
IPKungFu easy iptables based server firewall

IPKungFu Firewall and Basic Server setup

IPKungFu is an iptables-based Linux firewall. It aims to simplify the configuration of Internet connection sharing, port forwarding, and packet filtering. -- http://freshmeat.net/projects/ipkungfu/

IPKungFu is better described as a smart script that eases the creation of complex firewall rules. Creating a gateway firewall, sharing an internet connection, or simply setting up a basic host firewall are all simple tasks. By default it includes advanced logging, SYN-flood protection, and port-scan protection.

Photo credit: masochismtango (Creative Commons License)

I am going to describe how to setup a basic server firewall with this base system as the example:

  • Ubuntu Server 8.04 LTS (hardy)
  • basic apt sources. (hardy main, hardy-updates main, hardy-security main)

Install

  user@server# sudo apt-get install ipkungfu

Configure

Open '/etc/ipkungfu/ipkungfu.conf' and change these settings:

  GATEWAY=0           # a plain server, not a gateway/NAT box
  BLOCK_PINGS=0       # 0 keeps ICMP echo open (needed if Nagios pings this host); 1 drops it
  SUSPECT="DROP"      # 'DROP' is the same as "Stealth" on consumer routers
  KNOWN_BAD="DROP"
  PORT_SCAN="DROP"
  GET_IP="AUTO"
  DISALLOW_PRIVATE=1  # for public-facing servers: drop packets with private (RFC 1918) source IPs as spoofs
  FAILSAFE=1

Open '/etc/ipkungfu/services.conf' and append 'ACCEPT' to the services you want reachable:

  # The defaults.  I set SSH, HTTP, and HTTPS services to 'ACCEPT'
  ftp-data:20:tcp
  ftp:21:tcp
  ssh:22:tcp:ACCEPT
  telnet:23:tcp
  smtp:25:tcp
  domain:53:tcp
  bootps:63:tcp
  http:80:tcp:ACCEPT
  pop3:110:tcp
  auth:113:tcp
  ntp:123:tcp
  imap:143:tcp
  https:443:tcp:ACCEPT
  imaps:993:tcp
  pop3s:995:tcp
  socks:1080:tcp

  # Custom Services
  # form: ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|any valid iptables target]
  splunk:8000:tcp:ACCEPT

It is important to enable SSH if you are working on a remote machine. Otherwise the firewall will block you from creating new connections once it starts.
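Because the lockout described above is easy to cause and hard to undo remotely, it is worth checking services.conf before starting the firewall. The following POSIX shell script is an added example, not part of ipkungfu or the original post: it parses the `Name:Port:Protocol[:Target]` format shown above (ignoring `#` comments), prints the same port/protocol/name/target table that `ipkungfu --test` shows, and refuses to proceed if SSH is not set to ACCEPT. The function names and the two sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not ipkungfu's own code): pre-flight check of a services.conf-style
# file before enabling the firewall on a remote host.
# Line format: ServiceName:ServicePort:Protocol[:TARGET]; '#' starts a comment.

# Print "port proto name target" for every service that has an explicit target,
# i.e. the rows ipkungfu --test lists under "Handling Services On The Following Ports".
ipkf_service_table() {
    # $1: path to a services.conf-style file
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk -F: '
        NF >= 4 { printf "%s %s %s %s\n", $2, $3, $1, $4 }'
}

# Return 0 if some service on the given port/protocol is set to ACCEPT, else 1.
ipkf_port_accepted() {
    # $1: services.conf path, $2: port number, $3: protocol (tcp/udp)
    ipkf_service_table "$1" | awk -v p="$2" -v pr="$3" '
        $1 == p && $2 == pr && $4 == "ACCEPT" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if it is safe to start the firewall from an SSH session, else 1.
ipkf_precheck() {
    # $1: services.conf path
    if ipkf_port_accepted "$1" 22 tcp; then
        echo "ok: ssh/22 is ACCEPT, remote session will survive"
        return 0
    fi
    echo "WARNING: ssh/22 is not ACCEPT; starting the firewall would cut off this session" >&2
    return 1
}

# Constructed sample input mirroring the post's services.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# The defaults
ftp:21:tcp
ssh:22:tcp:ACCEPT
http:80:tcp:ACCEPT
https:443:tcp:ACCEPT
# Custom Services
# form: ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT]
splunk:8000:tcp:ACCEPT
EOF

# Constructed sample in which the admin forgot to open SSH.
LOCKOUT_CONF=$(mktemp)
cat > "$LOCKOUT_CONF" <<'EOF'
ssh:22:tcp
http:80:tcp:ACCEPT
EOF
trap 'rm -f "$SAMPLE_CONF" "$LOCKOUT_CONF"' EXIT

ipkf_service_table "$SAMPLE_CONF"
ipkf_precheck "$SAMPLE_CONF"
ipkf_precheck "$LOCKOUT_CONF" || echo "(lockout sample correctly rejected)"
```

Run it against the real file with `ipkf_precheck /etc/ipkungfu/services.conf` before `sudo ipkungfu`; it only reads the file and needs no root.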

You can add custom IPTABLES rules to the '/etc/ipkungfu/custom.conf'. For example:

  ### Custom MAC address to be accepted for full access to the machine.
  $IPTABLES -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

Please note that MAC addresses are not secure: they are trivially spoofed. This rule is only an example of the syntax.

Test Configuration

  user@server# sudo ipkungfu --test

It should display output similar to this:

  Checking integrity: ..	PASSED
  Checking configuration...
   TTL support detected!
   MARK support detected!
  Clearing old chains and tables...
  Implementing custom rules...
  Handling Services On The Following Ports...
  -------------------------------
   Port  Protocol  Name   Target
  -------------------------------
   22    tcp       ssh    ACCEPT
   80    tcp       http   ACCEPT
   443   tcp       https  ACCEPT
  -------------------------------
  Creating proc settings cache:	OK
  Creating iptables rules cache:	OK

This should list all the ports you want to keep open. Did you open SSH? :)

Enable On Reboot

Edit '/etc/default/ipkungfu':

  IPKFSTART=1

Start the Service

  user@server# sudo ipkungfu

Other Resources

Reader Comments (2)

Does my MAC address change if I upgrade my computer with some other hardware? For example, change the graphics card?

March 6, 2010 | Unregistered Commenterryan@lan

Your MAC address is linked to your network card. Other devices will not change it. The MAC address can be changed by software, so it should not be used as your single source of security. :) Happy hacking!

March 8, 2010 | Unregistered CommenterMark
