IPKungFu Firewall and Basic Server setup
IPKungFu is an iptables-based Linux firewall. It aims to simplify the configuration of Internet connection sharing, port forwarding, and packet filtering. -- http://freshmeat.net/projects/ipkungfu/
IPKungFu is better described as a smart script that eases the creation of complex firewall rules. Creating a gateway firewall, sharing an Internet connection, or simply setting up a basic firewall are all simple tasks. By default it includes advanced logging, SYN-flood protection, and port-scan protection.
I am going to describe how to set up a basic server firewall, using this base system as the example:
- Ubuntu Server 8.04 LTS (hardy)
- basic apt sources. (hardy main, hardy-updates main, hardy-security main)
user@server# sudo apt-get install ipkungfu
open '/etc/ipkungfu/ipkungfu.conf' and change these settings:
GATEWAY=0
BLOCK_PINGS=1 #keep the ICMP port open for Nagios!!
SUSPECT="DROP" #'DROP' is the same as Stealth on consumer routers
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
GET_IP="AUTO"
DISALLOW_PRIVATE=1 #for servers to reject private IPs as spoofs
FAILSAFE=1
open '/etc/ipkungfu/services.conf' and add 'ACCEPT' to the services you want:
# The defaults. I set SSH, HTTP, and HTTPS services to 'ACCEPT'
ftp-data:20:tcp
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
smtp:25:tcp
domain:53:tcp
bootps:63:tcp
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp:ACCEPT
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp
# Custom Services
# form: ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|any valid target]
splunk:8000:tcp:ACCEPT
If you are working on a remote machine, it is important to set SSH to ACCEPT. Otherwise the firewall will block new connections and lock you out.
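As an added example (not ipkungfu's own code), the POSIX shell script below parses lines in the ServiceName:ServicePort:Protocol[:Target] format used by services.conf, prints the iptables rule each line would produce, and checks that ssh is ACCEPT before you apply the rules on a machine you reach over SSH. It assumes that services listed without a target fall through to the SUSPECT target (DROP in the configuration above); the service lines it reads are constructed samples.

```shell
#!/bin/sh
# Constructed sample in the ServiceName:Port:Protocol[:Target] format
# (not the real /etc/ipkungfu/services.conf).
SAMPLE_SERVICES='# The defaults
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
http:80:tcp:ACCEPT
https:443:tcp:ACCEPT
splunk:8000:tcp:ACCEPT'

# Target for services listed without one. Assumption: ipkungfu sends
# these to the SUSPECT target, which the ipkungfu.conf above sets to DROP.
DEFAULT_TARGET=DROP

# services_to_rules: read service lines on stdin and print one iptables
# command per service; comments, blank and malformed lines are skipped.
services_to_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in
            *:*:*) ;;
            *) printf 'skipping malformed line: %s\n' "$line" >&2; continue ;;
        esac
        name=${line%%:*};  rest=${line#*:}
        port=${rest%%:*};  rest=${rest#*:}
        proto=${rest%%:*}
        case "$rest" in
            *:*) target=${rest#*:} ;;          # explicit target given
            *)   target=$DEFAULT_TARGET ;;     # no target: fall through
        esac
        printf 'iptables -A INPUT -p %s --dport %s -j %s # %s\n' \
            "$proto" "$port" "$target" "$name"
    done
}

# ssh_is_open: exit 0 only if some line grants ACCEPT on tcp/22, the
# lock-out check to run before loading rules on a remote server.
ssh_is_open() {
    printf '%s\n' "$1" | services_to_rules |
        grep -q '^iptables -A INPUT -p tcp --dport 22 -j ACCEPT'
}

# Usage: show the rules, then warn if SSH would be blocked.
printf '%s\n' "$SAMPLE_SERVICES" | services_to_rules
ssh_is_open "$SAMPLE_SERVICES" ||
    echo "WARNING: ssh (22/tcp) is not ACCEPT; you would lock yourself out" >&2
```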
You can add custom IPTABLES rules to the '/etc/ipkungfu/custom.conf'. For example:
### Custom MAC address to be Accepted for full access to machine.
$IPTABLES -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
Please note that MAC addresses are not secure; they are trivially spoofed. This is used only as an example.
user@server# sudo ipkungfu --test
It should display something similar to this:
Checking integrity: .. PASSED
Checking configuration...
TTL support detected!
MARK support detected!
Clearing old chains and tables...
Implementing custom rules...
Handling Services On The Following Ports...
-------------------------------
Port Protocol Name Target
-------------------------------
22 tcp ssh ACCEPT
80 tcp http ACCEPT
443 tcp https ACCEPT
-------------------------------
Creating proc settings cache: OK
Creating iptables rules cache: OK
This should list all the ports you want to keep open. Did you open SSH? :)
Enable On Reboot
Start the Service
user@server# sudo ipkungfu
- http://www.linuxkungfu.org/ -- Author's Site
- http://freshmeat.net/projects/ipkungfu/ -- Freshmeat Tracker
- https://help.ubuntu.com/community/firewall/ipkungfu -- Ubuntu Community Documentation