| 1 |
"P.V.Anthony" <pvantony@×××××××××××.sg> posted |
| 2 |
470438AA.8040502@×××××××××××.sg, excerpted below, on Thu, 04 Oct 2007 |
| 3 |
08:49:46 +0800: |
| 4 |
|
| 5 |
> I was trying to get the KISS firewall working on Gentoo Hardened amd64. |
| 6 |
> |
| 7 |
> The firewall script is from the following, |
| 8 |
> http://www.geocities.com/steve93138/ |
| 9 |
> |
| 10 |
> I am not at all good with firewalls. That is why I am using this KISS |
| 11 |
> script. |
| 12 |
> |
| 13 |
> Have emerged iptables. Currently using kernel version 2.6.22 from the |
| 14 |
> gentoo hardened sources. |
| 15 |
> |
| 16 |
> Searched google and found no good solution. |
| 17 |
> |
| 18 |
> It seems that the kernel modules are different for some kernels |
| 19 |
> versions. |
| 20 |
> |
| 21 |
> Cannot find the ipt_unclean module. Tried compiling all the modules |
| 22 |
> under Network. |
| 23 |
> |
| 24 |
> If there are any links, please share them. Or better please help with |
| 25 |
> advice. |
| 26 |
|
| 27 |
First a direct answer, then my experience/opinion, FWIW. |
| 28 |
|
| 29 |
Direct answer: With a bit of googling, I found the following: |
| 30 |
|
| 31 |
http://www.groupsrv.com/linux/about16735.html |
| 32 |
|
| 33 |
The gist of it is that the ipt_unclean module was always considered |
| 34 |
experimental and not recommended by the IPTables folks, and was removed |
| 35 |
shortly before kernel 2.6.0, due to conflict with header usage for IETF |
| 36 |
network congestion notification. |
| 37 |
|
| 38 |
It's also worth noting that it was never entirely free of problems -- |
| 39 |
race conditions and the like -- thus its constant "experimental" status |
| 40 |
even while it existed. At one point, and the first page of the google |
| 41 |
results for it was full of hits on this, it was actually locking up the |
| 42 |
kernel. Thus, while it was /intended/ to filter unclean packets, it was |
| 43 |
always considered iffy at best and was not recommended, since the cure |
| 44 |
was effectively worse than the disease! |
| 45 |
|
| 46 |
Obviously, given the above, it's not something you'd want on in any case |
| 47 |
-- unless you were someone experimenting with it, thus the "experimental" |
| 48 |
label. |
| 49 |
|
| 50 |
So that answer your question... you won't find that module per se in a |
| 51 |
2.6 kernel, and since it was removed before 2.6.0, any kind of firewall |
| 52 |
script you find that still references it is either for 2.4 kernels only |
| 53 |
(and then either specifically for folks experimenting, or by someone who |
| 54 |
obviously didn't know what he was doing), or hopelessly outdated at this |
| 55 |
point. IOW, anything that references it without some sort of HUGE |
| 56 |
warning... isn't something I'd be trusting in the first place. |
| 57 |
|
| 58 |
... Which brings me to the second part of this post, some "advice" since |
| 59 |
you asked for it, based on my own experience. Obviously, this part is |
| 60 |
opinion only. Feel free to treat it as worth what you are paying for it |
| 61 |
(nothing). =8^) |
| 62 |
|
| 63 |
Personally, I tried a number of different firewall scripts, but wasn't |
| 64 |
really satisfied with any of them. Most of them tried to do too much -- |
| 65 |
they had all sorts of config options for configuring big commercial |
| 66 |
networks, options for shutting off net access to a specific segment of |
| 67 |
the internal network at a specific time, for instance. I didn't /need/ |
| 68 |
that sort of complex configuration, and it only made things more |
| 69 |
confusing, not less. |
| 70 |
|
| 71 |
