Firewall: Difference between revisions

From Wildsong

Revision as of 19:38, 1 January 2019

Currently I have a two tier system (at home).

The Ubiquiti EdgeRouter forwards outside traffic to Bellman for selected services (ssh, http, https, sip), and then the firewall (iptables) on Bellman decides what to reject. Currently I am on Spectrum residential service, so I don't run any public services because that would be a violation of the service agreement.

I allow access from selected outside sites as needed, for example currently that would be Twilio for SIP service and Clatsop County so that I can access my home server from work.

I tried a bunch of free scripts and ended up writing my own.

2019-01-01 Trying to open up port 80 temporarily so that I can update my Let's Encrypt certificates. It does not appear that Charter/Spectrum is currently blocking it. I test with "tcpdump -i eth0 port 80" on the EdgeRouter and I can see hits coming in. So the problem appears to be in Bellman's firewall. I have a rule in there

My own python firewall scripts

Right now this is what I came up with. It is as simple a setup as I could cook up and still get the job done. The code lives in my git server. The repo is bellman.wildsong.biz:/green/repositories/vastra.git

/etc/network/install_firewall.sh -- is a script that runs everything else; it is started from "up /etc/network/install_firewall.sh" in interfaces. The default policy on INPUT is set to DROP by this script so that only whitelisted traffic is allowed through -- it also has a couple of custom rules to allow other traffic. Normally SSH is via the admin whitelist only, but a special rule in here can open it up for more remote access, for development or for access to my personal servers. /etc/network/firewall contains files with the whitelisted things in them.

  • admin.txt - anything listed here gets unfiltered access.
  • sip.txt - anything here gets UDP 5060 access and UDP 10000-20000 access
  • twilio_sip.txt - TCP/UDP 5060:5061 access ahead of fail2ban
  • twilio_media.txt - gets mixed with sip.txt and used for RTP access
  • sms.txt - will be an admin whitelist updateable from a phone text message
  • web.txt - will be a sip/media whitelist updateable from a web page

/usr/local/sbin/add_subchains.py -- runs when the network is brought up. Adds our subchains to iptables and inserts them as targets in the INPUT chain.

/usr/local/sbin/update_firewall.py -- reads the firewall text files and generates shell scripts in /etc/network that will be run from install_firewall.sh at boot time (and whenever needed) to load up all the subchains. Runs the scripts too.

My idea is to run update_firewall.py from inotify whenever a file in /etc/network/firewall is edited. That way you can either drop a new file in there or you can just edit it over a Samba connection and it will update the firewall when you save the file.

Or some web thing or SMS thing can update files and the same update process is fired.
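The generator step described above, as an added example that is not code from the vastra repository: a small Python module that reads the whitelist files (admin.txt, sip.txt, twilio_sip.txt, twilio_media.txt, with the port ranges given on this page) and emits one shell script per iptables subchain. The chain names ADMIN, SIP and TWILIO_SIP, the RETURN fall-through and the sample whitelist contents are assumptions. The one thing it adds beyond the page's description is strict validation of every entry with the ipaddress module: because these files are meant to be edited over Samba, or later by an SMS or web hook, anything that is not an IPv4 address or CIDR is rejected before it can be spliced into a script that runs as root.

```python
#!/usr/bin/env python3
"""Turn whitelist text files into iptables subchain scripts (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Port ranges as described on the wiki page; chain names are assumptions.
ADMIN_RULES = ["-j ACCEPT"]                               # unfiltered access
SIP_RULES = ["-p udp --dport 5060 -j ACCEPT"]             # SIP signalling
RTP_RULES = ["-p udp --dport 10000:20000 -j ACCEPT"]      # RTP media
TWILIO_SIP_RULES = ["-p tcp --dport 5060:5061 -j ACCEPT",
                    "-p udp --dport 5060:5061 -j ACCEPT"]


def parse_whitelist(text: str) -> List[str]:
    """Return normalized IPv4 CIDR strings from one whitelist file.

    Blank lines and '#' comments are ignored. Every other entry must parse as
    an IPv4 address or network; anything else raises, so a typo or a stray
    shell metacharacter in a file edited remotely never reaches the script.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            raise ValueError(f"line {lineno}: not an IP or CIDR: {raw!r}") from None
        if net.version != 4:
            raise ValueError(f"line {lineno}: only IPv4 is handled here: {raw!r}")
        nets.append(str(net))  # single hosts come back as a.b.c.d/32
    return nets


def chain_script(chain: str, rules: List[Tuple[str, str]]) -> str:
    """Build a shell script that flushes and refills one subchain."""
    lines = ["#!/bin/sh", "set -e", f"iptables -F {chain}"]
    for net, rule in rules:
        lines.append(f"iptables -A {chain} -s {net} {rule}")
    # Unmatched traffic returns to INPUT, whose default policy is DROP.
    lines.append(f"iptables -A {chain} -j RETURN")
    return "\n".join(lines) + "\n"


def build_scripts(files: Dict[str, str]) -> Dict[str, str]:
    """Map whitelist file contents (name -> text) to one script per chain."""
    admin = parse_whitelist(files.get("admin.txt", ""))
    sip = parse_whitelist(files.get("sip.txt", ""))
    twilio_sip = parse_whitelist(files.get("twilio_sip.txt", ""))
    twilio_media = parse_whitelist(files.get("twilio_media.txt", ""))
    # twilio_media.txt hosts are mixed with sip.txt for RTP only, not for SIP.
    sip_rules = [(n, r) for n in sip for r in SIP_RULES]
    sip_rules += [(n, r) for n in sip + twilio_media for r in RTP_RULES]
    return {
        "ADMIN": chain_script("ADMIN", [(n, r) for n in admin for r in ADMIN_RULES]),
        "SIP": chain_script("SIP", sip_rules),
        "TWILIO_SIP": chain_script("TWILIO_SIP",
                                   [(n, r) for n in twilio_sip for r in TWILIO_SIP_RULES]),
    }


# Constructed sample whitelist files (documentation address ranges).
SAMPLE_FILES = {
    "admin.txt": "192.0.2.10   # workstation at the office\n",
    "sip.txt": "198.51.100.0/24\n",
    "twilio_sip.txt": "203.0.113.5\n203.0.113.6\n",
    "twilio_media.txt": "203.0.113.0/24\n",
}

if __name__ == "__main__":
    for chain, script in build_scripts(SAMPLE_FILES).items():
        print(f"# --- {chain} ---")
        print(script)
```

In the real layout the file contents would come from /etc/network/firewall and each script would be written under /etc/network before install_firewall.sh runs it; the flush-then-refill shape keeps a rerun from duplicating rules, which matters when the generator is fired from inotify on every save.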

IPTables tutorial

https://blog.ipredator.se/linux-firewall-howto.html

Firewall management software

How about just starting with a simple whitelist / blacklist?

Some fancier options include

  • "firewall builder"
  • shorewall seems more complicated than learning iptables
  • arno-iptables-firewall
  • pyroman uses config files written in Python (ick)

Whitelists

http://www.powerpbx.org/content/simple-iptables-firewall-whitelist-blacklist-v1

touch /usr/local/etc/whitelist.txt
touch /usr/local/etc/blacklist.txt

Firewall Builder

BUILD STILL FAILS - this thing is obviously way too complicated for my needs.

Prerequisites, figuring this out is a thankless task

apt-get install qt4-dev-tools libxslt-dev ucd-snmp

Download source from SourceForge

./autogen.sh
./configure
make
# ...ignoring a million warning messages

Shorewall

Instructions for installation are at http://www.shorewall.net/Install.htm

wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-core-5.0.1.1.tgz
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-5.0.1.1.tgz
tar xzvf shorewall-core-5.0.1.1.tgz
tar xzvf shorewall-5.0.1.1.tgz
cd shorewall-core-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
cd ..
cd shorewall-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
/sbin/shorewall version


Now if you go connect to Webmin you should see this version of Shorewall under "Network".