Help/installation

 

Some important (security) information:

1) Always first start the firewall before you enable your (ADSL) internet connection (if possible). For an ppp-interface that doesn't exist yet you can use the wildcard device called "ppp+" (but this only works if there aren't any other ppp interfaces!).

2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't really understand what they mean. Changing them anyway could have a big impact on the security of your machine.

3) I get a lot of emails from people complaining that their webserver etc. stopped working after installing my firewall. This is the CORRECT behaviour for a firewall: BLOCKING ALL incoming traffic by default. If you want for example want to run an HTTP-server(port 80) and/or an SSH-server(port 22) accessible from the internet you should configure the OPEN_TCP / OPEN_UDP variables accordingly. For HTTP AND SSH it should become: OPEN_TCP="22 80" OPEN_UDP="22 80"


Quick setup

If you want to have it run quickly or are a novice user than this is the part that's important. Remember that my firewall has a lot of other useful features which will NOT be used in this way. On the other hand, various security features are enabled by default to protect you from hostile attacks.

1) First we've to check whether your Linux setup is OK in order to make the script work correctly:

- It of course requires iptables to be installed. It's recommended to get the latest version (package), if possible. This prevents any incompatibilities or bugs my script might have with older versions and the latest version contains all known (security) fixes, which strengthens the firewall itself.

- Make sure that you have a kernel with iptables compiled into it or a module-based kernel with the iptables modules installed. This is NOT possible when ipchains is still installed. If ipchains is installed (default for RedHat 7.1) you need to do "rmmod ipchains" first before running this script.

  • It requires /bin/sh (installed by default)

  • My scripts needs the following binaries in your path: ifconfig, modprobe, grep, uname, sed, date, cut.

  • The traffic shaper (rc.traffic-shaper) requires the "tc" command (from the iproute2 package).

  • If you want to enable resolving of IPs ($RESOLV_IPS) then the command 'dig' should also be available.

2) Now we need to determine whether you have a single- or dual-homed machine. Single means you ONLY have one network-interface, which is the one connected to the outside "evil" world (internet). Dual-homed also have a local subnet connected to an additional network interface.

3) Put rc.iptables & iptables-firewall.conf in the appropriate directories (see above). You probably also want to automatically start the firewall-script at system boot. There are various ways to accomplish this (depending on your distribution), here are some examples:

  • RedHat: Drop a line like "/etc/rc.d/rc.iptables start" in the file "/etc/rc.d/rc.local" (probably at or near the end). The script is also compatible with chkconfig runlevels (Redhat) Note that the script has a chkconfig-compatible header, so if you're familar with it you can use this to stop/start the script in the different runlevels. In this case don't start it from "/etc/rc.d/rc.local" but instead put the script itself in /etc/init.d/ (instead of /etc/rc.d/) and eg. run "chkconfig rc.iptables on".

  • Debian: Put rc.iptables in "/etc/init.d/" and create a softlink to it in "/etc/rcS.d/" (eg. "ln -s /etc/init.d/rc.iptables /etc/rcS.d/S99iptables")


Now we will change the required settings in "(/etc/)iptables-firewall.conf":

4) Configure your external network interfaces, EXT_IF. This is the interface which is the one connected to the internet. When you have an (dynamically) IP assigned to you (by your ISP) via DHCP, you should set "EXT_IF_DHCP_IP=1" else leave it off (0).

5) For dual-homed machines you should also configure INT_IF, the interface used for the local network. You should set your local subnet range in "INTERNAL_NET=". If you want your internal network to be able to access the internet (aka. internet-sharing), you should also enable NAT (Masquerading) by setting "NAT=1").

6) If you don't have an (A)DSL modem (which works with a PPtP connection to your machine) or you have a bridging (transparent) modem, you can continue with step 7 (You can verify this with 'ifconfig', if a ppp device with your public IP exists you should (most likely) configure the (A)DSL MODEM settings).

Now we must configure the network interface(ethX) to which your modem is physically(!) connected (=MODEM_IF, which is commented(#) out by default), and this is NOT ppp+, ppp0 etc.!

Here are some examples on how to do it for some providers (it's assumed that the modem is connected to eth0):

PPPoE connection with a static public IP (ie. MxStream in the Netherlands)
(setup with the ADSL4Linux package from http://www.adsl4linux.nl):
- MODEM_IF="eth0"
- MODEM_IF_IP="10.0.0.150"
- MODEM_IP="10.0.0.138" # Make sure this IP corresponds to the one used by your modem!
- EXT_IF_DHCP_IP=0

T-DSL (Germany) with a dynamic public IP:
- MODEM_IF="eth0"
- MODEM_IF_IP="192.168.99.1"
- MODEM_IP=""
- EXT_IF_DHCP_IP=1

PPPoA connection with a dynamic public IP (eg. Versatel Zonnet in the Netherlands):
- MODEM_IF="eth0"
- MODEM_IF_IP="" # This MUST be unset("") (default)
- MODEM_IP="10.0.0.138" # Make sure this IP corresponds to the one used by your modem!
- EXT_IF_DHCP_IP=1


Note: For extra security you *can* set the IP of your modem (MODEM_IP), but it's not neccessary (anymore). If you don't know its IP or believe it doesn't have an IP, you can leave MODEM_IP="" (default). The same applies for the IP of the modem network interface (MODEM_IF_IP). In case of a PPPoA (PPP-over-ATM) you MUST leave MODEM_IF_IP unset(="")!

7) When your public IP is assigned to you by your ISP (through DHCP) then you should enable support for an DHCP-assigned external IP by setting "EXT_IF_DHCP_IP=1".

8) You're now ready to start the firewall by issueing "/etc/rc.d/rc.iptables start" or /etc/init.d/rc.iptables start (or whatever place you put rc.iptables in). Everything should now work OK, if it doesn't, carefully review all steps and your configuration. For troubleshouting you can consult my webpage (FAQ).


NOTE: Additional (more advanced) options are (also) explained in the configuration-file comments or in the QA's on my webpage (eg. Freeswan/VPN support).

Parameters for rc.iptables:
start = Start firewall (AND reset iptables counters)
stop = Stop firewall (set default policies to accept)
restart = Restart firewall (DOES NOT reset iptables counters)
breread = Reread blocked hosts (blackhole) file
status [-t {table}] [chain] = View firewall ruleset ([chain] & [-t {table}] are optional)"