Feeds:
Posts
Comments

Archive for September 30th, 2007

Creating and installing firewall scripts

I assume that you’ve already familiar with runlevels process. If you still don’t know about runlevels, you can go my tutorial about ‘Runlevels in Ubuntu‘ first.

If you are ready then let’s start a practice with creating our iptables script.

 

There 4 steps for you to follow.

  • Create your executable-scripts

  • Put the scripts into /etc/init.d directory.

  • Set up links for your scripts in each rc?.d directories that point to /etc/init.d/your_scripts.

  • Reboot the system.

 

Step 1. Create directory for the script (optional) and create the script.

taufanlubis@zyrex:~$ sudo mkdir /opt/my_firewall

taufanlubis@zyrex:~$ cd /opt/my_firewall/

taufanlubis@zyrex:/opt/my_firewall$

I like to put my firewall scripts collection in one directory. So, next time you need it for your working requirements then it will be easier for you to find.

 

Let’s make the script. You can use any text editor you want.

taufanlubis@zyrex:/opt/my_firewall$ sudo gedit myfirewall_scripts

Put your script in ‘gedit’ words editor, don’t forget to put ‘#!/bin/bash’ on the top of the scripts.

For example, my script is:

 

#!/bin/bash

#Remove all previous chain rules

iptables -F

 

#Accept packet data (tcp) through ethernet card no.1

#via port 80 (http), port 443 (https), port 110(pop3), port 25(smtp)

iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

#Drop all data that forwarded or output from your machine

#except the ports that we’ve set to be allowed.

iptables -A FORWARD -o eth0 -j DROP

iptables -A OUTPUT -o eth0 -j DROP

iptables -A INPUT -p tcp -i eth0 -j DROP

 

Then, save the file.

 

Check the content

taufanlubis@zyrex:/opt/my_firewall$ cat myfirewall_scripts

#!/bin/bash

#Remove all previous chain rules

iptables -F

 

#Accept packet data (tcp) through ethernet card no.1

#via port 80 (http), port 443 (https), port 110(pop3), port 25(smtp)

iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

#Drop all data that forwarded or output from your machine

#except the ports that we’ve set to be allowed.

iptables -A FORWARD -o eth0 -j DROP

iptables -A OUTPUT -o eth0 -j DROP

iptables -A INPUT -p tcp -i eth0 -j DROP

taufanlubis@zyrex:/opt/my_firewall$

 

Check the security level access

taufanlubis@zyrex:/opt/my_firewall$ ls -l

total 4

-rw-r–r– 1 root root 582 2007-09-29 10:55 myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

Change the security level access

taufanlubis@zyrex:/opt/my_firewall$ sudo chmod uog+x myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$ ls -l

total 4

-rwxr-xr-x 1 root root 582 2007-09-29 10:55 myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

Now, your script is ready to run.

 

Test the script

taufanlubis@zyrex:/opt/my_firewall$ sudo ./myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

taufanlubis@zyrex:/opt/my_firewall$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:/opt/my_firewall$

 

Now, everything is running smoothly. You can put the script into the particular runlevels.

 

Step 2. Copy your script to /etc/init.d/ directory.

 

taufanlubis@zyrex:/opt/my_firewall$ sudo cp myfirewall_scripts /etc/init.d/

 

Check the availability

taufanlubis@zyrex:/etc/init.d$ ls myfirewall_scripts

myfirewall_scripts

 

Step 3. Setup Links

 

To setup links for your script in each rc?.d you don’t have to it manually one by one. You can use Ubuntu command update-rc.d.

 

Manual for update-rc.d in Ubuntu

update-rc.d updates the System V style init script links /etc/rcrun‐level.d/NNname whose target is the script /etc/init.d/name. These links are run by init when it changes runlevels; they are generally used to start and stop system services such as daemons. runlevel is one of the runlevels supported by init, namely, 0123456789S, and NN is the two-digit sequence number that determines where in the sequence init will run the scripts. the two-digit sequence number that determines where in the sequence

init will run the scripts.

EXAMPLES

Insert links using the defaults:

update-rc.d foobar defaults

Equivalent command using explicit argument sets:

update-rc.d foobar start 20 2 3 4 5 . stop 20 0 1 6 .

Insert links for a service that should be running during multi-user

mode, but that does not need to be explicitly stopped on shutdown:

update-rc.d foobar multiuser

Equivalent command using explicit argument sets:

update-rc.d foobar start 20 2 3 4 5 . stop 20 1 .

