Introduction

What is ipkungfu?

Ipkungfu is an iptables-based Linux firewall. The primary design goals are security, ease of use, and performance, in that order. It takes advantage of advanced features of iptables and the Linux kernel. Ipkungfu can handle a wide array of configurations, and supports Internet connection sharing, multiple virtual hosts, IP forwarding, IP masquerading, configurable logging, string matching and much more. It is designed with both the novice and the expert in mind with its simple configuration interface.

who should use ipkungfu?

Anyone who wishes to simplify the creation of an iptables-based firewall. Additionally, anyone who would like a simple method of configuring a Linux machine to share its Internet connection.

How does it work?

It takes configuration directives from the files in /etc/ipkungfu and uses them, along with some information gathered from your system, to build a firewall using iptables and sysctl. It is primarily an interface to iptables. which in turn is an interface to the Linux kernel's netfilter code.

Firewall Setup

Install

Install IpKungfu (make sure you have the universe repositories enabled) 

sudo apt-get install ipkungfu

Configuration File

Edit /etc/ipkungfu/ipkungfu.conf according to your needs. 

sudo nano -w /etc/ipkungfu/ipkungfu.conf

I edited the contents to look like this... 

# Please read the README and FAQ for more information

# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.
#PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.
#EXT_NET="eth0"
#EXT_NET="eth1"
#EXT_NET="ppp0"

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put "lo"
# here. Default is auto-detected.
#INT_NET="eth0"
#INT_NET="eth1"
#INT_NET="lo"

# IP Range of your internal network. Use "127.0.0.1"
# for a standalone machine. Default is a reasonable
# guess.
LOCAL_NET="192.168.1.0/255.255.255.0"

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
GATEWAY=1

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. Default is none.
# ALLOWED_TCP_IN="21 22"

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
#ALLOWED_UDP_IN=""

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
FORBIDDEN_PORTS="135 137 139"

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.
BLOCK_PINGS=1

# Possible values here are "DROP", "REJECT", or "MIRROR"
#
# "DROP" means your computer will not respond at all. "Stealth mode"
#
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
#
# "MIRROR", if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
#
# The safest option, and the default in each case,, is "DROP". Don't change
# unless you fully understand this.

# What to do with 'probably malicious' packets
#SUSPECT="REJECT"
SUSPECT="DROP"

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
#KNOWN_BAD="REJECT"
KNOWN_BAD="DROP"

# What to do with port scans
#PORT_SCAN="REJECT"
PORT_SCAN="DROP"

# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup. "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# "NONE".
#GET_IP="NONE"
#GET_IP="AUTO"
#GET_IP="128.238.244.16"

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.
#DONT_DROP_IDENTD=0

# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.
#DISALLOW_PRIVATE=1

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.
#WAIT_SECONDS=5

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with --failsafe. Default is 0.
#FAILSAFE=0

This conf file could be left in the default state e.g. zero configuration "out of the box" setup and ipkungfu will try and guess the correct firewall setup. Chances are that you will need to manually configure this file.

In this example the file has been manually configured: 

Gateway 
Local_Net 
Block_Pings

and uncommented 

Suspect
Known_Bad 
Port Scan

settings to DROP.

Port Forward

Redirect ports on the Host machine. Format is: 

protocol:originalport:newport[:direction]

where direction is internal or external and is optional. Should traffic coming from the internal network be affected (internal) or traffic from the internet (external)? Leave empty to apply to all traffic.

To forward port 80 requests to the squid proxy server port, I opened /etc/ipkungfu/redirect.conf: 

sudo nano -w /etc/ipkungfu/redirect.conf

...and changed the line 

#tcp:80:3128:internal # transparent squid proxy

to 

tcp:80:3128:internal # transparent squid proxy

Enable on Reboot

To start ipkungfu everytime the computer boots up, I opened /etc/default/ipkungfu: 

sudo nano -w /etc/default/ipkungfu

... and change the line "IPKFSTART = 0" to "IPKFSTART=1".

Enable Configuration

sudo ipkungfu

Testing Firewall

I tested the firewall with the ShieldsUp test at grc.com and it passed with flying colors. 

https://www.grc.com

I also tested transparent squid proxy by taking a peek at /var/log/squid/access.log... 

sudo tail -f /var/log/squid/access.log

...and there I saw all PCs in our LAN browsing the net, without them knowing that they were actually proxied.

That's it! I have a firewall and router, I was able to forward port 80 requests to the squid proxy server, and I was able to make ipkungfu ran on bootups!

Documenation

The ReadMe and FAQ can be found at 

/usr/share/doc/ipkungfu

Manual

IPKungFu man page available after installation 

man ipkungfu

Command line options

        -t or --test
                Test the configuration, listing some of the optional kernel
                support installed, the interfaces in use, IP addresses,
                whether or not you have chosen IP forwarding, IP masquerading,
                subnet and ports you have chosen to allow.

        -d or --disable
                Disables the firewall and sets the default policies back to
                ACCEPT. Internet connection sharing is not disabled.

        -h or --help
                Displays all options available to ipkungfu.

        -v or --version
                Displays the version number of ipkungfu and exits.

        -l or --list
                Displays the iptables rule sets and exits.

        -c or --check
                Check to see if ipkungfu is loaded and display if it is in
                disable mode or panic mode if either.

        -f or --flush
                Flush all iptables rules and delete custom chains.  This
                completely takes down the firewall, and will also disable
                Internet connection sharing.

        --panic
                Panic mode. All internal and external access is denied. Nothing
                is allowed, in or out.

        --quiet
                Runs ipkungfu with no standard output.

