Craig Zeller's Firewall Scripts

Iptables Firewalls

The ipchains firewall scripts available on this site are now seriously out of date. Bob Sully of the Simi/Conejo Linux Users Group (SCLUG) has translated my ipchains script to iptables with his own additions and improvements. His iptables scripts are available on his website at <http://www.malibyte.net/iptables/scripts/fwscripts.html>. You will also find his paper on "IPTables Firewalling" at <http://www.malibyte.net/iptables/iptables.html>.

Simon Edwards' Guarddog Firewall

I now recommend and use Simon Edwards' "Guarddog" iptables firewall in combination with his "Guidedog" IP Routing/Masquerading GUI. Both tools have a KDE2 or KDE3 GUI interface that is quite simple to understand and configure. I would encourage all who are running 2.4.x kernels, and who don't care for hand editing firewall rules to consider using these great tools. Installation of Guarddog and Guidedog takes only a few minutes on a Redhat or Redhat-compatible RPM distribution. The software can be found at <http://www.simonzone.com/>.



The following is lifted verbatim from my old ipchains firewall script page, and was for Redhat 6.x, so is now very long in the tooth. I am working to update my scripts for those that continue to need to run ipchains scripts, and will also post my own iptables translations of my scripts, but as I stated above, this is now very old news. - Craig Zeller

Linux Firewall Configuration

There are new firewall scripts available for download. Unlike the old 'rc.firewall' and 'rc.local' scripts, these are relatively easy to install and configure. The firewall rules are now configured by a script run by the System V Init package, which allows an easy-to-access mechanism for starting, stopping, or restarting the firewall. The scripts have been built for RedHat distributions using either 'ipfwadm' (v5.0 - v5.2), or 'ipchains' (v6.0+). The configuration file is common to both, and should ease the upgrade process.

The firewall script now contains most of the common configurations. Features are configured by editing a simple file, /etc/firewall.conf, and selecting which protocols you wish to allow through the firewall. This file also contains the definitions of the interface names (ex: eth0, eth1) and their respective IP addresses. Some initial work has been done to accommodate DHCP configuration of the firewall's external IP address, but this has not been completed as of this writing.

Installation

If you are using my old scripts, or any other scripts started by /etc/rc.d/rc.local, you will need to edit the rc.local file to disable them. The new method does not invoke the script from rc.local, because rc.local runs very late in the boot process, leaving an opening for an attacker to reach the system before the rules have been configured.

If you are running RedHat 5.1 or 5.2, you will need to revert to a prior version of 'ipfwadm', as the one that came with 5.1 and 5.2 (ipfwadm-2.3.0-6) is broken. It is unable to expand the macros used in the configuration files and scripts, and so, must be replaced with the version that came with RedHat 5.0 (ipfwadm-2.3.0-5). To install the older version, download it from the link below, or obtain it from a RedHat 5.0 CD in /mnt/cdrom/RedHat/RPMS/ipfwadm-2.3.0-5.i386.rpm. Execute the following command as root:

rpm -Uvh --oldpackage ipfwadm-2.3.0-5.i386.rpm

Once this is completed, download the remaining files into a convenient directory. Copy the appropriate firewall script (either ipfwadm or ipchains version) to /etc/rc.d/init.d/firewall and give it the proper permissions and ownership. You need to be root to do this:

If you're running RedHat 6.0 or later, you'll need the 'ipchains' version:

cp firewall.ipchains /etc/rc.d/init.d/firewall

Otherwise, if you're running Redhat 5.0 through 5.1, you need the 'ipfwadm' version:

cp firewall.ipfwadm /etc/rc.d/init.d/firewall

Now set the ownership and permissions:

chown root.root /etc/rc.d/init.d/firewall
chmod 750 /etc/rc.d/init.d/firewall

Use the 'chkconfig' command to create the links for the various run levels. We want the firewall to run in levels 3, 4 and 5, but not in levels 0, 1, 2 or 6:

chkconfig --level 345 firewall on
chkconfig --level 0126 firewall off

Now check that it has been properly configured:

chkconfig --list firewall

which should respond with:

firewall 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Configuration File

Copy the 'firewall.conf' file to /etc and set ownership to root.root and permissions to 640 (-rw-r-----):

cp firewall.conf /etc/
chown root.root /etc/firewall.conf
chmod 640 /etc/firewall.conf

Edit /etc/firewall.conf to reflect the parameters of your particular installation. In particular, be sure to set the device names (eth0, eth1?) of the external and internal interfaces as well as their respective IP addresses.

Edit the remainder of the file to enable (1) or disable (0) the particular protocols that you wish to allow through the firewall. The sample file allows most client access protocols through the firewall, but all incoming requests for http, https, telnet, ftp, ssh, and smtp services are turned off.

Once this has been accomplished to your satisfaction, you can start the firewall with:

/etc/rc.d/init.d/firewall start

If the 'VERBOSE' flag has been set in /etc/firewall.conf, then messages will be output to the console during the process of configuring the rule chains indicating which protocols will be allowed.

Note that the firewall script will respond to the following commands:

/etc/rc.d/init.d/firewall start
/etc/rc.d/init.d/firewall stop
/etc/rc.d/init.d/firewall restart
/etc/rc.d/init.d/firewall status

The 'stop' command will flush the rule chains and will disable IP Masquerading and IP Forwarding as a safety precaution.
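To show how a flag-driven init script of this kind fits together (the 0/1 protocol switches in /etc/firewall.conf, the VERBOSE console messages, and the start/stop/restart/status commands), here is an example written for this page. It is not Craig Zeller's or Bob Sully's script; the configuration key names (EXT_IF, EXT_IP, INT_IF, INT_NET, ALLOW_HTTP_IN, MASQ_INTERNAL and so on) and the sample values are assumptions. With DRY_RUN=1, the default, every ipchains command is printed instead of executed, so the rule set it would load can be reviewed on any machine, without root and without an ipchains kernel.

```shell
#!/bin/sh
# Added example for this page; not Craig Zeller's or Bob Sully's script.
# A minimal SysV init-style firewall script driven by a 0/1 flag file in the
# spirit of /etc/firewall.conf (all key names below are assumed). With
# DRY_RUN=1 (the default here) every ipchains call is printed rather than
# executed, so the generated rule set can be reviewed on a host that has
# no ipchains at all.
DRY_RUN=${DRY_RUN:-1}
FWCONF=${FWCONF:-${TMPDIR:-/tmp}/firewall.conf.example}

# Constructed sample configuration, written out so the example is
# self-contained: 1 enables a protocol, 0 disables it.
write_sample_conf() {
    cat > "$FWCONF" <<'EOF'
EXT_IF=eth0
EXT_IP=203.0.113.10
INT_IF=eth1
INT_NET=192.168.1.0/24
VERBOSE=1
ALLOW_HTTP_IN=0
ALLOW_SSH_IN=0
ALLOW_HTTP_OUT=1
ALLOW_DNS_OUT=1
MASQ_INTERNAL=1
EOF
}
load_conf() { [ -f "$FWCONF" ] || write_sample_conf; . "$FWCONF"; }

# Every rule passes through run(), which prints or executes it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# Console progress messages, only when VERBOSE=1.
log() { if [ "$VERBOSE" = 1 ]; then echo "firewall: $*" >&2; fi; }
# Kernel IP forwarding on (1) or off (0).
set_forward() {
    if [ "$DRY_RUN" = 1 ]; then echo "echo $1 > /proc/sys/net/ipv4/ip_forward"
    else echo "$1" > /proc/sys/net/ipv4/ip_forward; fi
}

# Inbound TCP service on the external interface: accepted only when its flag
# is 1; otherwise the attempt is denied and logged (-l).
tcp_in() {  # $1 = flag, $2 = port, $3 = name
    if [ "$1" = 1 ]; then
        log "allowing inbound $3"
        run ipchains -A input -i "$EXT_IF" -p tcp -s 0/0 -d "$EXT_IP" "$2" -j ACCEPT
    else
        log "blocking inbound $3"
        run ipchains -A input -i "$EXT_IF" -p tcp -s 0/0 -d "$EXT_IP" "$2" -j DENY -l
    fi
}
# Outbound TCP client protocol: our connection out, plus replies back in that
# are not new connections ("! -y" excludes SYN-only packets).
tcp_out() {  # $1 = flag, $2 = port, $3 = name
    if [ "$1" = 1 ]; then
        log "allowing outbound $3"
        run ipchains -A output -i "$EXT_IF" -p tcp -s "$EXT_IP" -d 0/0 "$2" -j ACCEPT
        run ipchains -A input -i "$EXT_IF" -p tcp ! -y -s 0/0 "$2" -d "$EXT_IP" -j ACCEPT
    fi
}

fw_start() {
    load_conf
    run ipchains -F                          # start from empty chains
    for c in input output forward; do        # deny by default, then open
        run ipchains -P "$c" DENY            # only what the config enables
    done
    run ipchains -A input -i lo -j ACCEPT    # loopback and the trusted LAN
    run ipchains -A output -i lo -j ACCEPT   # side are unrestricted
    run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    run ipchains -A output -i "$INT_IF" -d "$INT_NET" -j ACCEPT
    tcp_in "$ALLOW_HTTP_IN" 80 http
    tcp_in "$ALLOW_SSH_IN" 22 ssh
    tcp_out "$ALLOW_HTTP_OUT" 80 http
    if [ "$ALLOW_DNS_OUT" = 1 ]; then
        run ipchains -A output -i "$EXT_IF" -p udp -s "$EXT_IP" -d 0/0 53 -j ACCEPT
        run ipchains -A input -i "$EXT_IF" -p udp -s 0/0 53 -d "$EXT_IP" -j ACCEPT
    fi
    if [ "$MASQ_INTERNAL" = 1 ]; then
        run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
        set_forward 1
    fi
}
# stop: switch forwarding/masquerading off first, then flush the chains, so a
# stopped firewall never keeps routing for the LAN with no rules in place.
fw_stop() {
    load_conf
    set_forward 0
    run ipchains -F
    for c in input output forward; do run ipchains -P "$c" ACCEPT; done
}
fw_status() { run ipchains -L -n; }

case "$1" in
    start) fw_start ;;  stop) fw_stop ;;  restart) fw_stop; fw_start ;;
    status) fw_status ;;  "") ;;       # no argument: just define the functions
    *) echo "usage: $0 {start|stop|restart|status}" >&2 ;;
esac
```

Run it as `DRY_RUN=1 sh firewall.example start` to see the rules that the sample flags would produce; with the sample file, inbound http and ssh are denied and logged while outbound http and DNS are allowed, and `stop` turns forwarding off before the chains are flushed. Disabled inbound services get an explicit DENY -l rule rather than relying on the default policy alone, which gives a log line in the kernel messages for every probe of a closed service.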

Downloads via FTP

The following files may also be obtained by anonymous-ftp from ftp.zdi.net (64.3.107.210) in /pub/Linux/firewall:

Download the new 'firewall.ipfwadm' script
Download the new 'firewall.ipchains' script
Download the new sample 'firewall.conf'
Download the ipfwadm-2.3.0-5 binary RPM
Info on the NEC 486 box

Old Version

Download my original ipfwadm 'rc.firewall' script
Download Bob Sully's ipchains 'rc.firewall' script
Download 'rc.local'
Download 'README.txt'

Updated Thu Apr 17, 2008.
All comments, questions, and requests to zeller@zdi.net