What is ipkungfu?
Ipkungfu is an iptables-based Linux firewall. The primary design goals are security, ease of use, and performance, in that order. It takes advantage of advanced features of iptables and the Linux kernel. Ipkungfu can handle a wide array of configurations, and supports Internet connection sharing, multiple virtual hosts, IP forwarding, IP masquerading, configurable logging, string matching and much more. It is designed with both the novice and the expert in mind with its simple configuration interface.
who should use ipkungfu?
Anyone who wishes to simplify the creation of an iptables-based firewall. Additionally, anyone who would like a simple method of configuring a Linux machine to share its Internet connection.
How does it work?
It takes configuration directives from the files in /etc/ipkungfu and uses them, along with some information gathered from your system, to build a firewall using iptables and sysctl. It is primarily an interface to iptables. which in turn is an interface to the Linux kernel's netfilter code.
Install IpKungfu (make sure you have the universe repositories enabled)
sudo apt-get install ipkungfu
Edit /etc/ipkungfu/ipkungfu.conf according to your needs.
sudo nano -w /etc/ipkungfu/ipkungfu.conf
I edited the contents to look like this...
# Please read the README and FAQ for more information # Some distros (most notably Redhat) don't have # everything we need in $PATH so we specify it here. # Make sure modprobe, iptables, and route are here, # as well as ordinary items such as echo and grep. # Default is as shown in the example below. #PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin # Your external interface # This is the one that connects to the internet. # Ipkungfu will detect this if you don't specify. #EXT_NET="eth0" #EXT_NET="eth1" #EXT_NET="ppp0" # Your internal interfaces, if any. If you have more # than 1 internal interface, separate them with # spaces. If you only have one interface, put "lo" # here. Default is auto-detected. #INT_NET="eth0" #INT_NET="eth1" #INT_NET="lo" # IP Range of your internal network. Use "127.0.0.1" # for a standalone machine. Default is a reasonable # guess. LOCAL_NET="192.168.1.0/255.255.255.0" # Set this to 0 for a standalone machine, or 1 for # a gateway device to share an Internet connection. # Default is 1. GATEWAY=1 # TCP ports you want to allow for incoming traffic # Don't add ports here that you intend to forward. # This should be a list of tcp ports that have # servers listening on them on THIS machine, # separated by spaces. Default is none. # ALLOWED_TCP_IN="21 22" # UDP ports to allow for incoming traffic # See the comments above for ALLOWED_TCP_IN #ALLOWED_UDP_IN="" # Temporarily block future connection attempts from an # IP that hits these ports (If module is present) FORBIDDEN_PORTS="135 137 139" # Drop all ping packets? # Set to 1 for yes, 0 for no. Default is no. BLOCK_PINGS=1 # Possible values here are "DROP", "REJECT", or "MIRROR" # # "DROP" means your computer will not respond at all. "Stealth mode" # # "REJECT" means your computer will respond with a # message that the packet was rejected. # # "MIRROR", if your kernel supports it, will swap the source and # destination IP addresses, and send the offending packet back # where it came from. USE WITH EXTREME CAUTION! Only use this if you fully # understand the consequences. # # The safest option, and the default in each case,, is "DROP". Don't change # unless you fully understand this. # What to do with 'probably malicious' packets #SUSPECT="REJECT" SUSPECT="DROP" # What to do with obviously invalid traffic # This is also the action for FORBIDDEN_PORTS #KNOWN_BAD="REJECT" KNOWN_BAD="DROP" # What to do with port scans #PORT_SCAN="REJECT" PORT_SCAN="DROP" # How should ipkungfu determine your IP address? The default # answer, "NONE", will cause ipkungfu to not use the few # features that require it to know your external IP address. # This option is good for dialup users who run ipkungfu on # bootup, since dialup users rarely use the features that # require this, and the IP address for a dialup connection # generally isn't known at bootup. "AUTO" will cause # ipkungfu to automatically determine the IP address of # $EXT_NET when it is started. If you have a static IP # address you can simply enter your IP address here. # If you do port forwarding and your ISP changes your IP # address, choose NONE here, or your port forwarding # will break when your IP address changes. Default is # "NONE". #GET_IP="NONE" #GET_IP="AUTO" #GET_IP="126.96.36.199" # If the target for identd (113/tcp) is DROP, it can