1 |
"P.V.Anthony" <pvantony@×××××××××××.sg> posted |
2 |
470438AA.8040502@×××××××××××.sg, excerpted below, on Thu, 04 Oct 2007 |
3 |
08:49:46 +0800: |
4 |
|
5 |
> I was trying to get the KISS firewall working on Gentoo Hardened amd64. |
6 |
> |
7 |
> The firewall script is from the following, |
8 |
> http://www.geocities.com/steve93138/ |
9 |
> |
10 |
> I am not at all good with firewalls. That is why I am using this KISS |
11 |
> script. |
12 |
> |
13 |
> Have emerged iptables. Currently using kernel version 2.6.22 from the |
14 |
> gentoo hardened sources. |
15 |
> |
16 |
> Searched google and found no good solution. |
17 |
> |
18 |
> It seems that the kernel modules are different for some kernels |
19 |
> versions. |
20 |
> |
21 |
> Cannot find the ipt_unclean module. Tried compiling all the modules |
22 |
> under Network. |
23 |
> |
24 |
> If there are any links, please share them. Or better please help with |
25 |
> advice. |
26 |
|
27 |
First a direct answer, then my experience/opinion, FWIW. |
28 |
|
29 |
Direct answer: With a bit of googling, I found the following: |
30 |
|
31 |
http://www.groupsrv.com/linux/about16735.html |
32 |
|
33 |
The gist of it is that the ipt_unclean module was always considered |
34 |
experimental and not recommended by the IPTables folks, and was removed |
35 |
shortly before kernel 2.6.0, due to conflict with header usage for IETF |
36 |
network congestion notification. |
37 |
|
38 |
It's also worth noting that it was never entirely free of problems -- |
39 |
race conditions and the like -- thus its constant "experimental" status |
40 |
even while it existed. At one point, and the first page of the google |
41 |
results for it was full of hits on this, it was actually locking up the |
42 |
kernel. Thus, while it was /intended/ to filter unclean packets, it was |
43 |
always considered iffy at best and was not recommended, since the cure |
44 |
was effectively worse than the disease! |
45 |
|
46 |
Obviously, given the above, it's not something you'd want on in any case |
47 |
-- unless you were someone experimenting with it, thus the "experimental" |
48 |
label. |
49 |
|
50 |
So that answer your question... you won't find that module per se in a |
51 |
2.6 kernel, and since it was removed before 2.6.0, any kind of firewall |
52 |
script you find that still references it is either for 2.4 kernels only |
53 |
(and then either specifically for folks experimenting, or by someone who |
54 |
obviously didn't know what he was doing), or hopelessly outdated at this |
55 |
point. IOW, anything that references it without some sort of HUGE |
56 |
warning... isn't something I'd be trusting in the first place. |
57 |
|
58 |
... Which brings me to the second part of this post, some "advice" since |
59 |
you asked for it, based on my own experience. Obviously, this part is |
60 |
opinion only. Feel free to treat it as worth what you are paying for it |
61 |
(nothing). =8^) |
62 |
|
63 |
Personally, I tried a number of different firewall scripts, but wasn't |
64 |
really satisfied with any of them. Most of them tried to do too much -- |
65 |
they had all sorts of config options for configuring big commercial |
66 |
networks, options for shutting off net access to a specific segment of |
67 |
the internal network at a specific time, for instance. I didn't /need/ |
68 |
that sort of complex configuration, and it only made things more |
69 |
confusing, not less. |
70 |
|
71 |
At the same time, stuff that should have been simple ended up hugely |
72 |
complex. I was never sure which modules I needed for which options, and |
73 |
since I was configuring scripts that did the actual configuring of the |
74 |
IPTables based firewall, when something didn't work, I was never quite |
75 |
sure whether it was the script, or a bug in the kernel, or a missing |
76 |
module, or my mistake, or... Well, I'm sure you can identify right about |
77 |
now! =8^( |
78 |
|
79 |
So I decided that just wasn't going to work, and for several years I just |
80 |
depended on a NAPT based router (which I had bought when I was back on |
81 |
MSWormOS) to do my firewalling. It was relatively simple, but had |
82 |
