Firewall: Difference between revisions
Brian Wilson (talk | contribs) Created page with "Debian packages * shorewall * arno-iptables-firewall * pyroman uses config files written in Python Looking at shorewall first, as I have heard of it already. I already have..." |
Brian Wilson (talk | contribs) |
||
| (14 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Currently I have a two tier system (at home). | |||
* shorewall | The Ubiquiti Edgerouter forwards outside traffic to [[Bellman]] for selected services (ssh, http, https, sip) | ||
and then the firewall (iptables) on Bellman decides what to reject. Currently I am on Spectrum residential service so I don't run any public services because that would be a violation of the service agreement. | |||
I allow access from selected outside sites as needed, for example currently that would be | |||
Twilio for SIP service and Clatsop County so that I can access my home server from work. | |||
I tried a bunch of free scripts and ended up writing my own. | |||
== IP databases == | |||
I found this web site to create list that identify IP addresses based on location, | |||
for a few minutes I thought about using it to block traffic at TrailPeople then gave up on that as | |||
unwieldy and not particularly effective. | |||
https://www.countryipblocks.net/acl.php | |||
=== Clearing the Synology block/allow database === | |||
I needed to clear the database once I had loaded it up with the wrong allow list and did not want to do it one page at a time!!! So I found instructions here on the database itself: | |||
https://tklaassens.wordpress.com/2016/03/25/edit-synology-ip-block-list-through-ssh/ | |||
I removed the allow list then reloaded it from the GUI, using some SQL. | |||
ssh [/cdn-cgi/l/email-protection <nowiki>[email protected]</nowiki>] | |||
cd /etc | |||
sudo sqlite3 synoautoblock.db | |||
delete from AutoBlockIP where Deny=0; | |||
That clears the "allow" list (because Deny=0) and then I was able to reload it. | |||
== EdgeRouter == | |||
For complete notes on the primary firewall, see [[Network configuration]] | |||
== My own python firewall scripts == | |||
Right now this is what I came up with. It is as simple a set up as I could cook up and still get the job done. The code lives in my git server. The repo is '''bellman.wildsong.biz:/green/repositories/vastra.git''' | |||
'''/etc/network/install_firewall.sh''' -- is a script that runs everything else from "up /etc/network/install_firewall.sh" in interfaces. | |||
The default policy on INPUT is set to DROP by this script so that only whitelisted traffic is allowed through -- it also has a couple custom rules to allow other traffic. Normally SSH is via admin whitelist only, but a special rule in here can open it up for more remote access for development or for access to my personal servers. | |||
''' | |||
/etc/network/firewall''' contains files with whitelisted thing in it. | |||
* admin.txt - anything listed here gets unfiltered access. | |||
* sip.txt - anything here gets UDP 5060 access and UDP 10000-20000 access | |||
* twilio_sip.txt - TCP/UDP 5060:5061 access ahead of fail2ban | |||
* twilio_media.txt - gets mixed with sip.txt and used for RTP acccess | |||
* sms.tzt - will be an admin whitelist updateable from a phone text message | |||
* web.txt - will be a sip/media whitelist updateable from a web page | |||
'''/usr/local/sbin/add_subchains.py''' -- runs when the network is brought up. Adds our subchains to uptables | |||
and inserts them as targets in INPUT chain. | |||
'''/usr/local/sbin/update_firewall.py''' -- reads the firewall text files and generates shell scripts in /etc/network that will | |||
be run from install_firewall.sh at boot time (and whenever needed) to load up all the subchains. Runs the scripts too. | |||
My idea is to run update_firewall.py from inotify whenever a file in /etc/network/firewall is edited. That way you can either drop a new file in there or you can just edit it over a Samba connection and it will update the firewall when you save the file. | |||
Or some web thing or SMS thing can update files and the same update process is fired. | |||
== IPTables tutorial == | |||
https://blog.ipredator.se/linux-firewall-howto.html | |||
== Firewall management software == | |||
How about just starting with a simple whitelist / blacklist? | |||
Some fancier options include | |||
* "firewall builder" | |||
* shorewall seems more complicated than learning iptables | |||
* arno-iptables-firewall | * arno-iptables-firewall | ||
* pyroman uses config files written in Python | * pyroman uses config files written in Python (ick) | ||
=== Whitelists === | |||
http://www.powerpbx.org/content/simple-iptables-firewall-whitelist-blacklist-v1 | |||
touch /usr/local/etc/whitelist.txt | |||
touch /usr/local/etc/blacklist.txt | |||
=== Firewall Builder === | |||
BUILD STILL FAILS - this thing is obviously way too complicated for my needs. | |||
Prerequisites, figuring this out is a thankless task | |||
apt-get install qt4-dev-tools libxslt-dev ucd-snmp | |||
Download source from SourceForge | |||
./autogen.sh | |||
./configure | |||
make | |||
# ...ignoring a million warning messages | |||
=== Shorewall === | |||
Instructions for installation are at http://www.shorewall.net/Install.htm | |||
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-core-5.0.1.1.tg | |||
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-5.0.1.1.tgz | |||
tar xzvf shorewall-core-5.0.1.1.tgz | |||
tar xzvf shorewall-5.0.1.1.tgz | |||
cd shorewall-core-5.0.1.1 | |||
cp shorewallrc.debian.systemd shorewallrc | |||
sudo install.sh | |||
cd .. | |||
cd shorewall-5.0.1.1 | |||
cp shorewallrc.debian.systemd shorewallrc | |||
sudo install.sh | |||
/sbin/shorewall version | |||
Now if you go connect to Webmin you should see this version of Shorewall under "Network". | |||
[[Category: System Administration]] [[Category: Network]] | [[Category: System Administration]] [[Category: Network]] | ||
Latest revision as of 18:10, 23 February 2023
Currently I have a two tier system (at home).