take # a long time to connect to some IRC servers. Set this to # 1 to speed up these connections with a negligible cost # to security. Identd probes will be rejected with the # 'reject-with-tcp-reset' option to close the connection # gracefully. If you want to actually allow ident probes, # and you're running an identd, and you've allowed port # 113 in ALLOWED_TCP_IN, set this to 0. Default is 0. #DONT_DROP_IDENTD=0 # Set this to 0 if you're running ipkungfu on a machine # inside your LAN. This will cause private IP addresses # coming in on $EXT_NET to be identified as a spoof, # which would be inaccurate on intra-LAN traffic # This will cause private IP addresses coming in on # $EXT_NET to be identified as a spoof. Default is 1. #DISALLOW_PRIVATE=1 # For reasons unknown to me, ipkungfu sometimes causes # kernel panics when run at init time. This is my # attempt to work around that. Ipkungfu will wait # the specified number of seconds before starting, to # let userspace/kernel traffic catch up before executing. # Default is 0. #WAIT_SECONDS=5 # This option, if enabled, will cause ipkungfu to set # the default policy on all builtin chains in the filter # table to ACCEPT in the event of a failure. This is # intended for remote administrators who may be locked # out of the firewall if ipkungfu fails. A warning to # this effect will be echoed so that the situation can be # rectified quickly. This is the same as running # ipkungfu with --failsafe. Default is 0. #FAILSAFE=0
This conf file could be left in the default state e.g. zero configuration "out of the box" setup and ipkungfu will try and guess the correct firewall setup. Chances are that you will need to manually configure this file.
In this example the file has been manually configured:
Gateway Local_Net Block_Pings
Suspect Known_Bad Port Scan
settings to DROP.
Redirect ports on the Host machine. Format is:
where direction is internal or external and is optional. Should traffic coming from the internal network be affected (internal) or traffic from the internet (external)? Leave empty to apply to all traffic.
To forward port 80 requests to the squid proxy server port, I opened /etc/ipkungfu/redirect.conf:
sudo nano -w /etc/ipkungfu/redirect.conf
...and changed the line
#tcp:80:3128:internal # transparent squid proxy
tcp:80:3128:internal # transparent squid proxy
Enable on Reboot
To start ipkungfu everytime the computer boots up, I opened /etc/default/ipkungfu:
sudo nano -w /etc/default/ipkungfu
... and change the line "IPKFSTART = 0" to "IPKFSTART=1".
I tested the firewall with the ShieldsUp test at grc.com and it passed with flying colors.
I also tested transparent squid proxy by taking a peek at /var/log/squid/access.log...
sudo tail -f /var/log/squid/access.log
...and there I saw all PCs in our LAN browsing the net, without them knowing that they were actually proxied.
That's it! I have a firewall and router, I was able to forward port 80 requests to the squid proxy server, and I was able to make ipkungfu ran on bootups!
The ReadMe and FAQ can be found at
IPKungFu man page available after installation
Command line options
-t or --test Test the configuration, listing some of the optional kernel support installed, the interfaces in use, IP addresses, whether or not you have chosen IP forwarding, IP masquerading, subnet and ports you have chosen to allow. -d or --disable Disables the firewall and sets the default policies back to ACCEPT. Internet connection sharing is not disabled. -h or --help Displays all options available to ipkungfu. -v or --version Displays the version number of ipkungfu and exits. -l or --list Displays the iptables rule sets and exits. -c or --check Check to see if ipkungfu is loaded and display if it is in disable mode or panic mode if either. -f or --flush Flush all iptables rules and delete custom chains. This completely takes down the firewall, and will also disable Internet connection sharing. --panic Panic mode. All internal and external access is denied. Nothing is allowed, in or out. --quiet Runs ipkungfu with no standard output. --show-vars Shows main configuration options (whether specified or auto detected) and exits. --failsafe If ipkungfu fails, default policy for all builtin chains will revert to ACCEPT. This essentially means the firewall will be disabled if it fails. This is useful for working with ipkungfu remotely, to prevent loss of access to the machine. --no-caching As of version 0.6.0, ipkungfu now supports rules caching support which in case rules haven't changed, will make ipkungfu load way faster. Passing this argument disables this feature.