documentation, actually worked according to it, and did the job I needed |
83 |
done. |
84 |
|
85 |
However, that router was an old generation 1.5 Netgear, limited to 10Mbit |
86 |
Ethernet on the WAN port, with actual thruput limited to about 6.5 Mbps. |
87 |
When my Internet connection was upped to 7Mbps, the router became the |
88 |
bottleneck, and I realized I either needed to buy a new one or quit |
89 |
putting off learning IPTables the /right/ way. |
90 |
|
91 |
I learned IPTables directly. As I expected, it was /much/ simpler than |
92 |
the scripts /ever/ were. This is particularly true for Gentoo users |
93 |
already accustomed to running emerges and doing various other sysadmin |
94 |
tasks from a CLI, as opposed to doing everything from a GUI, and who |
95 |
already configure and compile their own kernel and don't run screaming |
96 |
when someone mentions the very idea of doing so in ordered to get a |
97 |
specific netfilter module. Arguably, the scripts /could/ be better for |
98 |
folks used to running a distribution's precompiled binary kernel, with |
99 |
all its precompiled modules, who as I said run screaming at the very idea |
100 |
of compiling their own, tho I never found it so (I was on Mandrake back |
101 |
when I first tried, altho I must say I learned to compile my own kernel, |
102 |
even if it was from Mandrake sources, pretty early on), but my opinion is |
103 |
that most Gentoo users will be better served learning IPTables directly. |
104 |
It's NOT that hard, and as I said, I actually found it /vastly/ simpler |
105 |
than trying to figure out all those indirect scripts and the like. YMMV |
106 |
of course... |
107 |
|
108 |
So, assuming I've convinced you and you want to learn IPTables itself, |
109 |
what's an easy way to start? Well, one way's to merge the iptables |
110 |
package and then read the iptables manpage. From my experience, even |
111 |
that would be on par with trying to run those stupid supposedly "simple" |
112 |
firewall configuration scripts, but I'd call that "intermediate". That |
113 |
works best after you have your bearings and know the basics. There are |
114 |
easier ways to start. |
115 |
|
116 |
You said firewall, but didn't mention whether you are more interested in |
117 |
running a firewall protecting a standalone machine, or whether you really |
118 |
had in mind a dedicated firewall machine, protecting a whole LAN worth of |
119 |
machines (tho that might be only one) behind it. |
120 |
|
121 |
My case is the first, a firewall protecting a standalone machine, and in |
122 |
any event, as long as you have direct console access to your firewall, |
123 |
it's easiest to start there, and deal with the forwarding later, after |
124 |
you learn the basics. If you are logging into your firewall machine over |
125 |
the LAN and don't have any direct console access, you do of course need |
126 |
to be careful you don't block your own command connection. That's |
127 |
possible, but to keep things simple, the below assumes a direct console |
128 |
connection. |
129 |
|
130 |
For the Gentoo user especially, the simplest and most direct guide is the |
131 |
one DRobbins himself wrote for IBM developerWorks, back for kernel 2.4, |
132 |
but still useful today, and now hosted on the Gentoo infrastructure and |
133 |
listed in the main docs list. |
134 |
|
135 |
http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml |
136 |
|
137 |
Courtesy of some googling, here are some more paralleling that (links may |
138 |
wrap): |
139 |
|
140 |
David Mair's very basic firewall protecting a standalone machine version: |
141 |
|
142 |
http://www.cyberciti.biz/tips/how-do-i-build-a-simple-linux-firewall-for- |
143 |
dsldial-up-connection.html |
144 |
|
145 |
Here's another David Mair link, this one for a dedicated firewall |
146 |
protecting a LAN: |
147 |
|
148 |
http://www.novell.com/coolsolutions/feature/18139.html |
149 |
|
150 |
Another useful one. As the DRobbins tutorial, it starts with a simple |
151 |
single standalone machine firewall and gets more complex from there: |
152 |
|
153 |
http://wiki.centos.org/HowTos/Network/IPTables |
154 |
|
155 |