At the same time, stuff that should have been simple ended up hugely |
| 72 |
complex. I was never sure which modules I needed for which options, and |
| 73 |
since I was configuring scripts that did the actual configuring of the |
| 74 |
IPTables based firewall, when something didn't work, I was never quite |
| 75 |
sure whether it was the script, or a bug in the kernel, or a missing |
| 76 |
module, or my mistake, or... Well, I'm sure you can identify right about |
| 77 |
now! =8^( |
| 78 |
|
| 79 |
So I decided that just wasn't going to work, and for several years I just |
| 80 |
depended on a NAPT based router (which I had bought when I was back on |
| 81 |
MSWormOS) to do my firewalling. It was relatively simple, but had |
| 82 |
documentation, actually worked according to it, and did the job I needed |
| 83 |
done. |
| 84 |
|
| 85 |
However, that router was an old generation 1.5 Netgear, limited to 10Mbit |
| 86 |
Ethernet on the WAN port, with actual thruput limited to about 6.5 Mbps. |
| 87 |
When my Internet connection was upped to 7Mbps, the router became the |
| 88 |
bottleneck, and I realized I either needed to buy a new one or quit |
| 89 |
putting off learning IPTables the /right/ way. |
| 90 |
|
| 91 |
I learned IPTables directly. As I expected, it was /much/ simpler than |
| 92 |
the scripts /ever/ were. This is particularly true for Gentoo users |
| 93 |
already accustomed to running emerges and doing various other sysadmin |
| 94 |
tasks from a CLI, as opposed to doing everything from a GUI, and who |
| 95 |
already configure and compile their own kernel and don't run screaming |
| 96 |
when someone mentions the very idea of doing so in ordered to get a |
| 97 |
specific netfilter module. Arguably, the scripts /could/ be better for |
| 98 |
folks used to running a distribution's precompiled binary kernel, with |
| 99 |
all its precompiled modules, who as I said run screaming at the very idea |
| 100 |
of compiling their own, tho I never found it so (I was on Mandrake back |
| 101 |
when I first tried, altho I must say I learned to compile my own kernel, |
| 102 |
even if it was from Mandrake sources, pretty early on), but my opinion is |
| 103 |
that most Gentoo users will be better served learning IPTables directly. |
| 104 |
It's NOT that hard, and as I said, I actually found it /vastly/ simpler |
| 105 |
than trying to figure out all those indirect scripts and the like. YMMV |
| 106 |
of course... |
| 107 |
|
| 108 |
So, assuming I've convinced you and you want to learn IPTables itself, |
| 109 |
what's an easy way to start? Well, one way's to merge the iptables |
| 110 |
package and then read the iptables manpage. From my experience, even |
| 111 |
that would be on par with trying to run those stupid supposedly "simple" |
| 112 |
firewall configuration scripts, but I'd call that "intermediate". That |
| 113 |
works best after you have your bearings and know the basics. There are |
| 114 |
easier ways to start. |
| 115 |
|
| 116 |
You said firewall, but didn't mention whether you are more interested in |
| 117 |
running a firewall protecting a standalone machine, or whether you really |
| 118 |
had in mind a dedicated firewall machine, protecting a whole LAN worth of |
| 119 |
machines (tho that might be only one) behind it. |
| 120 |
|
| 121 |
My case is the first, a firewall protecting a standalone machine, and in |
| 122 |
any event, as long as you have direct console access to your firewall, |
| 123 |
it's easiest to start there, and deal with the forwarding later, after |
| 124 |
you learn the basics. If you are logging into your firewall machine over |
| 125 |