There are several configuration files, each one corresponding to a specific function or set of functions. Advanced users or those with more complex networks will want to edit most or all of these files. They are located in /etc/ipkungfu/ and are: accept_hosts.conf : IP addresses of hosts or nets to always ACCEPT and optionally the ports they are allowed to access advanced.conf : Configuration settings for advanced users. custom.conf : Here you will find sample rules several sample rules already predefined. This is where you would add any custom rules you want applied to your firewall. This file is parsed first, before any other rules are added by ipkungfu, to ensure that none of ipkungfu's rules override the rules in this file. deny_hosts.conf : You can list IP addresses/subnets:ports:protocols you wish to block completely. This file is parsed before accept_hosts.conf and takes precedence over it. ipkungfu.conf : This is the main configuration file. Edit this file, if nothing else. For most people, this is the only file that needs to be edited to set up a decent firewall, with or without Internet connection sharing. WARNING: ALLOW_TCP_IN and ALLOW_UDP_IN are now deprecated and mantained only for backward compatability. Now use services.conf. log.conf : This file specifies what the firewall will log and the rate at which it is logged. By default, nearly all dropped packets are logged. To turn logging off on a particular item, change the 1 (log) to a 0 (don't log). The default location of the log on most systems is /var/log/syslog. Consult your syslogd configuration to find out where kernel logs are stored. redirect.conf : Use this file to specify where certain traffic should be routed on the SAME machine. If you want to redirect ports that come in on one port, and should go to another, set them up here. There is a single entry here that is commented out by default- tcp:443:10000 which redirects incoming https traffic on port 443 to webmin on port 10000. Please see the file for more information. vhosts.conf : If you have virtual hosts, (servers on machines behind your gateway), define the routing rules here. This file makes it possible to have servers behind the firewall, with private IP addresses, accessible from the Internet. pre.conf : This is parsed and executed as a bash script prior to running ipkungfu. post.conf : This is parsed and executed as a bash script after ipkungfu has completed execution. services.conf : Here you keep all of your rules previously defined in ipkungfu.conf as ALLOW_TCP_IN and ALLOW_UDP_IN, plus more. Edit the file, it's self explanatory.
Manually editing files
Most people, especially those with very simple configurations, will only need to edit /etc/ipkungfu/ipkungfu.conf if anything at all. As of 0.5.1 ipkungfu does a lot of detecting and guessing for the main configuration parameters unless you specify their values in ipkungfu.conf. This should work for most people. To go over the list of variables as ipkungfu knows them, run ipkungfu --show-vars. If anything looks wrong, edit the appropriate configuration file accordingly. A "#" is a comment. When a line begins with #, the whole line is ignored. If you want enable an option in a configuration file that is commented out, simply remove the leading #. If you wish to remove an option, place a # in front of that line. Note that anytime you edit a configuration file, you MUST rerun the script as outlined below in order for changes to take effect.
Running the script
Now that you have ipkungfu configured, you must run the ipkungfu script as root to enable the firewall. /usr/local/sbin/ipkungfu or, if /usr/local/sbin is in your PATH, simply ipkungfu or, if your system is chkconfig-compatible, try /etc/init.d/ipkungfu start or /etc/rc.d/init.d/ipkungfu start You should see several lines explaining what is being done, unless you started ipkungfu using the init script. If you would like ipkungfu to start at boot time, and your system is chkconfig compatable, then do (as root) chkconfig --level 2345 ipkungfu on This turns ipkungfu on for runlevels 2, 3, 4 and 5. Put whatever levels you like, with the obvious exceptions of levels 0, 1 or 6. That's it! You can check to verify that the firewall is loaded: ipkungfu -c or --check You can also check to see if the firewall is running by ipkungfu -l or --list You should see several lines or pages of chains and rules. If you only see a few lines, or an error message, then the firewall is probably not enabled. Any time you make a change to any of your configuration files, you MUST run ipkungfu again for your changes to take effect.
Most problems can be resolved by checking your settings in your configuration files. Many users overlook certain settings, so you may want to double-check them to be sure. Remember to run ipkungfu again (/usr/local/sbin/ipkungfu) after making any changes to the configuration files (located in /etc/ipkungfu/). Please see the FAQ for more troubleshooting issues and resolutions. If all else fails, you can ask for help via IRC at: irc.freenode.net channel #ipkungfu, or use the users mailing list show on the top of this document.
- Rocco Stanzione's
- David Asuncion Gerona, Tarlac, Philippines
- fishfillet (Ubuntu fourm)