If you are doing a dedicated router, Gentoo has a guide specifically for |
156 |
that, too. In addition to firewalling and routing, it covers setting up |
157 |
additional stuff such as mail/web/ntp servers and the like, that you may |
158 |
wish to host on your firewall/router machine. |
159 |
|
160 |
http://www.gentoo.org/doc/en/home-router-howto.xml |
161 |
|
162 |
OK, here's the official netfilter site tutorial list, but unfortunately, |
163 |
it seems like it isn't kept up to date, and some of the links are dead- |
164 |
ends. Many of the others don't seem real appropriate, but I'll list a |
165 |
few of the more useful ones below: |
166 |
|
167 |
http://www.netfilter.org/documentation/index.html#documentation-tutorials |
168 |
|
169 |
The first one, IPTables Tutorial by Oskar Andreasson, may be useful if |
170 |
you don't know much about the basics of TCP/IP, and want to get a general |
171 |
orientation on that, with IPTables in mind, before you get to doing stuff |
172 |
with IPTables itself. |
173 |
|
174 |
Down the list a way, there's Netfilter tutorial, by crhalpin. It has a |
175 |
nice example at the end, specifically for a firewall/NAT box, thus it |
176 |
should be most useful for that, but it has a couple rather useful hints |
177 |
sections, "Tips and Style Issues", and "Common Mistakes (or Don't Follow |
178 |
in my Footsteps)". |
179 |
|
180 |
The last three links on that official tutorials list are to |
181 |
professionally written magazine articles, by David Coulson. The links |
182 |
are to the PDFs as taken straight from the magazines, so if you like nice |
183 |
glossy magazine layouts, these are likely to be right down your alley! |
184 |
=8^) |
185 |
|
186 |
OK, some misc. discussion and additional links: |
187 |
|
188 |
Useful info if you run bittorrent, by Vivek: |
189 |
|
190 |
http://www.cyberciti.biz/tips/linux-iptables-open-bittorrent-tcp- |
191 |
ports-6881-to-6889.html |
192 |
|
193 |
For Gentoo, the in-tree iptables package places the iptables initscript |
194 |
in the usual place, /etc/init.d, with its config likewise in the usual |
195 |
place, /etc/conf.d. Many of the above links use scripts to setup and |
196 |
take down their iptables setup, but Gentoo naturally already has that |
197 |
covered. Once you get the running iptables setup the way you wish, |
198 |
configure /etc/conf.d/iptables, then run |
199 |
|
200 |
/etc/init.d/iptables save |
201 |
|
202 |
to save your setup to the configured location. FWIW, I decided I wanted |
203 |
mine in /etc/iptables.rules instead of the default /var location, but |
204 |
that of course is up to you. |
205 |
|
206 |
Particularly if you turned on the SAVE_ON_STOP option, you may wish to |
207 |
make it a point of backing up your useful config every time you change |
208 |
it, just to be sure your specific config you worked so hard to setup |
209 |
isn't accidentally overwritten by a non-working config if you change it. |
210 |
I like to use dates on my backups so I know when they were made, so along |
211 |
with my rules in /etc, I have a backup iptables.rules.20070731 (the last |
212 |
date I tweaked it) as well. |
213 |
|
214 |
Once you have your config saved, you will want to add the iptables |
215 |
service to the appropriate runlevel, in boot if your network starts |
216 |
there, or in default if there. It'll start before the network if it's in |
217 |
the appropriate level. You can add it to nonetwork if you wish as well |
218 |
-- it won't harm anything, and will activate on any network interfaces as |
219 |
they are brought up if you start networking manually that way. |
220 |
|
221 |
FWIW, in addition to the "save" action and the normal start/stop/restart/ |
222 |
zap type actions, Gentoo's iptables initscript has two additional |
223 |
actions, "reload", to reload the saved config, and "panic", which I've |
224 |
never used but appears to shut down all net access immediately, |
225 |
accomplished by setting everything to immediate drop. (I'd be more |
226 |
inclined to unplug my cable modem in that situation, thus my not feeling |
227 |
the need to investigate the panic function, but it's useful to know it's |
228 |
there anyway.) |
229 |
|
230 |
