Firewall: Difference between revisions

From Wildsong
Both revisions by Brian Wilson; minor edits, no edit summary.
Line 1 (old): I already have webmin and fail2ban installed and working, just need an easy way to build and maintain a whitelist. And I need it today.
Line 1 (new): I already have webmin and fail2ban installed and working, just need an easy way to build and maintain a whitelist. And I need it today. I tried a bunch of scripts and such and ended up writing my own.

Revision as of 01:20, 8 December 2015

I already have webmin and fail2ban installed and working, just need an easy way to build and maintain a whitelist. And I need it today. I tried a bunch of scripts and such and ended up writing my own.

Python scripts

Right now this is what I came up with. It is as simple a set up as I could cook up and still get the job done.

/etc/network/install_firewall.sh -- the script that runs everything else; it is invoked from "up /etc/network/install_firewall.sh" in /etc/network/interfaces. This script sets the default policy on INPUT to DROP so that only whitelisted traffic is allowed through; it also has a couple of custom rules to allow other traffic. Normally SSH is reachable via the admin whitelist only, but a special rule in here can open it up for more remote access, for development or for access to my personal servers.

/etc/network/firewall contains the whitelist files:

  • admin.txt - anything listed here gets unfiltered access.
  • sip.txt - anything here gets UDP 5060 access and UDP 10000-20000 access
  • twilio_sip.txt - TCP/UDP 5060:5061 access ahead of fail2ban
  • twilio_media.txt - gets mixed with sip.txt and used for RTP access
  • sms.txt - will be an admin whitelist updateable from a phone text message
  • web.txt - will be a sip/media whitelist updateable from a web page

/usr/local/sbin/add_subchains.py -- runs when the network is brought up. Adds our subchains to iptables and inserts them as targets in the INPUT chain.

/usr/local/sbin/update_firewall.py -- reads the firewall text files and generates shell scripts in /etc/network that will be run from install_firewall.sh at boot time (and whenever needed) to load up all the subchains. Runs the scripts too.

My idea is to run update_firewall.py from inotify whenever a file in /etc/network/firewall is edited. That way you can either drop a new file in there or you can just edit it over a Samba connection and it will update the firewall when you save the file.

Or a web page or an SMS handler can update the files, and the same update process fires.
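As an added example (not the author's scripts, which are not reproduced on this page), here is one way to implement the two roles just described: creating the subchains and hooking them into INPUT, and regenerating each subchain's rules from the whitelist files. The wl_* chain names and the strict address validation are my assumptions; each entry is checked with the ipaddress module so a malformed line is rejected instead of being passed to iptables.

```python
import ipaddress
from typing import Dict, List

# Per whitelist file: the subchain it feeds and the iptables match arguments
# applied to every entry, mirroring the page: admin.txt gets unfiltered access,
# sip.txt UDP 5060 plus RTP 10000-20000, twilio_sip.txt TCP/UDP 5060:5061.
# The wl_* chain names are an assumption, not the page's own.
POLICIES = {
    "admin.txt": ("wl_admin", [""]),
    "sip.txt": ("wl_sip", ["-p udp --dport 5060", "-p udp --dport 10000:20000"]),
    "twilio_sip.txt": ("wl_twilio_sip",
                       ["-p tcp --dport 5060:5061", "-p udp --dport 5060:5061"]),
}

def parse_whitelist(text: str) -> List[str]:
    """Valid host/network entries from one whitelist file's contents.
    Blank lines and '#' comments are skipped; anything that is not an IPv4/IPv6
    address or CIDR block is dropped, so a typo or an unexpected token never
    reaches a generated iptables command."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue  # reject rather than guess
    return entries

def subchain_setup() -> List[str]:
    """Commands run once when the network comes up (the add_subchains.py role):
    create each subchain and hook it into INPUT ahead of the DROP policy."""
    cmds = []
    for chain, _ in POLICIES.values():
        cmds += [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
    return cmds

def generate_rules(files: Dict[str, str]) -> List[str]:
    """Commands that flush and reload each subchain (the update_firewall.py
    role). 'files' maps a whitelist file name such as 'admin.txt' to its text."""
    cmds = []
    for name, (chain, matches) in POLICIES.items():
        cmds.append(f"iptables -F {chain}")
        for entry in parse_whitelist(files.get(name, "")):
            for match in matches:
                argv = ["iptables", "-A", chain, "-s", entry] + match.split()
                cmds.append(" ".join(argv + ["-j", "ACCEPT"]))
    return cmds
```

Writing the returned lines to a shell script in /etc/network and running it is the part left to the inotify hook; the generator itself never touches the live ruleset.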

IPTables tutorial

https://blog.ipredator.se/linux-firewall-howto.html

Firewall management software

How about just starting with a simple whitelist / blacklist?

Some fancier options include

  • "firewall builder"
  • shorewall seems more complicated than learning iptables
  • arno-iptables-firewall
  • pyroman uses config files written in Python (ick)

Whitelists

http://www.powerpbx.org/content/simple-iptables-firewall-whitelist-blacklist-v1

touch /usr/local/etc/whitelist.txt
touch /usr/local/etc/blacklist.txt

Firewall Builder

BUILD STILL FAILS - this thing is obviously way too complicated for my needs.

Prerequisites (figuring these out is a thankless task):

apt-get install qt4-dev-tools libxslt-dev ucd-snmp

Download source from SourceForge

./autogen.sh
./configure
make
# ...ignoring a million warning messages

Shorewall

Instructions for installation are at http://www.shorewall.net/Install.htm

wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-core-5.0.1.1.tgz
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-5.0.1.1.tgz
tar xzvf shorewall-core-5.0.1.1.tgz
tar xzvf shorewall-5.0.1.1.tgz
cd shorewall-core-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
cd ..
cd shorewall-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
/sbin/shorewall version


Now if you go connect to Webmin you should see this version of Shorewall under "Network".