the LAN and don't have any direct console access, you do of course need |
| 126 |
to be careful you don't block your own command connection. That's |
| 127 |
possible, but to keep things simple, the below assumes a direct console |
| 128 |
connection. |
| 129 |
|
| 130 |
For the Gentoo user especially, the simplest and most direct guide is the |
| 131 |
one DRobbins himself wrote for IBM developerWorks, back for kernel 2.4, |
| 132 |
but still useful today, and now hosted on the Gentoo infrastructure and |
| 133 |
listed in the main docs list. |
| 134 |
|
| 135 |
http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml |
| 136 |
|
| 137 |
Courtesy of some googling, here are some more paralleling that (links may |
| 138 |
wrap): |
| 139 |
|
| 140 |
David Mair's very basic firewall protecting a standalone machine version: |
| 141 |
|
| 142 |
http://www.cyberciti.biz/tips/how-do-i-build-a-simple-linux-firewall-for- |
| 143 |
dsldial-up-connection.html |
| 144 |
|
| 145 |
Here's another David Mair link, this one for a dedicated firewall |
| 146 |
protecting a LAN: |
| 147 |
|
| 148 |
http://www.novell.com/coolsolutions/feature/18139.html |
| 149 |
|
| 150 |
Another useful one. As the DRobbins tutorial, it starts with a simple |
| 151 |
single standalone machine firewall and gets more complex from there: |
| 152 |
|
| 153 |
http://wiki.centos.org/HowTos/Network/IPTables |
| 154 |
|
| 155 |
If you are doing a dedicated router, Gentoo has a guide specifically for |
| 156 |
that, too. In addition to firewalling and routing, it covers setting up |
| 157 |
additional stuff such as mail/web/ntp servers and the like, that you may |
| 158 |
wish to host on your firewall/router machine. |
| 159 |
|
| 160 |
http://www.gentoo.org/doc/en/home-router-howto.xml |
| 161 |
|
| 162 |
OK, here's the official netfilter site tutorial list, but unfortunately, |
| 163 |
it seems like it isn't kept up to date, and some of the links are dead- |
| 164 |
ends. Many of the others don't seem real appropriate, but I'll list a |
| 165 |
few of the more useful ones below: |
| 166 |
|
| 167 |
http://www.netfilter.org/documentation/index.html#documentation-tutorials |
| 168 |
|
| 169 |
The first one, IPTables Tutorial by Oskar Andreasson, may be useful if |
| 170 |
you don't know much about the basics of TCP/IP, and want to get a general |
| 171 |
orientation on that, with IPTables in mind, before you get to doing stuff |
| 172 |
with IPTables itself. |
| 173 |
|
| 174 |
Down the list a way, there's Netfilter tutorial, by crhalpin. It has a |
| 175 |
nice example at the end, specifically for a firewall/NAT box, thus it |
| 176 |
should be most useful for that, but it has a couple rather useful hints |
| 177 |
sections, "Tips and Style Issues", and "Common Mistakes (or Don't Follow |
| 178 |
in my Footsteps)". |
| 179 |
|
| 180 |
The last three links on that official tutorials list are to |
| 181 |
professionally written magazine articles, by David Coulson. The links |
| 182 |
are to the PDFs as taken straight from the magazines, so if you like nice |
| 183 |
glossy magazine layouts, these are likely to be right down your alley! |
| 184 |
=8^) |
| 185 |
|
| 186 |
OK, some misc. discussion and additional links: |
| 187 |
|
| 188 |
Useful info if you run bittorrent, by Vivek: |
| 189 |
|
| 190 |
http://www.cyberciti.biz/tips/linux-iptables-open-bittorrent-tcp- |
| 191 |
ports-6881-to-6889.html |
| 192 |
|
| 193 |
For Gentoo, the in-tree iptables package places the iptables initscript |
| 194 |
in the usual place, /etc/init.d, with its config likewise in the usual |
| 195 |
place, /etc/conf.d. Many of the above links use scripts to setup and |