More typical command using explicit argument sets:

update-rc.d foobar start 30 2 3 4 5 . stop 70 0 1 6 .

Remove all links for a script (assuming foobar has been deleted

already):

update-rc.d foobar remove

Example of disabling a service:

update-rc.d -f foobar remove

update-rc.d foobar stop 20 2 3 4 5 .

Example of a command for installing a system initialization-and-shut‐

down script:

update-rc.d foobar start 45 S . start 31 0 6 .

Example of a command for disabling a system initialization-and-shutdown

script:

script:

update-rc.d -f foobar remove

update-rc.d foobar stop 45 S .

 

Setup links for myfirewall_scripts

taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts defaults

Adding system startup for /etc/init.d/myfirewall_scripts …

/etc/rc0.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc1.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc6.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc2.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc3.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc4.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc5.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

taufanlubis@zyrex:~$

 

K20 in rc0.d, rc1.d and rc6.d = myfirewall_scripts will be executed when leaving runlevel N.

S20 in rc2.d, rc3.d, rc4.d and rc5.d = myfirewall_scripts will be executed when enter runlevel N.

 

Step 4. Reboot the system

 

Check the iptables status. If everything is running well then you will see your iptables chain rules.

taufanlubis@zyrex:~$ sudo iptables -L

Password:

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:~$

 

 

Removing a service

taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts remove

update-rc.d: /etc/init.d/myfirewall_scripts exists during rc.d purge (use -f to force)

taufanlubis@zyrex:~$

 

If the script has already run you have to use ‘-f (force)’ to remove the script.

 

taufanlubis@zyrex:~$ sudo update-rc.d -f myfirewall_scripts remove

Removing any system startup links for /etc/init.d/myfirewall_scripts …

/etc/rc0.d/K20myfirewall_scripts

/etc/rc1.d/K20myfirewall_scripts

/etc/rc2.d/S20myfirewall_scripts

/etc/rc3.d/S20myfirewall_scripts

/etc/rc4.d/S20myfirewall_scripts

/etc/rc5.d/S20myfirewall_scripts

/etc/rc6.d/K20myfirewall_scripts

taufanlubis@zyrex:~$

 

Is my myfirewall_scripts also removed?

No, your myfirewall_scripts is still in /etc/init.d/ directory.

update-rc.d only remove the links in each rc?.d directory.

 

You can check it.

taufanlubis@zyrex:~$ ls /etc/init.d/myfirewall_scripts

/etc/init.d/myfirewall_scripts

taufanlubis@zyrex:~$

 

Note:

One might, for example, cause the script myfirewall_scripts to execute at boot-up.

 

Happy trying……..

 

Read Full Post »

Runlevels in Ubuntu

If you have a script and you it run automatically during loading process then you have to know to runlevels process in Ubuntu. At first time you learn about runlevels, you may find yourself in a bit hard time to figure out how it work. There are so many articles explain about runlevels in the internet. I’ll try to explain the runlevels process in a easy way.

Hopefully, the way I describe the process will be clear enough for you to get a picture about runlevels.

Introduction

Runlevel is a mode of operation or level of run in a computer that uses Unix/Linux System V-style.

There 7 runlevels in Ubuntu, start from 0 to 6.

 

The following table summarizes it:

  • runlevel 0 = System Halt

  • runlevel 1 = Single User

  • runlevel 2 = Multi-user with GUI

  • runlevel 3 = Multi-user with GUI

  • runlevel 4 = Multi-user with GUI

  • runlevel 5 = runlevel 3 + X windows system

  • runlevel 6 = Reboot

 

Runlevel 1 is a single user mode. In this level, there are no daemons (services) are started. You can do rescue or trouble-shooting in this mode. Runlevel 0 for shutdown and runlevel 6 for reboot. The rest are used for running the system.

 

Like other Linux systems, run levels are defined by files in the file system.

All run level files are found in the /etc directory.

 

/etc/rc0.d/ runlevel 0

/etc/rc1.d/ runlevel 1

/etc/rc2.d/ runlevel 2

/etc/rc3.d/ runlevel 3

/etc/rc4.d/ runlevel 4

/etc/rc5.d/ runlevel 5

/etc/rc6.d/ runlevel 6

 

The contents of each directory determines what happens at that run level.

 

Check your current runlevel

taufanlubis@zyrex:~$ runlevel

N 2

taufanlubis@zyrex:~$

Ubuntu system come with id=2, which indicates that the default runlevel will be ’2′ when the multi-user state is entered, and the scripts in /etc/rc2.d/ will be run.