The Ubiquiti Edgerouter forwards outside traffic to Bellman for selected services (ssh, http, https, sip) and then the firewall (iptables) on Bellman decides what to reject. Currently I am on Spectrum residential service so I don't run any public services because that would be a violation of the service agreement.
I allow access from selected outside sites as needed, for example currently that would be Twilio for SIP service and Clatsop County so that I can access my home server from work.
I tried a bunch of free scripts and ended up writing my own.
IP databases
I found this web site to create list that identify IP addresses based on location, for a few minutes I thought about using it to block traffic at TrailPeople then gave up on that as unwieldy and not particularly effective.
https://www.countryipblocks.net/acl.php
Clearing the Synology block/allow database
I needed to clear the database once I had loaded it up with the wrong allow list and did not want to do it one page at a time!!! So I found instructions here on the database itself: https://tklaassens.wordpress.com/2016/03/25/edit-synology-ip-block-list-through-ssh/
I removed the allow list then reloaded it from the GUI, using some SQL.
ssh [/cdn-cgi/l/email-protection [email protected]] cd /etc sudo sqlite3 synoautoblock.db delete from AutoBlockIP where Deny=0;
That clears the "allow" list (because Deny=0) and then I was able to reload it.
EdgeRouter
For complete notes on the primary firewall, see Network configuration
My own python firewall scripts
Right now this is what I came up with. It is as simple a set up as I could cook up and still get the job done. The code lives in my git server. The repo is bellman.wildsong.biz:/green/repositories/vastra.git
/etc/network/install_firewall.sh -- is a script that runs everything else from "up /etc/network/install_firewall.sh" in interfaces. The default policy on INPUT is set to DROP by this script so that only whitelisted traffic is allowed through -- it also has a couple custom rules to allow other traffic. Normally SSH is via admin whitelist only, but a special rule in here can open it up for more remote access for development or for access to my personal servers. /etc/network/firewall contains files with whitelisted thing in it.
- admin.txt - anything listed here gets unfiltered access.
- sip.txt - anything here gets UDP 5060 access and UDP 10000-20000 access
- twilio_sip.txt - TCP/UDP 5060:5061 access ahead of fail2ban
- twilio_media.txt - gets mixed with sip.txt and used for RTP acccess
- sms.tzt - will be an admin whitelist updateable from a phone text message
- web.txt - will be a sip/media whitelist updateable from a web page
/usr/local/sbin/add_subchains.py -- runs when the network is brought up. Adds our subchains to uptables and inserts them as targets in INPUT chain.
/usr/local/sbin/update_firewall.py -- reads the firewall text files and generates shell scripts in /etc/network that will be run from install_firewall.sh at boot time (and whenever needed) to load up all the subchains. Runs the scripts too.
My idea is to run update_firewall.py from inotify whenever a file in /etc/network/firewall is edited. That way you can either drop a new file in there or you can just edit it over a Samba connection and it will update the firewall when you save the file.
Or some web thing or SMS thing can update files and the same update process is fired.
IPTables tutorial
https://blog.ipredator.se/linux-firewall-howto.html
Firewall management software
How about just starting with a simple whitelist / blacklist?
Some fancier options include
- "firewall builder"
- shorewall seems more complicated than learning iptables
- arno-iptables-firewall
- pyroman uses config files written in Python (ick)
Whitelists
http://www.powerpbx.org/content/simple-iptables-firewall-whitelist-blacklist-v1
touch /usr/local/etc/whitelist.txt touch /usr/local/etc/blacklist.txt
Firewall Builder
BUILD STILL FAILS - this thing is obviously way too complicated for my needs.
Prerequisites, figuring this out is a thankless task
apt-get install qt4-dev-tools libxslt-dev ucd-snmp
Download source from SourceForge
./autogen.sh ./configure make # ...ignoring a million warning messages
Shorewall
Instructions for installation are at http://www.shorewall.net/Install.htm
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-core-5.0.1.1.tg wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-5.0.1.1.tgz
tar xzvf shorewall-core-5.0.1.1.tgz tar xzvf shorewall-5.0.1.1.tgz cd shorewall-core-5.0.1.1 cp shorewallrc.debian.systemd shorewallrc sudo install.sh cd .. cd shorewall-5.0.1.1 cp shorewallrc.debian.systemd shorewallrc sudo install.sh /sbin/shorewall version
Now if you go connect to Webmin you should see this version of Shorewall under "Network".
