   Here are some examples on how to do it for some providers (it's assumed that the modem is connected to eth0):

   PPPoE connection with a static public IP (e.g. MxStream in the Netherlands) (set up with the ADSL4Linux package from http://www.adsl4linux.nl):
   - MODEM_IF="eth0"
   - MODEM_IF_IP="10.0.0.150"
   - MODEM_IP="10.0.0.138"
   - DYNAMIC_IP=0

   T-DSL (Germany) with a dynamic public IP:
   - MODEM_IF="eth0"
   - MODEM_IF_IP="192.168.99.1"
   - MODEM_IP=""
   - DYNAMIC_IP=1

   PPPoA connection with a dynamic public IP (e.g. Versatel Zonnet in the Netherlands):
   - MODEM_IF="eth0"
   - MODEM_IF_IP=""          # This MUST be unset ("")!
   - MODEM_IP="10.0.0.138"   # You could unset ("") this.
   - DYNAMIC_IP=1

   Note: For extra security you *can* set the IP of your modem (MODEM_IP), but it's not necessary (anymore). If you don't know its IP or believe it doesn't have an IP (meaning it's transparent/bridging), you can leave MODEM_IP="". The same applies to the IP of the modem network interface (MODEM_IF_IP). In case of PPPoA (PPP-over-ATM) you MUST leave MODEM_IF_IP unset (="")!

7) When your public IP is dynamic (meaning it is not a fixed address permanently assigned to you by your ISP) then you should enable support for dynamic IPs by setting "DYNAMIC_IP=1".
8) You're now ready to start the firewall by issuing "/etc/rc.d/rc.iptables start". Everything should now work OK; if it doesn't, carefully review all steps and your configuration. For troubleshooting you can also consult my webpage (FAQ).

Parameters for rc.iptables:
---------------------------
start          = Start firewall (AND reset iptables counters)
stop           = Stop firewall (sets the default policies to ACCEPT, so the machine is completely unprotected until the next start)
restart        = Restart firewall (DOES NOT reset iptables counters)
breread        = Reread blocked hosts (blackhole) file
status [chain] = View firewall ruleset ([chain] is optional)
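Pre-flight checks for quick-setup steps 1 to 7 above, added here as an example and not part of Arno's package. check_prereqs() covers step 1 (required binaries in PATH, ipchains not loaded) and check_config() applies the constraints from steps 2 to 7 to an iptables-firewall.conf without sourcing it. The variable names (EXT_IF, INT_IF, INTERNAL_NET, NAT, MODEM_IF, DYNAMIC_IP) are the README's; the consistency rules are this example's reading of the steps, the function names are its own, and the config written by write_example_config is a constructed sample, not the shipped iptables-firewall.conf.example.

```shell
#!/bin/sh
# Added example, not part of Arno's package: pre-flight checks for the
# quick setup. Assumes a Linux host (/proc/modules) and a POSIX sh.

# Binaries the README says the script needs in $PATH (plus iptables itself).
REQUIRED_BINS="iptables ifconfig modprobe grep uname sed date cut"

# check_prereqs: 0 if every required binary is in PATH and ipchains is not
# loaded (iptables and ipchains cannot be active at the same time).
check_prereqs() {
    rc=0
    for b in $REQUIRED_BINS; do
        command -v "$b" >/dev/null 2>&1 || { echo "MISSING binary: $b"; rc=1; }
    done
    if [ -r /proc/modules ] && grep -q '^ipchains ' /proc/modules; then
        echo "ipchains is loaded; run 'rmmod ipchains' first"; rc=1
    fi
    return $rc
}

# cfg_get FILE KEY: print the value of KEY="value" or KEY=value (last
# occurrence wins, commented-out lines ignored). Parsing instead of
# sourcing keeps a stray command in the config from running as root.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_config FILE: 0 if the interface, NAT and modem settings are
# consistent with steps 2-7; prints one line per problem otherwise.
check_config() {
    f=$1; rc=0
    ext=$(cfg_get "$f" EXT_IF);       int=$(cfg_get "$f" INT_IF)
    net=$(cfg_get "$f" INTERNAL_NET); nat=$(cfg_get "$f" NAT)
    dyn=$(cfg_get "$f" DYNAMIC_IP);   modem=$(cfg_get "$f" MODEM_IF)

    # Step 4: the external interface is mandatory.
    [ -n "$ext" ] || { echo "EXT_IF is not set"; rc=1; }
    # Step 5: dual-homed needs INT_IF and a subnet; NAT needs INT_IF.
    if [ -n "$int" ]; then
        [ "$int" != "$ext" ] || { echo "INT_IF must differ from EXT_IF"; rc=1; }
        [ -n "$net" ] || { echo "INTERNAL_NET is empty but INT_IF is set"; rc=1; }
    elif [ "$nat" = "1" ]; then
        echo "NAT=1 needs INT_IF (no local network to masquerade)"; rc=1
    fi
    # Step 6: MODEM_IF is the physical NIC, never the ppp device.
    case "$modem" in
        ppp*) echo "MODEM_IF=$modem: must be the NIC the modem is wired to, not ppp"; rc=1 ;;
    esac
    if [ -n "$modem" ] && [ "$modem" = "$ext" ]; then
        echo "MODEM_IF equals EXT_IF; with a PPP modem EXT_IF is the ppp device"; rc=1
    fi
    # Step 7: DYNAMIC_IP is a 0/1 flag.
    case "$dyn" in
        0|1) ;;
        *) echo "DYNAMIC_IP must be 0 or 1 (got '$dyn')"; rc=1 ;;
    esac
    return $rc
}

# write_example_config FILE: constructed dual-homed PPPoE config in the
# README's format, using the MxStream modem values from step 6.
write_example_config() {
    cat > "$1" <<'EOF'
# constructed example, not the shipped iptables-firewall.conf.example
EXT_IF="ppp+"
DYNAMIC_IP=0
INT_IF="eth1"
INTERNAL_NET="192.168.1.0/24"
NAT=1
MODEM_IF="eth0"
MODEM_IF_IP="10.0.0.150"
MODEM_IP="10.0.0.138"
EOF
}

# preflight FILE: run both checks; 0 only when the host and config pass.
preflight() {
    check_prereqs; p=$?
    check_config "$1"; c=$?
    [ $p -eq 0 ] && [ $c -eq 0 ] && echo "OK: ready for rc.iptables start"
}
```

Call preflight /etc/iptables-firewall.conf before the first "rc.iptables start"; each reported line maps to one of the quick-setup steps above. The PPPoA rule (MODEM_IF_IP must be empty) is not checked because the config alone does not say whether the link is PPPoE or PPPoA.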