There are two commands to display active rules. iptables -L lists them |
231 |
in one format, iptables-save, which outputs to STDOUT thus to the |
232 |
terminal if not redirected to a file, lists them in a somewhat different |
233 |
format. iptables -L is perhaps more useful as an overview as it's more |
234 |
tabular and less cluttered, but the output of iptables-save is much |
235 |
closer to the command line parameters actually entered to create the |
236 |
rules. Thus, iptables-save tends to be more useful when actually |
237 |
creating and deleting rules, or anyway I certainly found it so. |
238 |
|
239 |
Finally, in addition to the stuff covered in the tutorials above, there |
240 |
are a few additional rules general and useful enough to mention here. |
241 |
|
242 |
First, if your ISP (as mine) uses DHCP, you'll want to add a rule |
243 |
allowing that, since it won't be covered by the usual established,related |
244 |
rule because the connection is just being setup at that point. After |
245 |
reading the tutorials above and referencing the iptables manpage if |
246 |
necessary, this should make enough sense that you can setup your own rule |
247 |
for it reasonably easily. DHCP is an extension of bootp, and uses the |
248 |
same ports, udp ports 67 and 68. Incoming, you'll want a rule allowing |
249 |
udp sport 67, dport 68. The outgoing rule if you need one (basic setups |
250 |
normally allow outgoing by default, in which case you probably don't) |
251 |
would be the reverse, udp sport 68, dport 67. |
252 |
|
253 |
Additionally, I found that while I wanted to log most traffic before it |
254 |
was dropped, I wanted to limit the logging rate so it wouldn't use up all |
255 |
the space on my log partition if I got attacked, and there were a few |
256 |
things, like messenger spam (udp dport 1026-1031 inbound) that were SO |
257 |
common it wasn't worth logging at all. I accomplished this by setting up |
258 |
a logging chain, adding a rule to the end of the input chain (after all |
259 |
my normal allows) to jump to the logging chain. The rules in this |
260 |
logging chain then drop anything (like udp dport 1026-1031 as mentioned |
261 |
above) I consider too common to log, with the last rule in the logging |
262 |
chain a rate-limited logging rule. Processing then returns to the input |
263 |
chain, which having no additional rules (the one invoking the logging |
264 |
chain being the last one) and a DROP policy, then drops any remaining |
265 |
packets. |
266 |
|
267 |
As the logging paragraph above indicates, I found it useful to create a |
268 |
few chains beyond the default INPUT/OUTPUT/FORWARD. Specifically, I have |
269 |
(for input): |
270 |
|
271 |
in-except, for exceptions to the following, |
272 |
in-allow, for explicit allow rules, |
273 |
in-log, to drop the real common stuff and log whatever has fallen thru. |
274 |
|
275 |
The default INPUT chain with a default DROP policy then consists of three |
276 |
simple rules jumping to the above three input chains in order, as follows |
277 |
(format is as output by iptables-save): |
278 |
|
279 |
-A INPUT -j in-except |
280 |
-A INPUT -j in-allow |
281 |
-A INPUT -j in-log |
282 |
|
283 |
in-exceptions is currently empty, but from previous experience I've found |
284 |
it useful to have. It comes in handy if I want to block packets from a |
285 |
specific IP or something that would otherwise be allowed. |
286 |
|
287 |
in-allow has the following three rules: |
288 |
|
289 |
-A in-allow -m state --state RELATED,ESTABLISHED -j ACCEPT |
290 |
-A in-allow -i lo -j ACCEPT |
291 |
-A in-allow -p udp -m udp --sport 67 --dport 68 -j ACCEPT |
292 |
|
293 |
The related/established one should be well covered in the tutorials. I |
294 |
allow everything from the localhost loopback interface, and as discussed |
295 |
above, I allow DHCP packets. (The DHCP rule could be tightened down |
296 |
somewhat if necessary, but this works and is reasonably limited, |
297 |
considering the dhcp client only has the port open a limited time when it |
298 |
leases or renews the IP.) |
299 |
|
300 |
in-log also has three rules, as follows: |
301 |
|
302 |
-A in-log -i eth0 -p icmp -m icmp --icmp-type 8/0 -j DROP |
