Firewall: Difference between revisions
Revision as of 17:51, 14 February 2019
Currently I have a two-tier system (at home).
The Ubiquiti EdgeRouter forwards outside traffic to Bellman for selected services (ssh, http, https, sip), and then the firewall (iptables) on Bellman decides what to reject. Currently I am on Spectrum residential service, so I don't run any public services because that would be a violation of the service agreement.
I allow access from selected outside sites as needed, for example currently that would be Twilio for SIP service and Clatsop County so that I can access my home server from work.
I tried a bunch of free scripts and ended up writing my own.
EdgeRouter
2019-02-14 Ports 80,443 and 8080-9300 now forward to Bellman for testing. Bellman's firewall normally restricts access per Spectrum residential rules but can be momentarily switched off in /etc/network/start_firewall.sh to allow Let's Encrypt updates.
My own python firewall scripts
Right now this is what I came up with. It is as simple a setup as I could cook up and still get the job done. The code lives in my git server. The repo is bellman.wildsong.biz:/green/repositories/vastra.git
/etc/network/install_firewall.sh -- is the script that runs everything else; it is invoked by an "up /etc/network/install_firewall.sh" line in /etc/network/interfaces. The default policy on INPUT is set to DROP by this script so that only whitelisted traffic is allowed through -- it also has a couple of custom rules to allow other traffic. Normally SSH is via admin whitelist only, but a special rule in here can open it up for more remote access for development or for access to my personal servers. /etc/network/firewall contains files with whitelisted things in them:
- admin.txt - anything listed here gets unfiltered access.
- sip.txt - anything listed here gets UDP 5060 access and UDP 10000-20000 access
- twilio_sip.txt - TCP/UDP 5060:5061 access ahead of fail2ban
- twilio_media.txt - gets mixed with sip.txt and used for RTP access
- sms.txt - will be an admin whitelist updatable from a phone text message
- web.txt - will be a sip/media whitelist updatable from a web page
/usr/local/sbin/add_subchains.py -- runs when the network is brought up. Adds our subchains to iptables and inserts jumps to them in the INPUT chain.
/usr/local/sbin/update_firewall.py -- reads the firewall text files and generates shell scripts in /etc/network that will be run from install_firewall.sh at boot time (and whenever needed) to load up all the subchains. Runs the scripts too.
My idea is to run update_firewall.py from inotify whenever a file in /etc/network/firewall is edited. That way you can either drop a new file in there or you can just edit it over a Samba connection and it will update the firewall when you save the file.
Or some web thing or SMS thing can update files and the same update process is fired.
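The generate-a-shell-script-from-whitelist-files idea above, as an added example (my own illustration, not the code in vastra.git): it reads the whitelist text files, validates every entry as an IP address or CIDR, and emits the iptables lines that rebuild each subchain, plus the one-time bootstrap that add_subchains.py is described as doing. The chain names, the CHAIN_SPECS table and the sample file contents are assumptions constructed for the example. The validation step matters once sms.txt and web.txt are fed from a phone or a web page: an entry that is not an address is skipped and reported instead of being pasted into a script that runs as root.

```python
"""Generate iptables subchain scripts from whitelist text files.

Added example, not the wiki author's vastra.git code. Chain names, port
templates and sample file contents are assumptions made for illustration.
"""
import ipaddress
import shlex

# Hypothetical mapping: whitelist file -> (subchain name, rule templates).
# Each template is a list of extra iptables arguments applied per source.
# Ports follow the file descriptions on the wiki page.
CHAIN_SPECS = {
    "admin.txt": ("admin", [[]]),  # empty template = unfiltered access
    "sip.txt": ("sip", [
        ["-p", "udp", "--dport", "5060"],
        ["-p", "udp", "--dport", "10000:20000"],
    ]),
    "twilio_sip.txt": ("twilio_sip", [
        ["-p", "tcp", "--dport", "5060:5061"],
        ["-p", "udp", "--dport", "5060:5061"],
    ]),
}


def parse_whitelist(text):
    """Return (valid networks, rejected lines) from a whitelist file.

    One host or CIDR per line; blank lines and '#' comments are ignored.
    Anything that does not parse as an address is rejected, so a file
    edited over Samba or written by the SMS/web updater cannot smuggle
    extra iptables arguments or shell text into the generated script.
    """
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        entries.append(str(net))  # normalised, e.g. 10.0.0.1 -> 10.0.0.1/32
    return entries, rejected


def bootstrap_script(chains):
    """Lines that create the subchains and hook them into INPUT once.

    -N may fail if the chain already exists, and -C checks for the jump
    before inserting it, so re-running the script does not stack rules.
    Loopback and established traffic are accepted before the policy goes
    to DROP, otherwise the box locks itself out while rules load.
    """
    lines = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for chain in chains:
        q = shlex.quote(chain)
        lines.append(f"iptables -N {q} 2>/dev/null || true")
        lines.append(f"iptables -C INPUT -j {q} 2>/dev/null || iptables -I INPUT -j {q}")
    lines.append("iptables -P INPUT DROP")
    return lines


def chain_rules(chain, templates, sources):
    """Shell lines that flush one subchain and refill it from scratch.

    Flushing (-F) rather than deleting keeps the INPUT jump in place.
    Every argument is shell-quoted even though inputs are validated.
    """
    lines = [f"iptables -F {shlex.quote(chain)}"]
    for src in sources:
        for tmpl in templates:
            args = ["iptables", "-A", chain, "-s", src, *tmpl, "-j", "ACCEPT"]
            lines.append(" ".join(shlex.quote(a) for a in args))
    return lines


def build_update_script(files):
    """files: {whitelist filename: file text}. Returns the update script text."""
    out = ["#!/bin/sh", "set -e"]
    for name, text in files.items():
        if name not in CHAIN_SPECS:
            continue  # unknown file in the directory: ignore, never guess
        chain, templates = CHAIN_SPECS[name]
        sources, rejected = parse_whitelist(text)
        for bad in rejected:
            out.append(f"# skipped invalid entry in {name}: {bad!r}")
        out.extend(chain_rules(chain, templates, sources))
    return "\n".join(out) + "\n"


# Constructed sample whitelist contents (not the author's real files).
SAMPLE_FILES = {
    "admin.txt": "# work network\n203.0.113.0/24\n",
    "sip.txt": "198.51.100.7\n198.51.100.8 # second trunk\nnot-an-address; rm -rf /\n",
}

if __name__ == "__main__":
    print("\n".join(bootstrap_script([c for c, _ in CHAIN_SPECS.values()])))
    print(build_update_script(SAMPLE_FILES))
```

Run it once to see both scripts; in a real deployment the update script would be written to /etc/network and executed by the inotify trigger, while the bootstrap lines belong in the boot-time script. The `-C` check makes the bootstrap safe to run repeatedly, which is the usual failure mode when a network-up hook fires more than once.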
IPTables tutorial
https://blog.ipredator.se/linux-firewall-howto.html
Firewall management software
How about just starting with a simple whitelist / blacklist?
Some fancier options include
- "firewall builder"
- shorewall seems more complicated than learning iptables
- arno-iptables-firewall
- pyroman uses config files written in Python (ick)
Whitelists
http://www.powerpbx.org/content/simple-iptables-firewall-whitelist-blacklist-v1
touch /usr/local/etc/whitelist.txt
touch /usr/local/etc/blacklist.txt
Firewall Builder
BUILD STILL FAILS - this thing is obviously way too complicated for my needs.
Prerequisites (figuring this out is a thankless task):
apt-get install qt4-dev-tools libxslt-dev ucd-snmp
Download source from SourceForge
./autogen.sh
./configure
make # ...ignoring a million warning messages
Shorewall
Instructions for installation are at http://www.shorewall.net/Install.htm
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-core-5.0.1.1.tgz
wget http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.1/shorewall-5.0.1.1.tgz
tar xzvf shorewall-core-5.0.1.1.tgz
tar xzvf shorewall-5.0.1.1.tgz
cd shorewall-core-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
cd ..
cd shorewall-5.0.1.1
cp shorewallrc.debian.systemd shorewallrc
sudo ./install.sh
/sbin/shorewall version
Now if you go connect to Webmin you should see this version of Shorewall under "Network".