# Firewall Script?

## Carrion

Hi again,

I was just wondering if there's a firewall script or anything that can be used for Gentoo to prevent intruders in a public network, like a Starbucks or other places (my own university's library is one I'm very paranoid of).

Please note: I am a paranoid person when it comes to computer security (but nothing else really).

----------

## Goverp

If I understand correctly, UFW comes with a default configuration to do that, and looks pretty simple to open services if you need to.

That said, I installed it, and it appeared to be blocking outgoing connections as well as incoming, which was a bit too secure. I obviously don't understand correctly, and have not had time to sort it out.

----------

## Bones McCracker

There are lots of packages that help you build and maintain a firewall.

http://gpo.zugaina.org/net-firewall

A couple of those that might be good for you are 'firehol' and 'ufw'.

You might enjoy building your own, though, in iptables (which is the userspace program for directly configuring netfilter).  Building your own will teach you a lot.  You can google for information about iptables.  You can find some gentoo specific stuff as well.

----------

## Carrion

Thank you both for introducing me to UFW. It does seem to be quite complex but at the same time it seems to be a very strong firewall.

I was actually wondering if netfilter.org is possible to use as a firewall generator (technically iptables). I am still new to the concept of networking so I'm sorry if I seem like a clumsy oaf.

----------

## Bones McCracker

Yes, that's what I meant above about iptables.

Iptables is the user interface to netfilter, which is part of the kernel.  Most people just refer to using netfilter as using iptables, though.

You can enter iptables commands directly at the command prompt, or you can write a script (which is useful because it takes numerous iptables commands to properly set up a firewall).  Individual iptables commands tell netfilter things like "let in traffic to port 12345" and "don't let any other traffic in".

Then, when you start up your computer, your iptables script runs and sets up netfilter for you.  However, iptables can also save the set of rules that are currently running, and iptables can load a set of rules that have been previously saved.  So, once you've built a set of iptables rules, you really don't need an 'iptables' script, other than to tell iptables to load the saved rules when the computer starts.

Scripts that run when you start your computer are 'init-scripts', and on Gentoo, they're found in /etc/init.d/.  When you emerge iptables, such a script is installed for you, at /etc/init.d/iptables.  That initscript will load whatever iptables rules have been saved.  This setup kind of assumes you have built your own iptables rules, like you are talking about.

So you can go that route, and just learn a little about iptables first.  It's pretty easy if you understand basic networking stuff, and if you don't, it's a good way to learn.  There are numerous iptables tutorials, and there are several gentoo-related iptables tutorials and howtos.  You can find these by googling.

You can probably also find a simple script that somebody else has written to provide a simple firewall for a host (as opposed to a firewall for a network, which would typically run on a router).  Then, you can explore that, figure it out, tinker with it, and later modify or expand it as needed.

Most of the other firewall tools for linux, such as firehol, ufw, shorewall, and the like, simply produce a firewall script for you (one that includes all of the individual iptables commands).  The basic idea of such tools is to provide a simpler interface.  You fill out some kind of configuration file(s) that they think are easier to work with than actual iptables rules.  Then, their program converts the config files into a script of actual iptables commands.  You run that script, and the rules are loaded.

Some of these tools will come with their own initscript for loading and saving the rules.  Or, once the rules are loaded, you can just use the iptables initscript provided by Gentoo to load them when you boot up (and optionally, to save them again each time when you shut down, which is useful if you frequently make changes).

Some of these tools are simple, and some are powerful.  For starters, and just for securing an individual laptop or desktop, you probably want simple.

However, even the simplest do require some level of understanding of networking and firewalls.  The best way to get that is to read a bunch of tutorials about iptables and experiment with making your own simple firewall.  Once you've got the basics down, you might then want to use one of these other tools.

Other people will offer various views on this and recommend their favorite tools, and my suggestions here are just one opinion.  Have fun!
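The "saved rules" route described above, as an added example that is not from this thread or the Gentoo wiki: a shell function that emits a stateful host ruleset in the iptables-save format that iptables-restore (and Gentoo's /etc/init.d/iptables) loads, with a default-DROP INPUT policy so nothing not listed is reachable from a public network. The save-file path, the use of conntrack matching and the assumed port arguments are assumptions; generating the file needs no privileges, loading it needs root.

```bash
#!/bin/sh
# Added example: emit an IPv4 host firewall ruleset in iptables-save format.
# Arguments: TCP ports to accept new connections on (none = accept none).
gen_host_rules() {
    for port in "$@"; do                      # validate before printing anything
        case "$port" in
            ''|*[!0-9]*) echo "gen_host_rules: bad port '$port'" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "gen_host_rules: port out of range '$port'" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Write the ruleset where the Gentoo init script is assumed to look for it
# (IPTABLES_SAVE in /etc/conf.d/iptables) and load it. Needs root; ip6tables
# keeps a separate ruleset and needs the same treatment for IPv6.
install_host_rules() {
    rules_file=${IPTABLES_SAVE_FILE:-/var/lib/iptables/rules-save}
    gen_host_rules "$@" > "$rules_file" || return 1
    iptables-restore < "$rules_file"
    # afterwards: rc-update add iptables default
}
```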

----------

## mimosinnet

*BoneKracker wrote:*

> You might enjoy building your own, though, in iptables (which is the userspace program for directly configuring netfilter).  Building your own will teach you a lot.  You can google for information about iptables.  You can find some gentoo specific stuff as well.

I very much agree. I used shorewall for some time. The problem was, as BoneKracker points out, that I was not understanding what shorewall was doing. After moving to gentoo I found this script in the gentoo wiki. The article not only gives you the script, but also explains in detail how the script is built. I have successfully adapted this script to different machines, including laptops and servers.

Cheers!

----------

## Carrion

I'm reading the Gentoo-wiki article now. It is very helpful, and thank you both again.

----------

## gringo

Arno's firewall script is nice too and it is available in portage as net-firewall/arno-iptables-firewall.

cheers

----------

## mimosinnet

*Carrion wrote:*

> I'm reading the Gentoo-wiki article now. It is very helpful, and thank you both again.

I have found that article very helpful in learning how to design rules, and I have moved the original article from the old wiki to this new one. Please, let me know if there is something that is not clear or could be improved.

Cheers!

----------

## Bones McCracker

It's good to start with a simple script that is understandable.

----------

## cach0rr0

*BoneKracker wrote:*

> It's good to start with a simple script that is understandable.

++

Something as simple as this is more than enough to build on:

```bash
#!/bin/bash

echo "Starting....."

echo "flush all chains"
iptables -F

# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# uncomment these two to allow ping (type 0 = echo-reply, type 8 = echo-request)
# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow local (loopback) traffic
iptables -A INPUT -i lo -j ACCEPT

# only these are open to the world. Uncomment and duplicate to add allowed inbound ports
#iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Drop everything arriving on eth0 not explicitly allowed above
# (other interfaces fall through to the INPUT policy set earlier)
iptables -A INPUT -i eth0 -j DROP

echo "Finished..."
```

that's what, 6, 7 meaningful lines of stuff?

----------

## Goverp

To wake an earlier part of this thread:

*Goverp wrote:*

> ... UFW comes with a default configuration ...
>
> That said, I installed it, and it appeared to be blocking outgoing connections as well as incoming, which was a bit too secure ...

I've sorted out what was wrong.  Not surprisingly, UFW requires several kernel netfilter modules.

The kernel configuration flag NETFILTER_XT_MATCH_ADDRTYPE  changed at version 2.6.39.  The UFW ebuild checked the required flags when I installed it against 2.6.38 or thereabouts, but moving to kernel 3 broke it silently.  Reinstalling UFW generated the appropriate setup error, and now I've fixed the kernel config, UFW works as expected.  I'm using the default rule set, allow outbound, deny inbound.  Job done.
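The failure mode above (the ebuild checks the kernel config only at emerge time, so a later kernel upgrade breaks the firewall silently) is easy to re-check by hand. Added example, not from the thread or from UFW: a function that reports which netfilter options are neither built in (=y) nor modular (=m) in a kernel .config. The /proc/config.gz and /usr/src/linux/.config paths and the option names passed by the caller are assumptions; the sample config in the test is constructed.

```bash
#!/bin/sh
# Added example: check that every named kernel option is =y or =m in a config.
# Usage: check_kconfig CONFIG_FILE OPTION...  (CONFIG_ prefix optional)
# Prints each missing option on stdout; returns 1 if any is missing.
check_kconfig() {
    cfg=$1; shift
    [ -r "$cfg" ] || { echo "check_kconfig: cannot read $cfg" >&2; return 2; }
    missing=0
    for opt in "$@"; do
        opt=${opt#CONFIG_}
        # "# CONFIG_FOO is not set" or an absent line both count as missing
        if ! grep -Eq "^CONFIG_${opt}=(y|m)\$" "$cfg"; then
            echo "$opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Check the running kernel: /proc/config.gz if the kernel exports it
# (CONFIG_IKCONFIG_PROC), otherwise the sources' .config (path assumed).
check_running_kconfig() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 2
        zcat /proc/config.gz > "$tmp"
        check_kconfig "$tmp" "$@"; rc=$?
        rm -f "$tmp"
        return $rc
    fi
    check_kconfig /usr/src/linux/.config "$@"
}

# e.g. after a kernel upgrade, before trusting the firewall:
#   check_running_kconfig NETFILTER_XT_MATCH_ADDRTYPE || echo "rebuild kernel/UFW"
```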

----------

