networking:firewall:arno_s_firewall (revision 2011/11/01 13:09)

====== Arno's Firewall ======

http://rocky.eld.leidenuniv.nl/joomla/index.php?option=com_content&view=article&id=45&Itemid=63

===== Install =====

Verify the current network setup before installing, so the firewall's rules can later be compared against it:

<file>
ifconfig                     # show network interfaces
route -n                     # show routing table
iptables -nL | grep ACCEPT   # show 'allow' rules
iptables -t nat -n -L        # show NAT rules
</file>

Additional packages for CentOS minimal installations:

<file>
yum install wget which bind-utils
</file>

Install:

<file>
wget http://rocky.eld.leidenuniv.nl/arno-iptables-firewall/arno-iptables-firewall_2.0.0c.tar.gz

tar -xzvf arno-iptables-firewall<tab>   # <tab>: complete the file name with the Tab key
cd arno-iptables-firewall<tab>
./install.sh
</file>

The install script calls the configure script at the end (the path reflects the version that was unpacked):

<file>
/root/arno-iptables-firewall_2.0.0b/configure.sh

service arno-iptables-firewall start
</file>
- 
===== Configure =====

Startup verbosity is set in the init script:

<file>
vim /etc/init.d/arno-iptables-firewall
</file>

Firewall rules. OPEN_TCP opens a port to any source; HOST_OPEN_TCP restricts a set of ports to the listed source addresses (entries are space-separated, hosts and ports comma-separated, port ranges written as low:high, with ~ between the hosts and their ports):

<file>
vim /etc/arno-iptables-firewall/firewall.conf

# open from anywhere
OPEN_TCP="2222"
# limited by source address
HOST_OPEN_TCP="209.193.64.254~80,443,10000:10010 109.169.59.200,209.104.9.39~389,636"

service arno-iptables-firewall restart

iptables -nL | grep ACCEPT
</file>
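A HOST_OPEN_TCP value is easy to get subtly wrong (a missing ~, a stray space inside a host list), and the mistake only shows up after a restart. The script below is an added example, not part of this page or of arno-iptables-firewall: it expands a HOST_OPEN_TCP string into the source/port pairs it implies and prints them as plain iptables commands for review. The function names and the flat INPUT-chain rule form are my own; the real firewall script builds its own chains.

```shell
#!/bin/sh
# Added example (not arno-iptables-firewall code): expand a HOST_OPEN_TCP
# string into the per-source, per-port pairs it implies, so the list can be
# reviewed before the firewall is restarted. Assumed syntax, as used on this
# page: space-separated entries, each "host[,host...]~port[,port|lo:hi...]".

# Print one "SRC PORT" line per pair (PORT may be a lo:hi range); fail on an
# entry that has no '~' separator.
expand_host_open_tcp() {
    for entry in $1; do
        hosts=${entry%%"~"*}
        ports=${entry#*"~"}
        if [ "$hosts" = "$entry" ]; then
            echo "bad entry (missing '~'): $entry" >&2
            return 1
        fi
        for h in $(echo "$hosts" | tr ',' ' '); do
            for p in $(echo "$ports" | tr ',' ' '); do
                echo "$h $p"
            done
        done
    done
}

# Render the expanded pairs as iptables commands (printed, not executed);
# the INPUT-chain form is illustrative only.
render_rules() {
    expand_host_open_tcp "$1" | while read -r src port; do
        echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
    done
}

# Number of rules an entry string would produce
count_rules() {
    expand_host_open_tcp "$1" | wc -l | tr -d ' '
}

# Sample value taken from the firewall.conf example on this page
SAMPLE="209.193.64.254~80,443,10000:10010 109.169.59.200,209.104.9.39~389,636"
render_rules "$SAMPLE"
```

For the page's sample value this prints seven ACCEPT commands: three for 209.193.64.254 and two each for 109.169.59.200 and 209.104.9.39. Compare that list with `iptables -nL | grep ACCEPT` after the restart.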
- 
===== Logging =====

Logging defaults to /var/log/messages. Here we configure logging to a separate file, /var/log/firewall.log, and add a logrotate entry for it.

Edit /etc/arno-iptables-firewall/firewall.conf and change:

<file>
FIREWALL_LOG="/var/log/firewall.log"
LOGLEVEL="debug" # if you want the highest level of logging

cat << EOF >> /etc/logrotate.d/firewall
/var/log/firewall.log {
        rotate 4
        weekly
        compress
        notifempty
        create 0600 root root
        delaycompress
}
EOF

cat << EOF >> /etc/syslog.conf

# Log all iptables messages to /var/log/firewall.log
kern.=debug                                             /var/log/firewall.log
EOF

kill -HUP $(pidof syslogd)

service arno-iptables-firewall check-conf
service arno-iptables-firewall restart
</file>

The selector kern.=debug matches only debug-priority kernel messages, which is why LOGLEVEL is set to debug above. On hosts running rsyslog the file to edit is /etc/rsyslog.conf and the daemon to signal is rsyslogd.
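Once the firewall writes to its own file, the first thing worth knowing is which sources and destination ports dominate the dropped traffic. The script below is an added example, not from this page or the project: it parses the key=value fields that the netfilter LOG target writes (SRC, DST, PROTO, DPT) and tallies them. The log lines are constructed for the example; the "AIF:" prefix text is an assumption, and only the SRC=/DPT= fields are relied on.

```shell
#!/bin/sh
# Added example (not arno-iptables-firewall code): summarise dropped packets
# from a firewall log by source address and destination port.

# Constructed sample of firewall.log lines, not captured from a real host.
# The key=value fields follow the netfilter LOG format; the "AIF:" log
# prefix is assumed. The last line is an unrelated entry that must be ignored.
SAMPLE_LOG='Nov  1 13:09:01 fw kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=23
Nov  1 13:09:02 fw kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=23
Nov  1 13:09:03 fw kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=5353
Nov  1 13:09:04 fw kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=22
Nov  1 13:09:05 fw sshd[123]: Accepted publickey for admin from 10.0.0.2 port 50000 ssh2'

# Read log lines on stdin; print "COUNT SRC PROTO/DPT", busiest first.
# Only kernel lines carrying both SRC= and DPT= are counted, so service
# messages that share the file are skipped.
summarize_drops() {
    awk '
        /kernel:/ && /SRC=/ && /DPT=/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "" && dpt != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Run it against the real file with `summarize_drops < /var/log/firewall.log`. A single source hitting many different ports in a short window is the pattern a port scan leaves; a burst against one port from many sources usually means a new service is exposed or a rule was opened too widely.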
- 
===== Auto Startup =====

Enable the Arno service at boot and disable the stock iptables/ip6tables services so they do not load a competing rule set:

<file>
chkconfig arno-iptables-firewall on
chkconfig iptables off
chkconfig ip6tables off
</file>

===== Port Check =====

Verify that the opened port appears in an ACCEPT rule:

<file>
iptables -nL | grep 2222
iptables -nL | grep ACCEPT
</file>

===== Restart =====

<file>
service iptables stop
service ip6tables stop
service arno-iptables-firewall restart
</file>
- 
===== Adaptive Ban Plugin =====

If you have not restarted the firewall (and then upgraded, following the prompt) via the web interface, please do... or "upgrade-arno-firewall upgrade" from the CLI.  Of course, any changes to the plugins require a restart of the firewall to take effect.

The new Adaptive Ban plugin uses the same technique as fail2ban ( http://www.fail2ban.org ).

While this technique is proven, our implementation as a plugin to the Arno Firewall is new, so users are encouraged to give it a try.  Please report any problems... and successes :-)

To show we eat our own cooking, below is my Adaptive Ban plugin setting on my production boxes.

Lonnie
- 
<file>
--- snip ---

# ------------------------------------------------------------------------------
#            -= Arno's iptables firewall - Adaptive Ban plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=1

# Log file where failed access attempts are derived
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_FILE="/var/log/messages"

# The time in seconds between each iteration of analyzing the log file
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TIME=90

# The number of log failures to ban host
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_COUNT=6

# A list of analysis types that are applied
# Choose from: sshd asterisk mini_httpd
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TYPES="asterisk"

# By default, inbound packets from banned IP addresses will be silently DROP'ed
# As an option, the packets can be REJECT'ed instead of being DROP'ed
# Define ADAPTIVE_BAN_REJECT=1 for an ICMP error message to be returned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_REJECT=1

# By default, INTERNAL (LAN) networks will be whitelisted against banning
# As an option, this automatic whitelisting can be disabled
# Define ADAPTIVE_BAN_WHITELIST_INTERNAL=0 to disable INTERNAL whitelisting
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST_INTERNAL=1

# Whitelist Hosts
# A list of IP addresses whose traffic will never be banned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST=""

--- snip ---
</file>
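The plugin settings above describe a fail2ban-style loop: every ADAPTIVE_BAN_TIME seconds, count failures per source in ADAPTIVE_BAN_FILE, ban any source at or above ADAPTIVE_BAN_COUNT, and never ban a whitelisted host. The script below is an added example written to show that decision on sshd "Failed password" lines; it is not the plugin's code. The log lines are constructed, the whitelist is matched as exact addresses only (the plugin additionally whitelists INTERNAL networks), and the INPUT-chain rule it prints is illustrative.

```shell
#!/bin/sh
# Added example (not the Adaptive Ban plugin's code): the fail2ban-style
# decision the plugin settings describe, applied to sshd failure lines.

ADAPTIVE_BAN_COUNT=6
ADAPTIVE_BAN_REJECT=1
ADAPTIVE_BAN_WHITELIST="192.0.2.50"   # constructed whitelist entry

# Emit $2 constructed "Failed password" lines from source $1
emit_failures() {
    i=0
    while [ "$i" -lt "$2" ]; do
        echo "Nov  1 13:1$i:00 fw sshd[20$i]: Failed password for root from $1 port $((50000 + i)) ssh2"
        i=$((i + 1))
    done
}

# Constructed auth log (not from a real host): 198.51.100.7 fails six times,
# whitelisted 192.0.2.50 fails seven times, 203.0.113.9 fails twice and then
# logs in successfully.
sample_auth_log() {
    emit_failures 198.51.100.7 6
    emit_failures 192.0.2.50 7
    emit_failures 203.0.113.9 2
    echo "Nov  1 13:20:00 fw sshd[2099]: Accepted publickey for admin from 203.0.113.9 port 50100 ssh2"
}

# Read log lines on stdin; print the sources with at least $1 failures that
# are not in the whitelist $2 (space-separated IPs, exact match only).
ban_candidates() {
    awk -v limit="$1" -v wl="$2" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit && !(ip in skip)) print ip }
    ' | sort
}

# The rule a ban would install for $1, honouring ADAPTIVE_BAN_REJECT
# (printed, not executed; the chain and rule form are illustrative).
ban_rule() {
    if [ "$ADAPTIVE_BAN_REJECT" = "1" ]; then
        echo "iptables -I INPUT -s $1 -j REJECT"
    else
        echo "iptables -I INPUT -s $1 -j DROP"
    fi
}

for ip in $(sample_auth_log | ban_candidates "$ADAPTIVE_BAN_COUNT" "$ADAPTIVE_BAN_WHITELIST"); do
    ban_rule "$ip"
done
```

With the constructed log only 198.51.100.7 is banned: 192.0.2.50 exceeds the threshold but is whitelisted, and 203.0.113.9 stays below it. This is also why the whitelist settings matter: a mistyped or missing whitelist entry lets the same loop lock out an administrator's own address after a few typos.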
networking/firewall/arno_s_firewall.1320174564.txt.gz · Last modified: 2012/01/11 15:55 (external edit)