# Pietinger's Privoxy and "Personal Firewall" Guide

## Ralphred

Translated from pietinger's post in German here. 

Even in the "wrong language for me" it was easier to follow than the nebulous info searches returned.

(This post is part of an installation guide. If you haven't already done so, please read: Installation Guide for Paranoid Dummies)

B.1 Firewall and proxy server (iptables / privoxy)

Most people "only" use a firewall to protect themselves from "outside". This makes sense in any case and is usually necessary. Yes, today's (private) DSL routers also have a FW integrated, which is usually already activated by default. You can see this quickly when you look at the log of your own FW and don't see a single DROP for days, although we all know how many port scans are running continuously. Only - I don't trust a TeleKom Huawei key. In addition, the configuration for protection against the evil Internet is still the simplest part, even if you have to open one or two ports for a server.

Very few use a FW to protect themselves from the enemy "inside" - programs that want to "call home". In this post I will provide the necessary configuration steps for both. But I'll start with the proxy server. Why? Because then the FW is configured in such a way that only the proxy is allowed to visit external web pages. In other words, every program that tries to access the Internet directly via port 80 or 443 is rejected (and logged). The proxy itself can also log all of the pages it visits. There are different proxy servers; I've been using the "Privoxy" for years - because it's simple and only does what I want: to protect myself a little from bad websites. If you want a different proxy (like the squid), use this one. But without a proxy, all of the filtering of outgoing traffic makes no sense, because a "bad" program can then get out via port 443 at any time and you will not notice it. Without a proxy, your FW only protects you from traffic from the Internet.

I. Install and configure Privoxy

See also: https://wiki.gentoo.org/wiki/Privoxy

```
# emerge -avD privoxy
# rc-update add privoxy default
# nano -w /etc/env.d/99myproxy
=>
export http_proxy="http://127.0.0.1:8118"
export https_proxy="http://127.0.0.1:8118"
<=
# env-update
# grep privoxy /etc/passwd
-> note the privoxy UID for later
```

Unfortunately, privoxy is very tame and forgiving with its default configuration. No wonder, only the lowest level of filtering is active. Therefore it has to be made more "aggressive" (at least slightly angry). To do this, a part of the file /etc/privoxy/default.action must be copied to the /etc/privoxy/match-all.action file.

```
grep "# Medium settings" -B2 -A59 /etc/privoxy/default.action | sed '/^[\+{}a-z]/s/\(.*\)/#\1/g' >> /etc/privoxy/match-all.action
```

If you now look at /etc/privoxy/match-all.action, you will see the default settings, with the Medium settings and Advanced settings commented out underneath. Comment/uncomment the settings of your choice (at least medium).

Now you can/should activate the logging, which is also completely switched off by default in /etc/privoxy/config (search for "The available debug levels are" and use the debug [number] lines underneath to set the "log-level").

If you plan to have a blacklist of sites you want blocked, search for "actionsfile user.action" and add your own "actionsfile blacklist.action" underneath it. Don't forget to `touch /etc/privoxy/blacklist.action` after saving.

Finished. Privoxy can be started immediately with "/etc/init.d/privoxy start".

II. Install and configure iptables

This is a little more effort. First you should have ALL the FW modules enabled in the kernel (and of course also compiled). Commonly, you can only get to all of them when the following is set:

```
Networking support> Networking options> Network packet filtering framework (Netfilter)
[*] Advanced netfilter configuration
```

And it is these "hidden options" that we will need later:

```
Networking support> Networking options> Network packet filtering framework (Netfilter)> Core Netfilter Configuration
[M] "owner" match support
[M] "state" match support
```

How does our firewall work? Very simple: everything is forbidden unless expressly allowed. If you do not operate a server, incoming traffic is only let through when packets belong to an already existing connection; anything that wants to establish a new unsolicited connection will be dropped. As I said, the easiest part.

Unfortunately, we want to call outside as well. We have to allow all of this individually. But don't panic, it's not that much either, as most of it runs through our Privoxy. What else do we need? DNS, email, possibly SSH.

One more word on the subject of "script that activates the FW rules". Some demonize this approach because it is said (under certain circumstances) to be absolutely unsafe. Yes, but not in this - simple - case that I use. If everything is locked first and then, little by little, some things are unlocked, aborting a script (due to typing errors or missing kernel module, for example) is not critical because then nothing is unlocked anymore. If it breaks off at the beginning in the variable definition, the previous FW configuration does not change at all. Oh yes, another hint: /etc/init.d/iptables itself backs up the FW config and loads it automatically when booting. This means that the script only has to be executed once; or run again when you change/add something.

So, let's start now. First, as always, a link:

https://wiki.gentoo.org/wiki/Iptables

```
# emerge -avD iptables
- gather some information for needed services; e.g. ping your email provider
- search for your used DNS server in ->
# less /etc/resolv.conf
- search for your used NTP server in ->
# less /etc/conf.d/ntp-client
- ping all of them to get their IP address
# cd /etc/MY
# nano -w fwrules-big.sh
! copy/paste from below and edit some variables
! if you are unsure comment out some lines with #
- save and exit
# chmod 0700 fwrules-big.sh
# ./fwrules-big.sh
- check if there was an error, then check your new config with ->
# iptables -L -v -n
- don't wait until the next shutdown and save the config right now, with:
# /etc/init.d/iptables save
# rc-update add iptables default
OPT:
# rc-update add sshd default
# lsmod
-> write down the used modules (you already know this from A.2)
```

Before you use this skeleton, you should at least read the meaning of certain parameters with "man iptables" ... and check every single line (you are certainly using different servers than me). Also read what the difference between DROP and REJECT is ...

```
#!/bin/sh
#
# 2017.02.10: Initial FireWall-Script for: big
# 2017.02.15: allow out server wesnoth game
#

### Defines ###
# define general logging
logit="-j LOG --log-prefix "

# define privoxy uid from /etc/passwd
privoxy_uid="--uid-owner [number]"   # change this [number] TO YOUR UID

# define addresses
ip_gw="192.168.2.1"          # My DSL router
ip_dns1="a.b.c.d"            # free dns-server1: xxxxxx
ip_dns2="a.b.c.d"            # free dns-server2: xxxxxx
ip_ntp="192.53.103.108"      # time-server: ptbtime1.ptb.de
ip_hal="192.168.2.3"         # local Notebook hal
ip_guest="192.168.2.101"     # if Notebook boots with dhcp
#ip_dnssec1="185.95.218.42"  # free dns-server: digital society (CH)
#ip_dnssec2="185.95.218.43"  # free dns-server: digital society (CH)

### Basic Settings ###
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### Firewall In ###
# accept some ICMP (or comment out if not desired)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT

# accept SSH IN from notebook hal without logging
iptables -A INPUT -s ${ip_hal} -p tcp --dport 22 -j ACCEPT

# accept and log SSH IN from guest
iptables -A INPUT -s ${ip_guest} -p tcp --dport 22 ${logit} "!!! ACCEPT IN SSH GUEST"
iptables -A INPUT -s ${ip_guest} -p tcp --dport 22 -j ACCEPT

# drop some stuff (if you have WINDOWS in your network) without logging
#iptables -A INPUT -p udp --dport 137 -j DROP # netbios-ns
#iptables -A INPUT -p udp --dport 138 -j DROP # netbios-dgm
#iptables -A INPUT -p udp --dport 67 -j DROP
#iptables -A INPUT -p udp --dport 68 -j DROP
iptables -A INPUT -p 2 -j DROP # stuff from router (protocol 2 = IGMP)

# drop some stuff from dnssec-servers without logging
#iptables -A INPUT -s ${ip_dnssec1} -j DROP
#iptables -A INPUT -s ${ip_dnssec2} -j DROP

# drop some bad sites/ranges without logging
#iptables -A INPUT -s a.b.c.d -j DROP
#iptables -A INPUT -s a.b.c.d/e -j DROP

# log all other
iptables -A INPUT ${logit} "!!! DROP"
# we don't need an extra DROP, because the default policy for INPUT is DROP (see above: "iptables -P INPUT DROP")

### Firewall Out ###
# accept all https / http (maybe we need sometimes http-alt) from privoxy
iptables -A OUTPUT -p tcp --dport 443 -m owner ${privoxy_uid} -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m owner ${privoxy_uid} -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 8080 -m owner ${privoxy_uid} -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 8085 -m owner ${privoxy_uid} -j ACCEPT

# accept dns
iptables -A OUTPUT -d ${ip_dns1} -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d ${ip_dns1} -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -d ${ip_dns2} -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d ${ip_dns2} -p tcp --dport 53 -j ACCEPT

# accept dnssec
#iptables -A OUTPUT -d ${ip_dnssec1} -p tcp --dport 853 -j ACCEPT
#iptables -A OUTPUT -d ${ip_dnssec2} -p tcp --dport 853 -j ACCEPT

# Here you have to edit something
# accept mail
#iptables -A OUTPUT -d a.b.c.d -p tcp --dport 995 -m comment --comment "pop3s" -j ACCEPT
#iptables -A OUTPUT -d a.b.c.d/24 -p tcp --dport 587 -m comment --comment "smtp submit" -j ACCEPT
#iptables -A OUTPUT -d a.b.c.d/24 -p tcp --dport 465 -m comment --comment "smtps" -j ACCEPT

# accept ntp to time-server
iptables -A OUTPUT -d ${ip_ntp} -p udp --dport 123 -j ACCEPT

# accept irc to XXXXXXX
#iptables -A OUTPUT -d a.b.c.d -p tcp --dport 6697 -j ACCEPT

# accept server wesnoth
iptables -A OUTPUT -d 95.217.86.148 -j ACCEPT

# accept pings
iptables -A OUTPUT -p icmp --icmp-type 8/0 ${logit} "!!! ACCEPT OUT PING"
iptables -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT

# accept and log ssh only to my stations in my local network
iptables -A OUTPUT -d 192.168.2.0/24 -p tcp --dport 22 ${logit} "!!! ACCEPT OUT SSH"
iptables -A OUTPUT -d 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT

# accept and log hkp (pgp-key-server)
iptables -A OUTPUT -p tcp --dport 11371 ${logit} "!!! ACCEPT OUT HKP"
iptables -A OUTPUT -p tcp --dport 11371 -j ACCEPT

# accept and log traceroute
iptables -A OUTPUT -p udp --dport 33434:33524 ${logit} "!!! ACCEPT OUT TRCR"
iptables -A OUTPUT -p udp --dport 33434:33524 -j ACCEPT

# accept and log rsync (should be portage from gentoo only)
iptables -A OUTPUT -p tcp --dport 873 ${logit} "!!! ACCEPT OUT RSYNC"
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT

# accept and log whois
iptables -A OUTPUT -p tcp --dport 43 ${logit} "!!! ACCEPT OUT WHOIS"
iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT

#################################################
# for testing only !!!
# accept and log all https
#iptables -A OUTPUT -p tcp --dport 443 ${logit} "!!! ACCEPT OUT ALL HTTPS"
#iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# for testing only !!!
# accept and log all http
#iptables -A OUTPUT -p tcp --dport 80 ${logit} "!!! ACCEPT OUT ALL HTTP"
#iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# for testing only !!!
# accept and log all (don't use !!!)
#iptables -A OUTPUT ${logit} "!!! ACCEPT OUT ALL"
#iptables -A OUTPUT -j ACCEPT
#################################################

# Reject some stuff without logging
#iptables -A OUTPUT -d a.b.c.d -j REJECT
#iptables -A OUTPUT -d a.b.c.d -j REJECT

# reject and log all other
iptables -A OUTPUT ${logit} "!!! REJECT"
iptables -A OUTPUT -j REJECT
```

You can now search for "!!!" in the kernel log to check all messages from your FW, or more specifically for "DROP", "ACCEPT", or "ACCEPT IN" / "ACCEPT OUT". Anyway, I recommend checking your /var/log/messages more often (alias: "mylog" from A.3.3).

With "iptables -Z" you can reset the packet counters to zero and then, with "iptables -L -v -n", look up again which counters of which rules go up.

Last but not least, you should also tell your favourite browser about the new proxy. My "falkon" even noticed this automatically and I didn't have to tell it anything. If you use "wget", it might also be necessary to configure the proxy (today's wget reads the environment variables and then takes over the proxy settings itself). But don't worry, from now on you will immediately see if someone wants to get out ... but can't ...

Have fun.

Last edited by pietinger on Fri May 07, 2021 12:54 am; edited 23 times in total
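Triage of those "!!!" lines, as an added example (mine, not part of pietinger's post nor of the iptables or Privoxy projects): it parses the kernel-log format the LOG target writes, counts hits per log prefix and, for the closing "!!! REJECT" rule, groups the blocked outbound attempts by destination, port and UID so you can see which program tried to leave without going through Privoxy. The sample lines are constructed; the UID=/GID= fields on OUTPUT-chain lines are only present if the LOG rules are given `--log-uid` (a real LOG target option that the script above does not use), which is assumed here.

```python
import re
from collections import Counter

# Constructed kernel-log lines in the shape the iptables LOG target produces,
# using the "!!! ..." prefixes of the script above. The OUTPUT-chain lines
# carry UID=/GID= only if the LOG rules are given --log-uid (assumed here).
SAMPLE_LOG = """\
Feb 15 10:00:00 big kernel: usb 1-1: new high-speed USB device number 2
Feb 15 10:01:02 big kernel: !!! DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 15 10:01:09 big kernel: !!! DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 15 10:02:30 big kernel: !!! REJECT IN= OUT=eth0 SRC=192.168.2.2 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Feb 15 10:02:31 big kernel: !!! REJECT IN= OUT=eth0 SRC=192.168.2.2 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Feb 15 10:03:00 big kernel: !!! ACCEPT OUT SSH IN= OUT=eth0 SRC=192.168.2.2 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
"""

# The log prefix is everything between "kernel: " and the first " IN=" field.
LINE_RE = re.compile(r"kernel: (!!! .*?) (IN=.*)$")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_fw_log(text):
    """Turn firewall lines into dicts like {'prefix': '!!! REJECT', 'DST': ..., 'DPT': ...}.
    Lines without a "!!!" prefix (ordinary kernel messages) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"prefix": m.group(1), **dict(FIELD_RE.findall(m.group(2)))})
    return events


def summarize(events):
    """Return (hits per prefix, outbound rejects keyed by DST/PROTO/DPT/UID).
    The second counter is what the script's closing '!!! REJECT' rule buys you:
    the UID names the program that tried to call home without using Privoxy."""
    per_prefix = Counter(e["prefix"] for e in events)
    rejected_out = Counter(
        (e.get("DST"), e.get("PROTO"), e.get("DPT"), e.get("UID", "?"))
        for e in events if e["prefix"] == "!!! REJECT"
    )
    return per_prefix, rejected_out


if __name__ == "__main__":
    prefixes, rejects = summarize(parse_fw_log(SAMPLE_LOG))
    for prefix, n in prefixes.most_common():
        print(f"{n:5d}  {prefix}")
    for (dst, proto, dpt, uid), n in rejects.most_common():
        print(f"{n:5d}  blocked out: {proto} {dst}:{dpt} by UID {uid}")
```

Feed it the real thing with `dmesg | python3 fwlog.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`.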

----------

## Ralphred

Comments from me: Google translate made a real mess of the code sections, I think I've repaired it all.

I didn't use the firewall script, as I deployed privoxy on a router, but pietinger has done such a good job of a "personal firewall" script I felt loathe to leave it out of the translation.

The bit that wasn't covered in the original post was the blacklist.action file, which I shall cover now.

```
# Everything beyond the +block directive won't make it back into your network beyond the proxy.
{+block}
# block www.doubleclick.net
www.doubleclick.net
# block *.googlesyndication.com
.googlesyndication.com
# block *.ads.google.*
.ads.google.
```

And it's that simple.

It's not as good as blocking them at the IP level in the firewall, but if you are running a network without role based access control and multiple users it's a nice little addition.

It's also worth noting there is a whitelist option; you create the files in the same way as the blacklist, and using the same syntax, only the opening directive is

```
{-block}
```

The last option is the trustfile; this is well documented in /etc/privoxy/trust and seems like a nifty little feature, so read it all.
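An added example (mine, not Ralphred's nor Privoxy's code) that reproduces the host-pattern matching behind the blacklist and whitelist sections above, so you can check which hostnames a pattern like `.ads.google.` really catches before relying on it. The `{-block}` section and the example.com entries in the sample text are constructed; it is assumed that Privoxy applies the sections of an actions file in order with the last match winning, and wildcard characters inside domain components are not handled.

```python
# Constructed actions text: the post's three patterns, plus a constructed {-block}
# section (assumption: Privoxy applies a file's sections in order; the last match wins).
ACTIONS = """\
{+block}
www.doubleclick.net
.googlesyndication.com
.ads.google.
.example.com       # constructed: block everything under example.com ...
{-block}
www.example.com    # constructed: ... except the main web site
"""

def host_matches(pattern, host):
    """Privoxy host-pattern rules the post relies on: a leading/trailing dot leaves that
    side unanchored, a side without a dot must line up exactly. Wildcards not handled."""
    pattern = pattern.split("/", 1)[0]                      # ignore any path part
    left, right = not pattern.startswith("."), not pattern.endswith(".")
    pat = [c for c in pattern.lower().split(".") if c]
    hst = [c for c in host.lower().split(".") if c]
    n = len(pat)
    if n == 0 or n > len(hst):
        return False
    if left and right:
        return hst == pat
    if left:
        return hst[:n] == pat
    if right:
        return hst[-n:] == pat
    return any(hst[i:i + n] == pat for i in range(len(hst) - n + 1))

def parse_actions(text):
    action, rules = None, []                                # [(action, pattern), ...]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments
        if line.startswith("{") and line.endswith("}"):
            action = line[1:-1]
        elif line and action is not None:
            rules.append((action, line))
    return rules

def is_blocked(rules, host):
    """Walk the sections in order; the last matching one decides."""
    blocked = False
    for action, pattern in rules:
        if host_matches(pattern, host):
            blocked = action == "+block"
    return blocked

if __name__ == "__main__":
    rules = parse_actions(ACTIONS)
    for h in ("ad.doubleclick.net", "pagead2.googlesyndication.com", "ads.google.de",
              "www.google.com", "cdn.example.com", "www.example.com"):
        print(f"{h:32} {'BLOCKED' if is_blocked(rules, h) else 'allowed'}")
```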

----------

## figueroa

+1 -- Can't wait to study it further.

----------

## kukibl

Thank you very much for this.

----------

## pietinger

Ralphred,

thank you very much for translating and extending it!

I want to add a little info:

In my German thread I added some posts in (my poor school) English explaining some points of a firewall; (IMO) the most important is the section about "stateful inspection", which you will find with this direct link:

https://forums.gentoo.org/viewtopic-p-8465650.html#8465650

Many Greetings,

Peter

P.S.: (The first german sentence in this post says: "I've answered some questions in other threads and thought I'd collect this here. Maybe it will help one or the other. (Please don't laugh at my bad English)")

----------