| 196 |
take down their iptables setup, but Gentoo naturally already has that |
| 197 |
covered. Once you get the running iptables setup the way you wish, |
| 198 |
configure /etc/conf.d/iptables, then run |
| 199 |
|
| 200 |
/etc/init.d/iptables save |
| 201 |
|
| 202 |
to save your setup to the configured location. FWIW, I decided I wanted |
| 203 |
mine in /etc/iptables.rules instead of the default /var location, but |
| 204 |
that of course is up to you. |
| 205 |
|
| 206 |
Particularly if you turned on the SAVE_ON_STOP option, you may wish to |
| 207 |
make it a point of backing up your useful config every time you change |
| 208 |
it, just to be sure your specific config you worked so hard to setup |
| 209 |
isn't accidentally overwritten by a non-working config if you change it. |
| 210 |
I like to use dates on my backups so I know when they were made, so along |
| 211 |
with my rules in /etc, I have a backup iptables.rules.20070731 (the last |
| 212 |
date I tweaked it) as well. |
| 213 |
|
| 214 |
Once you have your config saved, you will want to add the iptables |
| 215 |
service to the appropriate runlevel, in boot if your network starts |
| 216 |
there, or in default if there. It'll start before the network if it's in |
| 217 |
the appropriate level. You can add it to nonetwork if you wish as well |
| 218 |
-- it won't harm anything, and will activate on any network interfaces as |
| 219 |
they are brought up if you start networking manually that way. |
| 220 |
|
| 221 |
FWIW, in addition to the "save" action and the normal start/stop/restart/ |
| 222 |
zap type actions, Gentoo's iptables initscript has two additional |
| 223 |
actions, "reload", to reload the saved config, and "panic", which I've |
| 224 |
never used but appears to shut down all net access immediately, |
| 225 |
accomplished by setting everything to immediate drop. (I'd be more |
| 226 |
inclined to unplug my cable modem in that situation, thus my not feeling |
| 227 |
the need to investigate the panic function, but it's useful to know it's |
| 228 |
there anyway.) |
| 229 |
|
| 230 |
There are two commands to display active rules. iptables -L lists them |
| 231 |
in one format, iptables-save, which outputs to STDOUT thus to the |
| 232 |
terminal if not redirected to a file, lists them in a somewhat different |
| 233 |
format. iptables -L is perhaps more useful as an overview as it's more |
| 234 |
tabular and less cluttered, but the output of iptables-save is much |
| 235 |
closer to the command line parameters actually entered to create the |
| 236 |
rules. Thus, iptables-save tends to be more useful when actually |
| 237 |
creating and deleting rules, or anyway I certainly found it so. |
| 238 |
|
| 239 |
Finally, in addition to the stuff covered in the tutorials above, there |
| 240 |
are a few additional rules general and useful enough to mention here. |
| 241 |
|
| 242 |
First, if your ISP (as mine) uses DHCP, you'll want to add a rule |
| 243 |
allowing that, since it won't be covered by the usual established,related |
| 244 |
rule because the connection is just being setup at that point. After |
| 245 |
reading the tutorials above and referencing the iptables manpage if |
| 246 |
necessary, this should make enough sense that you can setup your own rule |
| 247 |
for it reasonably easily. DHCP is an extension of bootp, and uses the |
| 248 |
same ports, udp ports 67 and 68. Incoming, you'll want a rule allowing |
| 249 |
udp sport 67, dport 68. The outgoing rule if you need one (basic setups |
| 250 |
normally allow outgoing by default, in which case you probably don't) |