 

taufanlubis@zyrex:~$ who -r

run-level 2 2007-09-25 03:53 last=

taufanlubis@zyrex:~$

 

Note, taken from update-rc.d manual:

/etc/init.d/

The directory containing the actual init scripts.

 

/etc/rc?.d/

The directories containing the links used by init and managed by update-rc.d.

 

 

There is also another runlevel named runlevel ‘S’.

For more details, you can read the manual.

taufanlubis@zyrex:~$ man rcS

……..

……..

 

 

The configuration of rcS are placed in /etc/default/rcS or /usr/share/initscripts/default.rcS

 

To see the content just type:

taufanlubis@zyrex:/etc/init.d$ cat /usr/share/initscripts/default.rcS

#

# /etc/default/rcS

#

# Default settings for the scripts in /etc/rcS.d/

#

# For information about these variables see the rcS(5) manual page.

#

# This file belongs to the “initscripts” package.

 

TMPTIME=0

SULOGIN=no

DELAYLOGIN=no

UTC=yes

VERBOSE=no

FSCKFIX=no

 

 

Booting Process

 

Ubuntu boots up by executing the program init. The step of scripts to be executed are

  • /etc/init.d/rcS

  • /etc/rc.boot

  • all scripts in a directory specified by the default runlevel

  • /etc/rc0.d

  • /etc/rc1.d

  • /etc/rc2.d

  • /etc/rc3.d

  • /etc/rc4.d

  • /etc/rc5.d

  • /etc/rc6.d

 

Let’s check the content of /etc/init.d/rcS.

taufanlubis@zyrex:~$ cat /etc/init.d/rcS

#! /bin/sh

#

# rcS

#

# Call all S??* scripts in /etc/rcS.d/ in numerical/alphabetical order

#

exec /etc/init.d/rc S

 

taufanlubis@zyrex:/etc/init.d$

Mean that this script will run all of the scripts in /etc/rcS.d/.

 

Let’s check the content.

taufanlubis@zyrex:~$ ls -l /etc/rcS.d

total 4

-rw-r–r– 1 root root 785 2007-04-11 04:45 README

lrwxrwxrwx 1 root root 24 2007-07-31 11:15 S01mountkernfs.sh -> ../init.d/mountkernfs.sh

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S01readahead -> ../init.d/readahead

lrwxrwxrwx 1 root root 21 2007-07-31 11:15 S02hostname.sh -> ../init.d/hostname.sh

…..

…..

lrwxrwxrwx 1 root root 27 2007-07-31 11:15 S90console-screen.sh -> ../init.d/console-screen.sh

taufanlubis@zyrex:/etc/rcS.d$

How about rc1.d, rc2.d, rc3.d, rc4.d, rc5.d ando rc6.d?

 

taufanlubis@zyrex:~$ ls -l /etc/rc1.d

total 4

lrwxrwxrwx 1 root root 13 2007-07-31 11:15 K01gdm -> ../init.d/gdm

……

……

lrwxrwxrwx 1 root root 16 2007-07-31 11:15 S90single -> ../init.d/single

 

taufanlubis@zyrex:~$ ls -l /etc/rc2.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

….

….

lrwxrwxrwx 1 root root 24 2007-07-31 11:15 S99stop-readahead -> ../init.d/stop-readahead

 

taufanlubis@zyrex:~$ ls -l /etc/rc3.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

…..

…..

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S99rmnologin -> ../init.d/rmnologin

 

taufanlubis@zyrex:~$ ls -l /etc/rc4.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

……

……

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S99rmnologin -> ../init.d/rmnologin

taufanlubis@zyrex:~$

 

taufanlubis@zyrex:~$ ls -l /etc/rc5.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

…..

…..

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S99rmnologin -> ../init.d/rmnologin

 

taufanlubis@zyrex:~$ ls -l /etc/rc6.d

total 4

lrwxrwxrwx 1 root root 13 2007-07-31 11:15 K01gdm -> ../init.d/gdm

……

……

lrwxrwxrwx 1 root root 18 2007-07-31 11:15 S40umountfs -> ../init.d/umountfs

lrwxrwxrwx 1 root root 20 2007-07-31 11:15 S60umountroot -> ../init.d/umountroot

lrwxrwxrwx 1 root root 16 2007-07-31 11:15 S90reboot -> ../init.d/reboot

 

taufanlubis@zyrex:~$ ls -l /etc/init.d/

total 460

….

….

