
Firewall for Linux with a simple interface

The firewall is a bash script that integrates the following functions, each provided by the corresponding package:
  1. External and internal firewall (iptables package).
  2. Accounting for external and internal traffic (iptables package).
  3. Proxy server for the local networks (Squid package).
  4. Content filter for the local networks (DansGuardian package).
  5. DNS server for the local networks (BIND package).


The script is the result of many years of work and aims to be universal: it lets a Linux machine serve as the Internet gateway for both a small office and a large enterprise (it currently runs in five enterprises and one remote office, all on CentOS).
The script needs at least two network interfaces: one is external and all the others are treated as internal. The external interface is set by the EXTIF variable and is detected automatically if that variable is not set.
Another requirement is that all interfaces have static addresses; interfaces may obtain them dynamically, but the addresses must always be the same. This requirement arises because the iptables rules use the IP addresses of the interfaces. Rules are generated and applied from the fwtraf.conf configuration file with the command "fwtraf fwnormal" and saved with the command "fwtraf fwsave". In other words, if the IP addresses of the interfaces change, you will need to apply the rules again (and save them if you want them to remain in effect after a reboot).

The source NAT and web proxy modes of operation can be combined:


The script supports several local networks (LANS variable); they are separated by a space:
LANS="192.168.0.0/24 10.0.0.0/8"
It also supports remote local networks, for example the local networks of offices connected via VPN technologies (REMOTE_LANS variable):
REMOTE_LANS="192.168.1.0/24 192.168.3.0/24 192.168.5.0/24"

The script has a simple configuration file:


It lists static IP addresses and computer names of users who:


Ports (PORTS column):

If a content filter is used (WEBPROXY="DGSQUID") and the user is allowed the web ports, then the web access group is applied to that user (the WA column is short for "Web Access").

So-called forwarding of external-interface ports to internal IP addresses on the local networks (destination NAT) is very simple. This is convenient when SNAT mode is enabled on the gateway and the local networks are not reachable from the Internet. For example, let's allow the administrator to access the Internet from his computer (web and ftp traffic) and also let him connect from the Internet via RDP to the external IP address of the gateway, which will redirect the RDP traffic to his computer:
a 192.168.1.240 pc30 0 web,ftp,rdp-rdp # Admin
Note also that the forwarded ports do not have to match: for example, you can listen on port 2525 on the external IP and forward it to port 25 of the mail server located inside the local network:
a 192.168.1.2 mail 0 2525-25 # Mail Server
The script also creates daily HTML traffic reports and updates them hourly:
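As an added example (not code from the fwtraf script), here is how the "ext-int" port tokens in lines like the two above can be expanded into iptables destination-NAT rules. The meaning of the columns other than the IP address, host name and port list, the service-name table and the EXTIF value eth0 are assumptions; the script's real rule generator is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the fwtraf script): turn a fwtraf-style port
# specification such as "web,ftp,rdp-rdp" or "2525-25" into iptables
# destination-NAT rules for one internal host.
# Assumptions: EXTIF is the external interface; an "ext-int" token means
# "external port -> internal port"; the service-name table below is a
# constructed lookup, not the script's own.

port_number() {
    # Map a service name to a TCP port; numeric input passes through.
    case "$1" in
        web)  echo 80 ;;
        ftp)  echo 21 ;;
        rdp)  echo 3389 ;;
        smtp) echo 25 ;;
        *[!0-9]*) return 1 ;;
        *) echo "$1" ;;
    esac
}

# dnat_rules EXTIF INTERNAL_IP PORTSPEC
# Prints one PREROUTING DNAT rule plus one FORWARD accept rule for every
# "ext-int" token; plain tokens (no forwarding) are skipped.
dnat_rules() {
    extif=$1; lan_ip=$2
    echo "$3" | tr ',' '\n' | while IFS= read -r tok; do
        case "$tok" in *-*) ;; *) continue ;; esac
        ext=$(port_number "${tok%%-*}") || { echo "bad port: $tok" >&2; continue; }
        int=$(port_number "${tok#*-}")  || { echo "bad port: $tok" >&2; continue; }
        echo "iptables -t nat -A PREROUTING -i $extif -p tcp --dport $ext -j DNAT --to-destination $lan_ip:$int"
        echo "iptables -A FORWARD -i $extif -d $lan_ip -p tcp --dport $int -m state --state NEW -j ACCEPT"
    done
}

# Print (do not run) the rules for the two configuration lines above.
dnat_rules eth0 192.168.1.240 "web,ftp,rdp-rdp"
dnat_rules eth0 192.168.1.2 "2525-25"
```

The FORWARD rule is what keeps the DNAT useful when the gateway's FORWARD policy is DROP; only the internal port of the forwarded host is opened.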




And another small bonus: after installing the firewall, Logwatch's daily reports will show entries about IP addresses that exceeded the CONN_LIMIT connection limits. So you will always know who has taken an increased interest in your server:

- iptables firewall Begin ------------------------
Logged 24 packets on interface eth0
From 10.7.57.22 - 21 packets to tcp (110)
From 10.16.63.206 - 3 packets to tcp (110)

Logged 5367 packets on interface eth1
From 72.53.179.125 to 5297 packets to tcp (110)
From 193.255.130.19 - 2 packets to tcp (25)
From 217.175.23.3 - 68 packets to tcp (25)

- iptables firewall End -------------------------
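The summary above can be reproduced from raw kernel iptables LOG lines; the following is an added example, not part of fwtraf or Logwatch. The log lines are constructed samples and the "fwtraf:" log prefix is an assumption, not the script's real --log-prefix.

```shell
#!/bin/sh
# Added example (not part of fwtraf or Logwatch): summarise kernel
# iptables LOG lines into the per-interface, per-source counts shown in
# the Logwatch extract above. The log lines are constructed samples and
# the "fwtraf:" prefix is assumed, not the script's real --log-prefix.

SAMPLE_LOG='Jul 10 03:14:01 gw kernel: fwtraf: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=110
Jul 10 03:14:02 gw kernel: fwtraf: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=110
Jul 10 03:14:05 gw kernel: fwtraf: IN=eth1 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=25
Jul 10 03:14:09 gw kernel: fwtraf: IN=eth0 OUT= SRC=10.7.57.22 DST=192.168.1.1 PROTO=TCP SPT=1025 DPT=110
Jul 10 03:14:11 gw sshd[123]: unrelated line that must be ignored'

# summarise_log < logfile
# Prints "Logged N packets on interface IF" followed by one line per
# SRC/PROTO/DPT combination, counted over matching LOG lines only.
summarise_log() {
    awk '
        /kernel: fwtraf:/ {
            in_if = ""; src = ""; proto = ""; dpt = "";
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=");
                if (kv[1] == "IN")    in_if = kv[2];
                if (kv[1] == "SRC")   src   = kv[2];
                if (kv[1] == "PROTO") proto = tolower(kv[2]);
                if (kv[1] == "DPT")   dpt   = kv[2];
            }
            if (in_if == "" || src == "") next;
            total[in_if]++;
            count[in_if SUBSEP src SUBSEP proto SUBSEP dpt]++;
        }
        END {
            for (ifc in total) {
                printf "Logged %d packets on interface %s\n", total[ifc], ifc;
                for (k in count) {
                    split(k, p, SUBSEP);
                    if (p[1] == ifc)
                        printf "From %s - %d packets to %s (%s)\n", p[2], count[k], p[3], p[4];
                }
            }
        }'
}

printf '%s\n' "$SAMPLE_LOG" | summarise_log
```

On a real gateway the input would be /var/log/messages (or journalctl -k output); the order of the printed groups is unspecified because awk iterates its arrays in hash order.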



Installation

1. Download the firewall script and put it in /bin/:
wget --no-check-certificate sites.google.com/site/smkuzmin/home/fwtraf/fwtraf -O fwtraf
mv fwtraf /bin/
chmod 755 /bin/fwtraf
(--no-check-certificate disables TLS certificate verification, so inspect the downloaded script before installing it.)
2. Download the firewall configuration file and put it in /etc/fwtraf/:
wget --no-check-certificate sites.google.com/site/smkuzmin/home/fwtraf/fwtraf.conf -O fwtraf.conf
mkdir /etc/fwtraf
mv fwtraf.conf /etc/fwtraf/
3. Download the file for the cron task scheduler and put it in /etc/cron.d/:
wget --no-check-certificate sites.google.com/site/smkuzmin/home/fwtraf/fwtraf.cron -O fwtraf.cron
mv fwtraf.cron /etc/cron.d/
4. Turn off the iptables service and add firewall initialization on every boot:
chkconfig iptables off
chkconfig ip6tables off
echo "/bin/fwtraf fwinit" >> /etc/rc.d/rc.local
5. Read the file /etc/fwtraf/fwtraf.conf and edit it to suit your needs.
6. After editing fwtraf.conf, apply the firewall rules:
    fwtraf fwnormal - normal (working) mode.
7. Check that the firewall works and, if everything is fine, save the rules:
    fwtraf fwsave - all rules are saved and remain in effect after a reboot.

There is a mode with a minimum set of rules:
     fwtraf fwsimple - simple mode, personal rules are not applied, everything is allowed.

The remaining commands can be listed like this:
fwtraf - help on commands.

To enable support for working with BIND (note: the DNS zones will be overwritten!), uncomment the line with "DNSROOTDIR=..." in /bin/fwtraf.

Source: https://habr.com/ru/post/146116/