Verify current network setup:
ifconfig                      # show network interfaces
route -n                      # show routing
iptables -nL | grep ACCEPT    # show 'allow' rules
iptables -t nat -n -L         # show NAT rules
Additional for CentOS minimal installations:
yum install wget which bind-utils
Install:
wget http://rocky.eld.leidenuniv.nl/arno-iptables-firewall/arno-iptables-firewall_2.0.0c.tar.gz
tar -xzvf arno-iptables-firewall<tab>
cd arno-iptables-firewall<tab>
./install.sh
The install script calls the configure script at the end:
/root/arno-iptables-firewall_2.0.0b/configure.sh
service arno-iptables-firewall start
Startup verbosity:
vim /etc/init.d/arno-iptables-firewall
Firewall:
vim /etc/arno-iptables-firewall/firewall.conf

# open from anywhere
OPEN_TCP="2222"
# limited by source address (hosts~ports; several hosts or ports are comma-separated, low:high is a port range)
HOST_OPEN_TCP="209.193.64.254~80,443,10000:10010 109.169.59.200,209.104.9.39~389,636"

service arno-iptables-firewall restart
iptables -nL | grep ACCEPT
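The HOST_OPEN_TCP value packs several rules into one string, so a bare grep for ACCEPT is easy to misread. The following is an added example (not part of Arno's iptables firewall) that expands the HOST_OPEN_TCP syntax into individual source/port pairs and checks each one against a saved "iptables -nL" listing, failing loudly when a pair has no ACCEPT rule. The listing embedded below is constructed for the example, not captured from a real host, and the check assumes the standard iptables -nL column layout (dpt:/dpts:); it deliberately leaves out one of the seven expected rules so the MISSING path is exercised.

```shell
#!/bin/sh
# Added example: verify that every host/port pair in HOST_OPEN_TCP shows up as
# an ACCEPT rule in an "iptables -nL" listing saved to a file. On a real host:
#   iptables -nL > /tmp/rules.txt; check_host_open_tcp "$HOST_OPEN_TCP" /tmp/rules.txt

HOST_OPEN_TCP="209.193.64.254~80,443,10000:10010 109.169.59.200,209.104.9.39~389,636"

# Expand "host1,host2~port1,port2 host3~port3" into one "host port" line per pair.
# Port ranges such as 10000:10010 are kept as written; iptables prints them as dpts:low:high.
expand_host_open_tcp() {
  for entry in $1; do
    hosts=${entry%%~*}
    ports=${entry#*~}
    for host in $(echo "$hosts" | tr ',' ' '); do
      for port in $(echo "$ports" | tr ',' ' '); do
        echo "$host $port"
      done
    done
  done
}

# Return 0 when every expanded pair in the spec ($1) has an ACCEPT rule in the
# saved listing ($2); otherwise print the missing pairs and return 1.
check_host_open_tcp() {
  spec=$1
  rules=$2
  missing=0
  pairs=$(expand_host_open_tcp "$spec")
  old_ifs=$IFS
  IFS='
'
  for pair in $pairs; do
    IFS=$old_ifs
    host=${pair% *}
    port=${pair#* }
    case $port in
      *:*) pat="dpts:$port" ;;   # iptables -nL shows a range as dpts:low:high
      *)   pat="dpt:$port" ;;
    esac
    # -w keeps dpt:80 from matching dpt:8080 and 10.0.0.1 from matching 10.0.0.10
    if grep '^ACCEPT' "$rules" | grep -Fw -- "$host" | grep -Fwq -- "$pat"; then
      echo "ok      $host -> $port"
    else
      echo "MISSING $host -> $port"
      missing=$((missing + 1))
    fi
  done
  IFS=$old_ifs
  [ "$missing" -eq 0 ]
}

# Constructed "iptables -nL" sample (not from a real host). It carries six of the
# seven expected rules: 209.104.9.39 -> 636 is intentionally absent.
sample_listing() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Chain HOST_OPEN_TCP (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  209.193.64.254       0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  209.193.64.254       0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  209.193.64.254       0.0.0.0/0            tcp dpts:10000:10010
ACCEPT     tcp  --  109.169.59.200       0.0.0.0/0            tcp dpt:389
ACCEPT     tcp  --  109.169.59.200       0.0.0.0/0            tcp dpt:636
ACCEPT     tcp  --  209.104.9.39         0.0.0.0/0            tcp dpt:389
EOF
  echo "$f"
}

listing=$(sample_listing)
check_host_open_tcp "$HOST_OPEN_TCP" "$listing" || echo "some HOST_OPEN_TCP rules are missing from the listing"
rm -f "$listing"
```

Run against the sample it prints six "ok" lines and one "MISSING 209.104.9.39 -> 636"; against a real listing it exits non-zero whenever the loaded rules and firewall.conf have drifted apart, which is the case worth catching after a restart.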
Logging defaults to /var/log/messages. Here we configure logging to a separate file /var/log/firewall.log.
Edit /etc/arno-iptables-firewall/firewall.conf and change:
FIREWALL_LOG="/var/log/firewall.log"
LOGLEVEL="debug"   # if you want the highest level of logging

Then add a logrotate entry for the new file and tell syslog to send kernel debug messages (the level iptables logs at) to it:

cat << EOF >> /etc/logrotate.d/firewall
/var/log/firewall.log {
    rotate 4
    weekly
    compress
    notifempty
    create 0600 root root
    delaycompress
}
EOF

cat << EOF >> /etc/syslog.conf
# Log all iptables messages to /var/log/firewall.log
kern.=debug /var/log/firewall.log
EOF
kill -HUP $(pidof syslogd)

service arno-iptables-firewall check-conf
service arno-iptables-firewall restart
chkconfig arno-iptables-firewall on
chkconfig iptables off
chkconfig ip6tables off
iptables -nL | grep 2222
iptables -nL | grep ACCEPT
service iptables stop
service ip6tables stop
service arno-iptables-firewall restart
If you have not restarted the firewall (and then upgraded, following the prompt) via the web interface, please do… or “upgrade-arno-firewall upgrade” from the CLI. Of course, any changes to the plugins require a restart of the firewall to take effect.
The new Adaptive Ban plugin uses the same technique as fail2ban ( http://www.fail2ban.org ).
While this technique is proven, our implementation as a plugin to the Arno Firewall is new, so users are encouraged to give it a try. Please report any problems… and successes
To show we eat our own cooking, below is my Adaptive Ban plugin setting on my production boxes.
Lonnie
--- snip ---
# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - Adaptive Ban plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=1

# Log file where failed access attempts are derived
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_FILE="/var/log/messages"

# The time in seconds between each iteration of analyzing the log file
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TIME=90

# The number of log failures to ban host
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_COUNT=6

# A list of analysis types that are applied
# Choose from: sshd asterisk mini_httpd
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TYPES="asterisk"

# By default, inbound packets from banned IP addresses will be silently DROP'ed
# As an option, the packets can be REJECT'ed instead of being DROP'ed
# Define ADAPTIVE_BAN_REJECT=1 for an ICMP error message to be returned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_REJECT=1

# By default, INTERNAL (LAN) networks will be whitelisted against banning
# As an option, this automatic whitelisting can be disabled
# Define ADAPTIVE_BAN_WHITELIST_INTERNAL=0 to disable INTERNAL whitelisting
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST_INTERNAL=1

# Whitelist Hosts
# A list of IP addresses whose traffic will never be banned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST=""
--- snip ---
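The settings above describe the fail2ban technique in terms of its knobs: a log file, an interval, a failure count, analysis types and two whitelists. The following is an added example, not the plugin's own code, that shows one iteration of that analysis for the sshd type over a constructed log sample: it counts failed logins per source address and prints the addresses that reached ADAPTIVE_BAN_COUNT, skipping hosts on ADAPTIVE_BAN_WHITELIST and, when ADAPTIVE_BAN_WHITELIST_INTERNAL=1, the LAN. The real plugin goes on to insert DROP or REJECT rules for those addresses; this example stops at printing them so the selection logic can be checked. The sshd line pattern and the INTERNAL_NET variable are assumptions (the page does not show how the plugin derives the internal networks), and the log lines are constructed.

```shell
#!/bin/sh
# Added example: one pass of fail2ban-style log analysis, as the Adaptive Ban
# plugin's settings describe it. Prints "count ip" for each address that would
# be banned; it does not touch iptables.

ADAPTIVE_BAN_COUNT=6
ADAPTIVE_BAN_WHITELIST="198.51.100.7"
ADAPTIVE_BAN_WHITELIST_INTERNAL=1
INTERNAL_NET="192.168.1.0/24"   # assumed LAN; the plugin takes this from the firewall's own config

# Print "count ip" for every source address with at least $2 failed sshd logins
# in log file $1, skipping addresses listed in $3 (space-separated) and, when $4
# is a CIDR network, addresses inside it.
adaptive_ban_candidates() {
  awk -v limit="$2" -v whitelist="$3" -v internal="$4" '
    function ip2n(ip,  a) { split(ip, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    # CIDR test without bit operators: compare the network bits by integer division
    function in_net(ip, cidr,  p, shift) {
      if (cidr == "") return 0
      split(cidr, p, "/")
      shift = 2 ^ (32 - p[2])
      return int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)
    }
    BEGIN { n = split(whitelist, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    # sshd failure lines: "... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2"
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || (ip in white) || in_net(ip, internal)) next
      fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
  ' "$1" | sort -k2
}

# Print $2 constructed sshd failure lines (syslog format) for source address $1.
emit_failures() {
  i=0
  while [ "$i" -lt "$2" ]; do
    echo "Mar  3 10:0$i:00 host sshd[$((1000 + i))]: Failed password for root from $1 port $((40000 + i)) ssh2"
    i=$((i + 1))
  done
}

# Constructed log sample (not from a real host), written to a temp file.
sample_log() {
  f=$(mktemp)
  {
    emit_failures 203.0.113.5 6      # reaches ADAPTIVE_BAN_COUNT: ban
    emit_failures 203.0.113.9 3      # below the limit: no ban
    emit_failures 198.51.100.7 7     # on ADAPTIVE_BAN_WHITELIST: never banned
    emit_failures 192.168.1.20 8     # inside INTERNAL_NET: skipped when WHITELIST_INTERNAL=1
    echo "Mar  3 10:09:00 host sshd[2000]: Accepted publickey for ops from 203.0.113.9 port 41000 ssh2"
  } > "$f"
  echo "$f"
}

log=$(sample_log)
if [ "$ADAPTIVE_BAN_WHITELIST_INTERNAL" -eq 1 ]; then skip_net=$INTERNAL_NET; else skip_net=""; fi
adaptive_ban_candidates "$log" "$ADAPTIVE_BAN_COUNT" "$ADAPTIVE_BAN_WHITELIST" "$skip_net"
rm -f "$log"
```

With the settings as given, only 203.0.113.5 is printed: 198.51.100.7 has more failures but is whitelisted, and 192.168.1.20 is internal. Setting ADAPTIVE_BAN_WHITELIST_INTERNAL=0 adds the internal host, which is the trade-off the plugin's comment on that option describes.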