-rwxr-xr-x 1 root root 864 2007-04-14 02:51 stop-readahead

….

….

-rwxr-xr-x 1 root root 3477 2007-04-11 04:45 umountfs

-rwxr-xr-x 1 root root 1833 2007-04-11 04:45 umountnfs.sh

-rwxr-xr-x 1 root root 1105 2007-04-11 04:45 umountroot

….

….

Now you see that, actually, all the scripts above are just symbolic links back to to scripts in /etc/init.d/.

 

These scripts are used to perform initialization such as to check and to mount file systems, to load modules, to start network services, to set the clock and to perform other initialization.

 

Specifically, before entering any runlevel, all the scripts beginning with ‘K’ are run; these scripts kill services. Then all the scripts beginning with ‘S’ are run; these scripts start services.

The two-digit number following the ‘K’ or ‘S’ indicates the order in which the script is run. Lower numbered scripts are executed first.

 

The scripts in /etc/init.d/ can be either:

  • start

  • stop

  • reload

  • restart

  • force-reload

These scripts can be used even after a system has been booted, to control various processes.

 

Now, let’s try with restart with the networking.

taufanlubis@zyrex:~$ sudo /etc/init.d/networking restart

Password:

* Reconfiguring network interfaces… RTNETLINK answers: No such process

There is already a pid file /var/run/dhclient.eth0.pid with pid 5659

killed old client process, removed PID file

Internet Systems Consortium DHCP Client V3.0.4

Copyright 2004-2006 Internet Systems Consortium.

All rights reserved.

For info, please visit http://www.isc.org/sw/dhcp/

 

Listening on LPF/eth0/00:90:f5:36:9a:eb

Sending on LPF/eth0/00:90:f5:36:9a:eb

……

……

 

Argument ‘restart‘ at “taufanlubis@zyrex:~$ sudo /etc/init.d/networking restart” will send networking daemon a signal to reread its configuration file.

Read Full Post »

Masquerading (Many to One NAT)
NAT = Network Address Translation

Mean that all traffics from your networks behind the firewall will be appear on the internet as if as it is only originated form a single ip address.

The masquerade IP address always defaults to the IP address of the firewall’s main interface. It will be easier for you to configure iptables NAT with DHCP because you don’t have to specify the NAT IP address.

 

Masquerade needs iptables_nat module and IP forwarding = enabled to run.

 

 

Step 1. Load the iptables_nat module

taufanlubis@zyrex:~$ sudo modprobe -a iptable_nat

or

put at /etc/rc.local

modprobe -a iptable_nat

 

Check if it’s already uploaded.

root@zyrex:/home/taufanlubis# sudo modprobe -l | grep iptable_nat

/lib/modules/2.6.20-16-generic/kernel/net/ipv4/netfilter/iptable_nat.ko

root@zyrex:/home/taufanlubis#

 

 

Step 2. Enable routing by modifying the ip_forward at /proc/sys/net/ipv4 from value ’0′ to ’1′.

0 = disable/ 1=enable

taufanlubis@zyrex:~$ su root

Password:

root@zyrex:/home/taufanlubis# echo 1 > /proc/sys/net/ipv4/ip_forward

Check the value.

root@zyrex:/home/taufanlubis# cat /proc/sys/net/ipv4/ip_forward

1

root@zyrex:/home/taufanlubis#

 

 

Step 3. Allow masquerading

Let’s try a case.

You have 2 interface in your router.

eth0 is the internet interface

eth1 is the private network interface

If you configure your firewall to do masquerading, you should use the ip address from eth1 as a default gateway for all your severs on the network.

 

taufanlubis@zyrex:~$ sudo iptables -A POSTROUTING -t nat -s 192.168.0.1/24 -o et

h0 -d 0/0 -j MASQUERADE

 

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

After ‘network address translation table‘ from ‘ip 192.168.0.1-192.168.0.254 destined to any ip address‘ are masqueraded, the packets then are routed via the filter table’s FORWARD chain.

Allowed outbound: New, established and related connections

Allowed inbound: Established and related connections

 

Check the iptables’ rules again.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT 0 — anywhere anywhere state NEW,RELATED,ESTABLISHED

ACCEPT 0 — anywhere anywhere state RELATED,ESTABLISHED

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

You will not see the POSTROUTING chain rule because the ‘iptables rules‘ displays INPUT, FORWARD and OUTPUT information only.

 

 

 

Read Full Post »

Follow

Get every new post delivered to your Inbox.

Join 75 other followers