NAME

server-firewall 1.0.1


DESCRIPTION

server-firewall is a small iptables firewall script for Linux servers with a single network interface. It aims to protect the server as much as possible using the capabilities of netfilter (iptables).


FEATURES

This firewall script protects a single interface in both directions. Only a minimum of services is enabled by default.

Log messages and incoming and outgoing ICMP traffic are rate-limited.

It protects the server from various scan types, broadcasts, reserved networks and several other spoofing and attack techniques.

Supports firewall rules for hosts with dynamic IP addresses via dynamic DNS.

Logs how many bytes pass your interface in both directions, which you can use to check your provider's bill or to charge someone who uses your server.

Enables general traffic shaping on your server interface. Small packets (ssh) get a small but guaranteed bandwidth; bigger packets (www, ftp) get the maximum available bandwidth less the bandwidth guaranteed for small packets.

This allows you to connect to your server via ssh even while it is under a denial-of-service attack.

Note, however, that this is no guarantee. It will still be possible to take the server down completely. Don't feel secure.


REQUIREMENTS

Linux operating system.
One of the best choices is the completely free Debian system.

Kernel 2.4.x
The kernel must be version 2.4.x or higher with netfilter support enabled. See the file samples/kernel.config for how to configure this.

netfilter
The netfilter tool suite must be installed. On Debian you can install it with the following command:
 # apt-get install iptables

To make sure it is installed and the kernel is configured properly, run:

 # iptables -nL

It should list three empty, unconfigured default chains (default policy: ACCEPT):

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

tc
tc is part of the iproute tool suite. On Debian you can install it with:
 # apt-get install iproute

To check that it works and that QoS (Quality of Service) support is enabled in your kernel:

 # tc qdisc

Normally this produces no output. If you see a message like "RTNETLINK answers: Invalid argument", you have probably not enabled QoS support in the kernel.

ipcalc
Used to determine the IP configuration of your interface. You can get ipcalc from http://jodies.de/ipcalc.


INSTALLATION

Installing the server-firewall is quite simple.

Just edit the Makefile if you need to change the install destinations, then run the following command as root:

 # make install

The next step is to edit /etc/firewall.conf. There is not much to edit there; if your interface is not eth0, change it. The IP address and netmask are determined automatically. If you don't want this, comment those lines out and configure them manually.

Afterwards cd to /etc/firewall.d. The files of interest are:

firewall.rules
This is the most important file: it contains all the iptables commands that build the firewall ruleset. Edit it to suit your needs. By default, no incoming services are enabled besides SSH. Several other services are already configured in the file; just remove the comment markers to accept them.

Refer to the iptables manual page for how to use iptables.

firewall.tc
Contains the QoS settings described in the FEATURES section. Normally you don't need to tune it. If you need or want to, refer to the tc manual page and the Linux Advanced Routing HOWTO: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/.
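The shaping policy from the FEATURES section (a guaranteed slice for small packets, the rest for bulk), written out as an added example with an HTB qdisc and iptables marks. This is not the project's firewall.tc, which may use another qdisc or class layout; IFACE, RATE_KBIT and SMALL_KBIT are assumed values, and by default the commands are only printed, like "/etc/init.d/firewall print".

```shell
#!/bin/sh
# Added example, not the project's firewall.tc. Assumed parameters: IFACE,
# RATE_KBIT (link bandwidth) and SMALL_KBIT (bandwidth guaranteed to the
# small-packet / ssh class). DRY_RUN=1 (default) only prints the commands,
# like "/etc/init.d/firewall print"; set DRY_RUN=0 to apply them as root.
IFACE=${IFACE:-eth0}
RATE_KBIT=${RATE_KBIT:-10000}
SMALL_KBIT=${SMALL_KBIT:-512}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Bulk class bandwidth: everything above the guarantee for small packets.
bulk_kbit() { echo $((RATE_KBIT - SMALL_KBIT)); }

shape_interface() {
    # Clean slate; ignore the error if no qdisc is attached yet.
    run tc qdisc del dev "$IFACE" root 2>/dev/null || true
    # Root HTB; traffic without a matching filter lands in bulk class 1:20.
    run tc qdisc add dev "$IFACE" root handle 1: htb default 20
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate "${RATE_KBIT}kbit"
    # 1:10: ssh and other small packets. Guaranteed SMALL_KBIT, served first
    # (prio 0) and allowed to borrow up to the full link rate.
    run tc class add dev "$IFACE" parent 1:1 classid 1:10 htb \
        rate "${SMALL_KBIT}kbit" ceil "${RATE_KBIT}kbit" prio 0
    # 1:20: www, ftp and other bulk traffic. Gets the rest, and may use the
    # whole link only while 1:10 is idle.
    run tc class add dev "$IFACE" parent 1:1 classid 1:20 htb \
        rate "$(bulk_kbit)kbit" ceil "${RATE_KBIT}kbit" prio 1
    # Packets carrying firewall mark 1 go to 1:10; everything else is default.
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 handle 1 fw classid 1:10
}

# Mark outgoing ssh packets and any small packet (up to 128 bytes, e.g. TCP
# ACKs) so the fw filter above steers them into the guaranteed class.
mark_small_packets() {
    run iptables -t mangle -A OUTPUT -o "$IFACE" -p tcp --sport 22 -j MARK --set-mark 1
    run iptables -t mangle -A OUTPUT -o "$IFACE" -m length --length 0:128 -j MARK --set-mark 1
}

# "sh shaping.sh --setup" prints (or with DRY_RUN=0 applies) the whole setup.
if [ "${1:-}" = "--setup" ]; then
    shape_interface
    mark_small_packets
fi
```

Only egress is shaped here, since a root qdisc acts on packets leaving the interface.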

firewall.kernel
This file adjusts some kernel parameters. Read the comments in the file for information about what they do. The file /usr/src/linux/Documentation/networking/ip-sysctl.txt contains extensive descriptions of all available parameters.

hosts
This file contains the hostnames of hosts with dynamic IP addresses. If you turn on the DYNAMIC chain in firewall.rules, put the names of the dynamic hosts in this file, one hostname per line.

You then also need to add a cronjob which creates the required file hosts.dynamic, containing the currently resolved IPs of the hosts, and re-initializes the DYNAMIC chain. See samples/cron for how to do this.

To use the DYNAMIC chain, use -j DYNAMIC as the target of a service rule instead of -j $DENY; this feeds the packet to the DYNAMIC chain. If the corresponding address is accepted there, the packet passes the interface; if not, it is dropped, which is the default policy of the DYNAMIC chain.
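The cronjob described above, resolving the hosts file into hosts.dynamic and re-initializing the DYNAMIC chain, as an added example that is not the project's own samples/cron. The paths HOSTS and DYNFILE are assumptions, and by default the iptables commands are only printed, like "/etc/init.d/firewall print"; note that the allow-list is only as trustworthy as the DNS answers it is built from, so the script keeps nothing that is not a plain IPv4 address.

```shell
#!/bin/sh
# Cronjob helper that rebuilds the DYNAMIC chain from /etc/firewall.d/hosts.
# Added example, not part of server-firewall; the project's own samples/cron
# may differ. Assumed paths: HOSTS and DYNFILE below. With DRY_RUN=1 (the
# default) the iptables commands are only printed; set DRY_RUN=0 to apply.
HOSTS=${HOSTS:-/etc/firewall.d/hosts}
DYNFILE=${DYNFILE:-/etc/firewall.d/hosts.dynamic}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Keep only lines that look like dotted-quad IPv4 addresses, so a garbled or
# empty DNS answer never turns into an iptables argument.
filter_ipv4() { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Resolve every hostname in $1 (blank lines and # comments skipped) and write
# the unique IPv4 results to $2, the hosts.dynamic file.
resolve_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r name; do
        getent ahostsv4 "$name" | awk '{print $1}'
    done | filter_ipv4 | sort -u > "$2"
}

# Re-initialize the DYNAMIC chain from the addresses in $1: flush it, ACCEPT
# each current address, and end with DROP. A user-defined chain has no policy
# of its own, so the final DROP rule is what implements the default drop.
dynamic_chain() {
    run -N DYNAMIC 2>/dev/null || true   # create the chain if it is missing
    run -F DYNAMIC
    while read -r ip; do
        run -A DYNAMIC -s "$ip" -j ACCEPT
    done < "$1"
    run -A DYNAMIC -j DROP
}

# Invoked as "sh rebuild-dynamic.sh --cron" from crontab; without the flag
# only the functions are defined, so the file can be sourced or tested.
if [ "${1:-}" = "--cron" ]; then
    resolve_hosts "$HOSTS" "$DYNFILE"
    dynamic_chain "$DYNFILE"
fi
```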


MAINTENANCE

When you are ready to try it out, first check that the generated rules are correct:

 # /etc/init.d/firewall print

This just prints the commands that would be executed. If it looks OK, then do:

 # /etc/init.d/firewall start

and check that it works. Use nmap to determine whether your server is still insecure or almost closed.

A script called flog is also installed, which makes it somewhat easier to view the firewall syslog messages:

 # tail -f /var/log/firewall.log | flog

You may also install a crontab entry for fipaccounting, which writes the accounting data to a logfile and clears the counters. Use faccsummarize to summarize the accounting log.


COPYRIGHT

 This file  is part of the  SERVER-FIREWALL.
 By  accessing  this software,  SERVER-FIREWALL, you  are  duly
 informed of and agree to be  bound by the conditions described
 below in this notice:
 This software product, SERVER-FIREWALL, is developed by Thomas
 Linden and   copyrighted (C) 1999-2002 by  Thomas Linden, with
 all rights reserved.
 There  is  no charge for the software.  You  can  redistribute
 it and/or  modify it under the terms of the GNU General Public
 License, which is incorporated by reference herein.
 SERVER-FIREWALL is distributed  WITHOUT ANY  WARRANTY, IMPLIED
 OR EXPRESS,  OF MERCHANTABILITY  OR FITNESS FOR  A  PARTICULAR
 PURPOSE or that the use  of it will  not infringe on any third
 party's intellectual property rights.
 You should have received a copy of  GNU General Public License
 along with SERVER-FIREWALL.  Copies can also be obtained from:
   http://www.gnu.org/copyleft/gpl.html
 or by writing to:
   Free Software Foundation, Inc.
   59 Temple Place, Suite 330
   Boston, MA 02111-1307
   USA
 Or contact:
   "Thomas Linden" <tom@daemon.de>


AUTHOR

"Thomas Linden" <tom@daemon.de>