        --show-vars
                Shows main configuration options (whether specified or
                auto detected) and exits.

        --failsafe
                If ipkungfu fails, default policy for all builtin chains will
                revert to ACCEPT.  This essentially means the firewall will be
                disabled if it fails.  This is useful for working with ipkungfu
                remotely, to prevent loss of access to the machine.

        --no-caching
                As of version 0.6.0, ipkungfu now supports rules caching support
                which in case rules haven't changed, will make ipkungfu load way
                faster. Passing this argument disables this feature.

Configuration files

 There are several configuration files, each one corresponding to a specific
 function or set of functions.
 Advanced users or those with more complex networks will want to edit most or
 all of these files. They are located in /etc/ipkungfu/ and are:

   accept_hosts.conf : IP addresses of hosts or nets to always ACCEPT and
   optionally the ports they are allowed to access

   advanced.conf : Configuration settings for advanced users.

   custom.conf : Here you will find sample rules several sample rules already
   predefined.  This is where you would add any custom rules you want applied
   to your firewall.  This file is parsed first, before any other rules are
   added by ipkungfu, to ensure that none of ipkungfu's rules override the
   rules in this file.

   deny_hosts.conf : You can list IP addresses/subnets:ports:protocols you wish
   to block completely.  This file is parsed before accept_hosts.conf and takes
   precedence over it.

   ipkungfu.conf : This is the main configuration file.  Edit this file, if
   nothing else.  For most people, this is the only file that needs to be
   edited to set up a decent firewall, with or without Internet connection
   sharing.
   WARNING: ALLOW_TCP_IN and ALLOW_UDP_IN are now deprecated and mantained only
   for backward compatability. Now use services.conf.

   log.conf : This file specifies what the firewall will log and the rate at
   which it is logged. By default, nearly all dropped packets are logged.
   To turn logging off on a particular item, change the 1 (log) to a
   0 (don't log). The default location of the log on most systems is
   /var/log/syslog.  Consult your syslogd configuration to find out where
   kernel logs are stored.

   redirect.conf : Use this file to specify where certain traffic should be
   routed on the SAME machine. If you want to redirect ports that come in on
   one port, and should go to another, set them up here. There is a single
   entry here that is commented out by default- tcp:443:10000 which
   redirects incoming https traffic on port 443 to webmin on port 10000.
   Please see the file for more information.

   vhosts.conf : If you have virtual hosts, (servers on machines behind your
   gateway), define the routing rules here.  This file makes it possible to
   have servers behind the firewall, with private IP addresses, accessible
   from the Internet.

   pre.conf : This is parsed and executed as a bash script prior to running
   ipkungfu.

   post.conf : This is parsed and executed as a bash script after ipkungfu
   has completed execution.

   services.conf : Here you keep all of your rules previously defined in
   ipkungfu.conf as ALLOW_TCP_IN and ALLOW_UDP_IN, plus more. Edit the file,
   it's self explanatory.

Manually editing files

 Most people, especially those with very simple configurations, will only
 need to edit /etc/ipkungfu/ipkungfu.conf if anything at all.  As of 0.5.1
 ipkungfu does a lot of detecting and guessing for the main configuration
 parameters unless you specify their values in ipkungfu.conf.  This should
 work for most people.  To go over the list of variables as ipkungfu
 knows them, run ipkungfu --show-vars.  If anything looks wrong, edit the
 appropriate configuration file accordingly.

 A "#" is a comment. When a line begins with #, the whole line is ignored. If
 you want enable an option in a configuration file that is commented out,
 simply remove the leading #. If you wish to remove an option, place a #
 in front of that line.

 Note that anytime you edit a configuration file, you MUST rerun the script
 as outlined below in order for changes to take effect.

Running the script

 Now that you have ipkungfu configured, you must run the ipkungfu script as
 root to enable the firewall.

        /usr/local/sbin/ipkungfu
        
        or, if /usr/local/sbin is in your PATH, simply

        ipkungfu

        or, if your system is chkconfig-compatible, try

        /etc/init.d/ipkungfu start

        or

        /etc/rc.d/init.d/ipkungfu start

        
 You should see several lines explaining what is being done,
 unless you started ipkungfu using the init script.

 If you would like ipkungfu to start at boot time, and your system is
 chkconfig compatable, then do (as root)

        chkconfig --level 2345 ipkungfu on

  This turns ipkungfu on for runlevels 2, 3, 4 and 5. Put whatever levels you
  like, with the obvious exceptions of levels 0, 1 or 6.

 
 That's it! You can check to verify that the firewall is loaded:

        ipkungfu -c or --check

 You can also check to see if the firewall is running by

        ipkungfu -l or --list
        
 You should see several lines or pages of chains and rules.
 If you only see a few lines, or an error message, then the firewall
 is probably not enabled.

 Any time you make a change to any of your configuration files, you MUST run
 ipkungfu again for your changes to take effect.

Troubleshooting

 Most problems can be resolved by checking your settings in your configuration 
 files.
 Many users overlook certain settings, so you may want to double-check them to 
 be sure.
 Remember to run ipkungfu again (/usr/local/sbin/ipkungfu) after making any 
 changes to the configuration files (located in /etc/ipkungfu/).
 Please see the FAQ for more troubleshooting issues and resolutions. If all 
 else fails, you can ask for help via IRC at: irc.freenode.net channel
 #ipkungfu, or use the users mailing list show on the top of this document.

Authors

  • Rocco Stanzione's
  • David Asuncion Gerona, Tarlac, Philippines
  • fishfillet (Ubuntu fourm)

References

firewall/ipkungfu (last edited 2009-04-30 21:52:37 by adsl190-027000006)