| 251 |
would be the reverse, udp sport 68, dport 67. |
| 252 |
|
| 253 |
Additionally, I found that while I wanted to log most traffic before it |
| 254 |
was dropped, I wanted to limit the logging rate so it wouldn't use up all |
| 255 |
the space on my log partition if I got attacked, and there were a few |
| 256 |
things, like messenger spam (udp dport 1026-1031 inbound) that were SO |
| 257 |
common it wasn't worth logging at all. I accomplished this by setting up |
| 258 |
a logging chain, adding a rule to the end of the input chain (after all |
| 259 |
my normal allows) to jump to the logging chain. The rules in this |
| 260 |
logging chain then drop anything (like udp dport 1026-1031 as mentioned |
| 261 |
above) I consider too common to log, with the last rule in the logging |
| 262 |
chain a rate-limited logging rule. Processing then returns to the input |
| 263 |
chain, which having no additional rules (the one invoking the logging |
| 264 |
chain being the last one) and a DROP policy, then drops any remaining |
| 265 |
packets. |
| 266 |
|
| 267 |
As the logging paragraph above indicates, I found it useful to create a |
| 268 |
few chains beyond the default INPUT/OUTPUT/FORWARD. Specifically, I have |
| 269 |
(for input): |
| 270 |
|
| 271 |
in-except, for exceptions to the following, |
| 272 |
in-allow, for explicit allow rules, |
| 273 |
in-log, to drop the real common stuff and log whatever has fallen thru. |
| 274 |
|
| 275 |
The default INPUT chain with a default DROP policy then consists of three |
| 276 |
simple rules jumping to the above three input chains in order, as follows |
| 277 |
(format is as output by iptables-save): |
| 278 |
|
| 279 |
-A INPUT -j in-except |
| 280 |
-A INPUT -j in-allow |
| 281 |
-A INPUT -j in-log |
| 282 |
|
| 283 |
in-exceptions is currently empty, but from previous experience I've found |
| 284 |
it useful to have. It comes in handy if I want to block packets from a |
| 285 |
specific IP or something that would otherwise be allowed. |
| 286 |
|
| 287 |
in-allow has the following three rules: |
| 288 |
|
| 289 |
-A in-allow -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 290 |
-A in-allow -i lo -j ACCEPT |
| 291 |
-A in-allow -p udp -m udp --sport 67 --dport 68 -j ACCEPT |
| 292 |
|
| 293 |
The related/established one should be well covered in the tutorials. I |
| 294 |
allow everything from the localhost loopback interface, and as discussed |
| 295 |
above, I allow DHCP packets. (The DHCP rule could be tightened down |
| 296 |
somewhat if necessary, but this works and is reasonably limited, |
| 297 |
considering the dhcp client only has the port open a limited time when it |
| 298 |
leases or renews the IP.) |
| 299 |
|
| 300 |
in-log also has three rules, as follows: |
| 301 |
|
| 302 |
-A in-log -i eth0 -p icmp -m icmp --icmp-type 8/0 -j DROP |
| 303 |
-A in-log -i eth0 -p udp -m udp --dport 1026:1031 -j DROP |
| 304 |
-A in-log -m limit --limit 20/hour -j LOG --log-prefix "IPTables:" |
| 305 |
|
| 306 |
ICMP type 8/0 is ICMP echo, aka "ping", ICMP implementation. I choose to |
| 307 |
drop this, and to do so before logging. The second entry is the |
| 308 |
messenger spam entry I mentioned above, since the things otherwise fill |
| 309 |
my logs. The third is the logging entry itself, using the default burst |
| 310 |
level of (IIRC) five, then limited to one every three minutes. |
| 311 |
|
| 312 |
Since this is a stand-alone machine, I don't have to worry about |
| 313 |
forwarding so it's simply a default DROP policy. I don't have a reason to |
| 314 |
