Firewall: Difference between revisions

From Wildsong
Brian Wilson

Latest revision as of 18:10, 23 February 2023

Currently I have a two-tier system (at home).

The Ubiquiti EdgeRouter forwards outside traffic to Bellman for selected services (ssh, http, https, sip) and then the firewall (iptables) on Bellman decides what to reject. Currently I am on Spectrum residential service so I don't run any public services because that would be a violation of the service agreement.

I allow access from selected outside sites as needed, for example currently that would be Twilio for SIP service and Clatsop County so that I can access my home server from work.

I tried a bunch of free scripts and ended up writing my own.

IP databases

I found this web site to create lists that identify IP addresses based on location; for a few minutes I thought about using it to block traffic at TrailPeople, then gave up on that as unwieldy and not particularly effective.

https://www.countryipblocks.net/acl.php

Clearing the Synology block/allow database

I needed to clear the database once I had loaded it up with the wrong allow list and did not want to do it one page at a time!!! So I found instructions here on the database itself: https://tklaassens.wordpress.com/2016/03/25/edit-synology-ip-block-list-through-ssh/

I removed the allow list then reloaded it from the GUI, using some SQL.

ssh [email protected]
cd /etc
sudo sqlite3 synoautoblock.db
delete from AutoBlockIP where Deny=0;

That clears the "allow" list (because Deny=0) and then I was able to reload it.

EdgeRouter

For complete notes on the primary firewall, see Network configuration

My own python firewall scripts

Right now this is what I came up with. It is as simple a set up as I could cook up and still get the job done. The code lives in my git server. The repo is bellman.wildsong.biz:/green/repositories/vastra.git

/etc/network/install_firewall.sh -- is a script that runs everything else from "up /etc/network/install_firewall.sh" in interfaces. The default policy on INPUT is set to DROP by this script so that only whitelisted traffic is allowed through -- it also has a couple of custom rules to allow other traffic. Normally SSH is via admin whitelist only, but a special rule in here can open it up for more remote access for development or for access to my personal servers.

/etc/network/firewall contains files with whitelisted things in them.

  • admin.txt - anything listed here gets unfiltered access.
  • sip.txt - anything here gets UDP 5060 access and UDP 10000-20000 access
  • twilio_sip.txt - TCP/UDP 5060:5061 access ahead of fail2ban
  • twilio_media.txt - gets mixed with sip.txt and used for RTP access
  • sms.txt - will be an admin whitelist updateable from a phone text message
  • web.txt - will be a sip/media whitelist updateable from a web page

/usr/local/sbin/add_subchains.py -- runs when the network is brought up. Adds our subchains to iptables and inserts them as targets in the INPUT chain.

/usr/local/sbin/update_firewall.py -- reads the firewall text files and generates shell scripts in /etc/network that will be run from install_firewall.sh at boot time (and whenever needed) to load up all the subchains. Runs the scripts too.

My idea is to run update_firewall.py from inotify whenever a file in /etc/network/firewall is edited. That way you can either drop a new file in there or you can just edit it over a Samba connection and it will update the firewall when you save the file.

Or some web thing or SMS thing can update files and the same update process is fired.
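The following is an added example, not code from the vastra repo: it does what the text describes update_firewall.py doing, reading whitelist text files (admin.txt, sip.txt; contents here are constructed inline) and emitting the iptables commands that fill one subchain per file and hook it into INPUT. The chain names, the wl_ prefix and the per-file port policy are assumptions; it validates every entry with the ipaddress module so a stray line in a Samba-edited file cannot end up interpolated into a shell script.

```python
"""Added example: whitelist text files -> iptables subchain commands.
Not the page author's code; file names follow the page, contents are made up."""
import ipaddress

# Constructed sample files (stand-ins for /etc/network/firewall/*.txt).
FILES = {
    "admin.txt": "# admins get unfiltered access\n203.0.113.10\n198.51.100.0/24\n",
    "sip.txt": "192.0.2.0/24\nnot-an-address   # junk line: must be rejected, never emitted\n",
}

# What each list grants, per the page: admin = everything, sip = UDP 5060 + RTP range.
# None means "accept all protocols/ports"; this mapping is an assumption.
POLICY = {
    "admin.txt": [None],
    "sip.txt": [("udp", "5060"), ("udp", "10000:20000")],
}

def parse_list(text):
    """Return the valid IPv4/IPv6 networks in a whitelist file,
    skipping blank lines, '#' comments and anything that is not an address/CIDR."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # drop it rather than pass unvalidated text to iptables
    return nets

def chain_name(fname):
    return "wl_" + fname.rsplit(".", 1)[0]   # admin.txt -> wl_admin (assumed naming)

def build_rules(files=FILES, policy=POLICY):
    """Generate the shell lines: create/flush each subchain, refill it,
    and insert a jump to it at the top of INPUT if one is not already there."""
    cmds = []
    for fname, text in files.items():
        chain = chain_name(fname)
        cmds += [f"iptables -N {chain} 2>/dev/null || true", f"iptables -F {chain}"]
        for net in parse_list(text):
            for rule in policy.get(fname, []):
                if rule is None:
                    cmds.append(f"iptables -A {chain} -s {net} -j ACCEPT")
                else:
                    proto, port = rule
                    cmds.append(f"iptables -A {chain} -s {net} -p {proto} --dport {port} -j ACCEPT")
        cmds.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}")
    return cmds

if __name__ == "__main__":
    print("\n".join(build_rules()))
```

Because INPUT's default policy is DROP in install_firewall.sh, a list that parses to zero valid entries simply yields an empty subchain, which is the safe failure mode.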

IPTables tutorial

https://blog.ipredator.se/linux-firewall-howto.html

Firewall management software

How about just starting with a simple whitelist / blacklist?

Some fancier options include

  • "firewall builder"
  • shorewall seems more complicated than learning iptables
  • arno-iptables-firewall
  • pyroman uses config files written in Python (ick)

Whitelists

http://www.powerpbx.org/content/simple-iptables-firewall-whitelist-blacklist-v1

touch /usr/local/etc/whitelist.txt
touch /usr/local/etc/blacklist.txt

Firewall Builder

BUILD STILL FAILS - this thing is obviously way too complicated for my needs.

Prerequisites, figuring this out is a thankless task

apt-get install qt4-dev-tools libxslt-dev ucd-snmp

Download source from SourceForge

./autogen.sh
./configure
make
# ...ignoring a million warning messages

Shorewall

Instructions for installation are at http://www.shorewall.net/Install.htm

wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-core-5.0.1.1.tgz
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-5.0.1.1.tgz
tar xzvf shorewall-core-5.0.1.1.tgz
tar xzvf shorewall-5.0.1.1.tgz
cd shorewall-core-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
cd ..
cd shorewall-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
/sbin/shorewall version


Now if you go connect to Webmin you should see this version of Shorewall under "Network".