zarzax the blog

IPKungFu easy iptables based server firewall

by Mark on Mar.04, 2009, under sysadmin

IPKungFu Firewall and Basic Server setup

IPKungFu is an iptables-based Linux firewall. It aims to simplify the configuration of Internet connection sharing, port forwarding, and packet filtering. — http://freshmeat.net/projects/ipkungfu/

IPKungFu is better described as a smart script that eases the creation of complex iptables rule sets. Creating a gateway firewall, sharing an internet connection, or simply setting up a basic host firewall are all simple tasks. By default it includes advanced logging, SYN-flood protection, and port-scan protection.

I am going to describe how to set up a basic server firewall, using this base system as the example:

  • Ubuntu Server 8.04 LTS (hardy)
  • basic apt sources. (hardy main, hardy-updates main, hardy-security main)

Install

user@server# sudo apt-get install ipkungfu

Configure

Open ‘/etc/ipkungfu/ipkungfu.conf’ and change these settings:

GATEWAY=0
BLOCK_PINGS=1  #keep the ICMP port open for Nagios!!
SUSPECT="DROP"	#'DROP' is the same as Stealth on consumer routers
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
GET_IP="AUTO"
DISALLOW_PRIVATE=1  #for servers to reject private IPs as spoofs
FAILSAFE=1

Open ‘/etc/ipkungfu/services.conf’ and append ‘ACCEPT’ to the services you want reachable:

# The defaults.  I set SSH, HTTP, and HTTPS services to 'ACCEPT'
ftp-data:20:tcp
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
smtp:25:tcp
domain:53:tcp
bootps:63:tcp
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp:ACCEPT
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp

# Custom Services
# form: ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|any valid target]
splunk:8000:tcp:ACCEPT

It is important to set SSH to ACCEPT if you are working on a remote machine. Otherwise the firewall will block new SSH connections as soon as it starts, and you will lock yourself out.

You can add custom iptables rules to ‘/etc/ipkungfu/custom.conf’. For example:

### Custom MAC address to be Accepted for full access to machine.
$IPTABLES -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

Please note that MAC addresses are not a security control: they are trivially spoofed, and the mac match only sees the link-layer source of the last hop, so it is meaningful only for hosts on the same network segment. This is shown only as an example of the file's syntax.

Test Configuration

user@server# sudo ipkungfu --test

It should display output similar to this:

Checking integrity: ..	PASSED
Checking configuration...
 TTL support detected!
 MARK support detected!
Clearing old chains and tables...
Implementing custom rules...
Handling Services On The Following Ports...
-------------------------------
 Port  Protocol  Name   Target
-------------------------------
 22    tcp       ssh    ACCEPT
 80    tcp       http   ACCEPT
 443   tcp       https  ACCEPT
-------------------------------
Creating proc settings cache:	OK
Creating iptables rules cache:	OK

This should display all the ports you want to keep open. Did you open SSH? :)

Enable On Reboot

Edit ‘/etc/default/ipkungfu’:

IPKFSTART=1

Start the Service

user@server# sudo ipkungfu
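As an added example (not ipkungfu's own code), here is a small POSIX shell pre-flight check over a services.conf in the format used above: it lists which services a given target opens, validates the port numbers, and refuses to proceed unless an SSH entry is ACCEPTed, so a remote host is not locked out when the firewall starts. The sample configuration is constructed inline and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of ipkungfu: pre-flight checks over a
# services.conf in the ServiceName:Port:Protocol[:Target] format.

# Constructed sample in the page's format; a real run would read
# /etc/ipkungfu/services.conf instead.
SAMPLE_CONF=$(cat <<'EOF'
# The defaults
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp:DROP
smtp:25:tcp
http:80:tcp:ACCEPT
https:443:tcp:ACCEPT

# Custom Services
splunk:8000:tcp:ACCEPT
EOF
)

# Print "port/proto name" for every entry whose target equals $2,
# skipping comments and blank lines. $1 is the file's text.
list_target() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        /^[[:space:]]*(#|$)/ { next }
        NF >= 4 && $4 == want { printf "%s/%s %s\n", $2, $3, $1 }'
}

# Return 0 when tcp/22 or a service named ssh is ACCEPTed, 1 otherwise.
ssh_is_open() {
    list_target "$1" ACCEPT | grep -Eq '^22/tcp |^[0-9]+/tcp ssh$'
}

# Print "name:port" for any entry whose port is non-numeric or out of range.
bad_ports() {
    printf '%s\n' "$1" | awk -F: '
        /^[[:space:]]*(#|$)/ { next }
        $2 !~ /^[0-9]+$/ || $2 < 1 || $2 > 65535 { print $1 ":" $2 }'
}

# Gate the real "sudo ipkungfu" behind the checks.
if [ -z "$(bad_ports "$SAMPLE_CONF")" ] && ssh_is_open "$SAMPLE_CONF"; then
    echo "Services that will be ACCEPTed:"
    list_target "$SAMPLE_CONF" ACCEPT
else
    echo "Refusing to enable: SSH not accepted or bad port entries" >&2
fi
```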

2 Comments for this entry

  • ryan@lan

    Does my MAC address change if I upgrade my computer with some other hardware? For example, change the graphics card?

    • Mark

      Your MAC address is linked to your network card. Other devices will not change it. The MAC address can be changed by software, so it should not be used as your single source of security. :) Happy hacking!