303 |
-A in-log -i eth0 -p udp -m udp --dport 1026:1031 -j DROP |
304 |
-A in-log -m limit --limit 20/hour -j LOG --log-prefix "IPTables:" |
305 |
|
306 |
ICMP type 8/0 is ICMP echo, aka "ping", ICMP implementation. I choose to |
307 |
drop this, and to do so before logging. The second entry is the |
308 |
messenger spam entry I mentioned above, since the things otherwise fill |
309 |
my logs. The third is the logging entry itself, using the default burst |
310 |
level of (IIRC) five, then limited to one every three minutes. |
311 |
|
312 |
Since this is a stand-alone machine, I don't have to worry about |
313 |
forwarding so it's simply a default DROP policy. I don't have a reason to |
314 |
filter output, so it's simply a default ACCEPT policy. Thus, similar to |
315 |
a NAPT based router, the only filtering I'm doing is on incoming packets, |
316 |
and generally limited to related/established, with a limited set of |
317 |
exceptions, and everything else rate-limit logged, again with a limited |
318 |
set of too-common exceptions, before dropping. |
319 |
|
320 |
The entire set, again as output from iptables-save, is as follows (packet/ |
321 |
byte stats where displayed xxed out): |
322 |
|
323 |
# Generated by iptables-save v1.3.8 on Thu Oct 4 07:00:23 2007 |
324 |
*filter |
325 |
:INPUT DROP [xxx:xxx] |
326 |
:FORWARD DROP [0:0] |
327 |
:OUTPUT ACCEPT [xxx:xxx] |
328 |
:in-allow - [0:0] |
329 |
:in-except - [0:0] |
330 |
:in-log - [0:0] |
331 |
-A INPUT -j in-except |
332 |
-A INPUT -j in-allow |
333 |
-A INPUT -j in-log |
334 |
-A in-allow -m state --state RELATED,ESTABLISHED -j ACCEPT |
335 |
-A in-allow -i lo -j ACCEPT |
336 |
-A in-allow -p udp -m udp --sport 67 --dport 68 -j ACCEPT |
337 |
-A in-log -i eth0 -p icmp -m icmp --icmp-type 8/0 -j DROP |
338 |
-A in-log -i eth0 -p udp -m udp --dport 1026:1031 -j DROP |
339 |
-A in-log -m limit --limit 20/hour -j LOG --log-prefix "IPTables:" |
340 |
COMMIT |
341 |
# Completed on Thu Oct 4 07:00:23 2007 |
342 |
|
343 |
To enable that and provide a bit of additional flexibility, I have the |
344 |
following related kernel config items enabled (I prefer builtin for |
345 |
regularly used stuff, so most of these are =y here, but some can be |
346 |
modularized, =m, if desired): |
347 |
|
348 |
#General netfilter option, under Networking > Networking Options |
349 |
CONFIG_NETFILTER |
350 |
# Under that... |
351 |
|
352 |
# ... Under Core Netfilter Configuration |
353 |
|
354 |
# Netfilter connection tracking support |
355 |
CONFIG_NF_CONNTRACK_ENABLED |
356 |
# FTP protocol support |
357 |
CONFIG_NF_CONNTRACK_FTP |
358 |
# Netfilter Xtables support |
359 |
CONFIG_NETFILTER_XTABLES |
360 |
# "NFLOG" target support |
361 |
CONFIG_NETFILTER_XT_TARGET_NFLOG |
362 |
# "helper" match support |
363 |
CONFIG_NETFILTER_XT_MATCH_HELPER |
364 |
# "limit" match support |
365 |
CONFIG_NETFILTER_XT_MATCH_LIMIT |
366 |
# Multiple port match support |
367 |
CONFIG_NETFILTER_XT_MATCH_MULTIPORT |
368 |
# "pkttype" packet type match support |
369 |
CONFIG_NETFILTER_XT_MATCH_PKTTYPE |
370 |
# "state" match support |
371 |
CONFIG_NETFILTER_XT_MATCH_STATE |
372 |
|
373 |
# ... Under IP: Netfilter Configuration |
374 |
|
375 |
# IPv4 connection tracking support (required for NAT) |
376 |
CONFIG_NF_CONNTRACK_IPV4 |
377 |
# IP tables support (required for filtering/masq/NAT) |
378 |
CONFIG_IP_NF_IPTABLES |
379 |
# IP range match support |
380 |
CONFIG_IP_NF_MATCH_IPRANGE |
381 |
# Owner match support |
382 |
CONFIG_IP_NF_MATCH_OWNER |
383 |
# Packet filtering |
384 |
CONFIG_IP_NF_FILTER |
385 |
# REJECT target support |
386 |
CONFIG_IP_NF_TARGET_REJECT |
387 |
# LOG target support |
388 |
CONFIG_IP_NF_TARGET_LOG |
389 |
|
390 |
All the other Netfilter related kernel options are off. |
391 |
|
392 |
Hope that's all useful, if not to you then to someone, as it took me |
393 |
quite some time to compose it! =8^) |
394 |
|
395 |
-- |
396 |
Duncan - List replies preferred. No HTML msgs. |
397 |
"Every nonfree program has a lord, a master -- |
398 |
and if you use the program, he is your master." Richard Stallman |
399 |
|
400 |
-- |
401 |
gentoo-amd64@g.o mailing list |