filter output, so it's simply a default ACCEPT policy. Thus, similar to |
| 315 |
a NAPT based router, the only filtering I'm doing is on incoming packets, |
| 316 |
and generally limited to related/established, with a limited set of |
| 317 |
exceptions, and everything else rate-limit logged, again with a limited |
| 318 |
set of too-common exceptions, before dropping. |
| 319 |
|
| 320 |
The entire set, again as output from iptables-save, is as follows (packet/ |
| 321 |
byte stats where displayed xxed out): |
| 322 |
|
| 323 |
# Generated by iptables-save v1.3.8 on Thu Oct 4 07:00:23 2007 |
| 324 |
*filter |
| 325 |
:INPUT DROP [xxx:xxx] |
| 326 |
:FORWARD DROP [0:0] |
| 327 |
:OUTPUT ACCEPT [xxx:xxx] |
| 328 |
:in-allow - [0:0] |
| 329 |
:in-except - [0:0] |
| 330 |
:in-log - [0:0] |
| 331 |
-A INPUT -j in-except |
| 332 |
-A INPUT -j in-allow |
| 333 |
-A INPUT -j in-log |
| 334 |
-A in-allow -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 335 |
-A in-allow -i lo -j ACCEPT |
| 336 |
-A in-allow -p udp -m udp --sport 67 --dport 68 -j ACCEPT |
| 337 |
-A in-log -i eth0 -p icmp -m icmp --icmp-type 8/0 -j DROP |
| 338 |
-A in-log -i eth0 -p udp -m udp --dport 1026:1031 -j DROP |
| 339 |
-A in-log -m limit --limit 20/hour -j LOG --log-prefix "IPTables:" |
| 340 |
COMMIT |
| 341 |
# Completed on Thu Oct 4 07:00:23 2007 |
| 342 |
|
| 343 |
To enable that and provide a bit of additional flexibility, I have the |
| 344 |
following related kernel config items enabled (I prefer builtin for |
| 345 |
regularly used stuff, so most of these are =y here, but some can be |
| 346 |
modularized, =m, if desired): |
| 347 |
|
| 348 |
#General netfilter option, under Networking > Networking Options |
| 349 |
CONFIG_NETFILTER |
| 350 |
# Under that... |
| 351 |
|
| 352 |
# ... Under Core Netfilter Configuration |
| 353 |
|
| 354 |
# Netfilter connection tracking support |
| 355 |
CONFIG_NF_CONNTRACK_ENABLED |
| 356 |
# FTP protocol support |
| 357 |
CONFIG_NF_CONNTRACK_FTP |
| 358 |
# Netfilter Xtables support |
| 359 |
CONFIG_NETFILTER_XTABLES |
| 360 |
# "NFLOG" target support |
| 361 |
CONFIG_NETFILTER_XT_TARGET_NFLOG |
| 362 |
# "helper" match support |
| 363 |
CONFIG_NETFILTER_XT_MATCH_HELPER |
| 364 |
# "limit" match support |
| 365 |
CONFIG_NETFILTER_XT_MATCH_LIMIT |
| 366 |
# Multiple port match support |
| 367 |
CONFIG_NETFILTER_XT_MATCH_MULTIPORT |
| 368 |
# "pkttype" packet type match support |
| 369 |
CONFIG_NETFILTER_XT_MATCH_PKTTYPE |
| 370 |
# "state" match support |
| 371 |
CONFIG_NETFILTER_XT_MATCH_STATE |
| 372 |
|
| 373 |
# ... Under IP: Netfilter Configuration |
| 374 |
|
| 375 |
# IPv4 connection tracking support (required for NAT) |
| 376 |
CONFIG_NF_CONNTRACK_IPV4 |
| 377 |
# IP tables support (required for filtering/masq/NAT) |
| 378 |
CONFIG_IP_NF_IPTABLES |
| 379 |
# IP range match support |
| 380 |
CONFIG_IP_NF_MATCH_IPRANGE |
| 381 |
# Owner match support |
| 382 |
CONFIG_IP_NF_MATCH_OWNER |
| 383 |
# Packet filtering |
| 384 |
CONFIG_IP_NF_FILTER |
| 385 |
# REJECT target support |
| 386 |
CONFIG_IP_NF_TARGET_REJECT |
| 387 |
# LOG target support |
| 388 |
CONFIG_IP_NF_TARGET_LOG |
| 389 |
|
| 390 |
All the other Netfilter related kernel options are off. |
| 391 |
|
| 392 |
Hope that's all useful, if not to you then to someone, as it took me |
| 393 |
quite some time to compose it! =8^) |
| 394 |
|
| 395 |
-- |
| 396 |
Duncan - List replies preferred. No HTML msgs. |
| 397 |
"Every nonfree program has a lord, a master -- |
| 398 |
and if you use the program, he is your master." Richard Stallman |
| 399 |
|
| 400 |
-- |
| 401 |
gentoo-amd64@g.o mailing list |
Archives