The abyle-firewall iptables script is one of a million iptables scripts out there; it was developed for fun and for learning some Python basics.
Add the following to your sources.list or sources.list.d:
deb http://apt.abyle.org/apt wheezy main
echo "deb http://apt.abyle.org/apt wheezy main" > /etc/apt/sources.list.d/abyle.list
To get rid of the gpg-key warnings, add the abyle key as trusted:
curl http://apt.abyle.org/apt/packages.abyle.key | apt-key add -
Install the abyle-firewall with:
apt-get update
apt-get install abyle-firewall
root@stat:~# apt-get install abyle-firewall
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libxslt1.1 python-lxml
Suggested packages:
  python-lxml-dbg
Recommended packages:
  abyle-frontend
The following NEW packages will be installed:
  abyle-firewall libxslt1.1 python-lxml
0 upgraded, 3 newly installed, 0 to remove and 12 not upgraded.
Need to get 1,536 kB of archives.
After this operation, 5,242 kB of additional disk space will be used.
Do you want to continue [Y/n]?
The first dialog asks you about interface exclusions. There may be reasons to exclude some interfaces, e.g. lo (you don't want to block something on your local loopback), so the default is to exclude "lo" only. If you have/use more than one interface, I guess you will need it. :)
So what do we have after the installation described above? Well, not very much: you should have a script called "abyle-firewall" in your path, you should have an init script in /etc/init.d/ called "abyle-firewall", and of course there should be a configuration directory /etc/abyle-firewall. In short:
# dpkg -L abyle-firewall
/usr
/usr/share
/usr/share/doc
/usr/share/doc/abyle-firewall
/usr/share/doc/abyle-firewall/copyright
/usr/share/doc/abyle-firewall/changelog.gz
/usr/sbin
/usr/sbin/abyle-firewall
/usr/lib
/usr/lib/python2.7
/usr/lib/python2.7/dist-packages
/usr/lib/python2.7/dist-packages/abyle-firewall.pth
/usr/lib/python2.7/dist-packages/abyle-firewall
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_xmlparser.py
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_config_xmlwriter.py
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_log.py
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_firewall.py
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_execute.py
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_config_xmlparser.py
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_output.py
/usr/lib/python2.7/dist-packages/abyle-firewall/abyle_changelog_xmlparser.py
/usr/lib/python2.7/dist-packages/abyle-firewall/reindent.py
/etc
/etc/init.d
/etc/init.d/abyle-firewall
/etc/abyle-firewall
/etc/abyle-firewall/template
/etc/abyle-firewall/template/interface
/etc/abyle-firewall/template/interface/config.xml
/etc/abyle-firewall/template/interface/rules.xml
/etc/abyle-firewall/config.xml
/etc/abyle-firewall/iptables_flags.xml
/etc/abyle-firewall/rules.xml
The first test after the installation is to run abyle-firewall and take a look at its output:
# abyle-firewall -i
So as you can see, all tables are empty (of course the tables will not be empty if you have already inserted rules by hand or with other scripts); the output should be colorful if your terminal supports color codes.
Now we take a look at the config directory, as mentioned above /etc/abyle-firewall:
# ls -l /etc/abyle-firewall
-rw-r--r-- 1 root root 5721 Apr 30 00:33 config.xml          # global configuration file
-rwxr-xr-x 1 root root 3718 Mar  2 10:13 iptables_flags.xml  # abyle-firewall to iptables translation
-rwxr-xr-x 1 root root  970 Mar  2 10:07 rules.xml           # global rules
drwxr-xr-x 4 root root 4096 Apr 30 00:33 template            # template directory
First let us adjust some defaults in the global configuration (/etc/abyle-firewall/config.xml). There is a bug in the current package, so please adjust the following setting:
Also take a look at the <protect> </protect> section: the interfaces (<interface>) within this section will be handled by abyle-firewall. Keep in mind that traffic on any unlisted interface will be blocked once you start the abyle-firewall script.
If you have decided to turn off routing (ipv4forward), this config is the right place; just adjust:
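Because traffic on every interface that is missing from the <protect> section is blocked once the script starts, a pre-flight check that compares that section with the interfaces actually present on the host is the easiest way to avoid locking yourself out of a remote box. The following is an added example (not part of abyle-firewall, and not the post's code); it assumes the <protect> section lists interfaces as <interface>NAME</interface>, which the post does not show in full, and it uses a constructed config excerpt and a constructed interface list so it runs offline.

```python
import os
import xml.etree.ElementTree as ET

# Constructed global config.xml excerpt. ASSUMPTION: <protect> lists the
# handled interfaces as <interface>NAME</interface>; the post names the
# section and the element but does not show the exact layout.
GLOBAL_CONFIG_XML = """<root>
  <ipv4forward>no</ipv4forward>
  <protect>
    <interface>eth0</interface>
    <interface>tun0</interface>
    <interface>tun1</interface>
  </protect>
</root>"""

# Constructed stand-in for the interfaces found under /sys/class/net on a host.
HOST_INTERFACES = ["lo", "eth0", "eth1", "tun0", "sit0"]


def host_interfaces(sysfs="/sys/class/net"):
    """Interface names present on this Linux host (one directory per interface in sysfs)."""
    return sorted(os.listdir(sysfs))


def protected_interfaces(config_xml):
    """Return the interface names listed in <protect>, in file order."""
    root = ET.fromstring(config_xml)
    return [i.text.strip() for i in root.iterfind("protect/interface") if i.text]


def lockout_check(config_xml, interfaces, excluded=("lo",)):
    """Classify the host's interfaces before 'abyle-firewall -s' is run.

    Returns (protected, excluded, blocked, missing):
      protected - present on the host and listed in <protect>
      excluded  - present on the host and on the exclusion list from the install dialog
      blocked   - present on the host, neither protected nor excluded: traffic on
                  these would be dropped once the script starts
      missing   - listed in <protect> but not present on the host (typo or absent VPN)
    """
    wanted = set(protected_interfaces(config_xml))
    skip = set(excluded)
    protected = [i for i in interfaces if i in wanted]
    excluded_found = [i for i in interfaces if i in skip]
    blocked = [i for i in interfaces if i not in wanted and i not in skip]
    missing = sorted(wanted - set(interfaces))
    return protected, excluded_found, blocked, missing


if __name__ == "__main__":
    # On a real host swap HOST_INTERFACES for host_interfaces().
    prot, excl, blocked, missing = lockout_check(GLOBAL_CONFIG_XML, HOST_INTERFACES)
    print("protected:", prot)
    print("excluded: ", excl)
    print("blocked:  ", blocked, "<- these go dark when the firewall starts")
    print("missing:  ", missing, "<- listed in <protect> but not on this host")
```

Run it (or wire it into whatever starts the init script) before the first abyle-firewall -s on a machine you only reach over the network; a non-empty "blocked" list that contains the interface carrying your session is the case to stop and fix the config first.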
The next step is to create a config directory for each interface. You could do this by hand and copy the "template" directory to a directory named after the interface (in a subdirectory called interfaces), or you could use the -t arg and let abyle-firewall do this for you:
# abyle-firewall -t
root :: copy template config for all existing interfaces! existing configs will be moved to /etc/abyle-firewall/.old
root :: copy default config
The result should look like:
# tree /etc/abyle-firewall/
/etc/abyle-firewall/
├── config.xml
├── interfaces
│   ├── eth0
│   │   ├── config.xml
│   │   └── rules.xml
│   └── lo
│       ├── config.xml
│       └── rules.xml
├── iptables_flags.xml
├── rules.xml
└── template
    └── interface
        ├── config.xml
        └── rules.xml

5 directories, 9 files
So now we have a default global config and a default interface config for each interface; let's try to start abyle-firewall and take a look at the tables again:
The tables are now filled with some basic default rules. The default configuration for a newly configured/protected interface is to allow all (just so you don't lock yourself out).
So, let's say eth0 is our public interface and we want to secure it; cd to its configuration directory.
For each interface there are 2 config files, config.xml and rules.xml. Let's take a look at the config:
# more config.xml
<root>
  <antispoofing>yes</antispoofing>
  <logging>no</logging>
  <allowping>yes</allowping>
  <masquerading>no</masquerading>
  <portforwarding>no</portforwarding>
  <transparent_proxy>no</transparent_proxy>
  <proxyarp>no</proxyarp>
  <sourcerouting>no</sourcerouting>
  <icmpredirects>no</icmpredirects>
  <secureicmpredirects>no</secureicmpredirects>
  <martianslogging>no</martianslogging>
  <drop0slash8packets>no</drop0slash8packets>
</root>
To handle an outside interface I would suggest adjusting the config to:
<allowping>no</allowping>
<masquerading>no</masquerading>
<drop0slash8packets>yes</drop0slash8packets>
The rules.xml of the interface looks like this:
<interface>
  <rules>
    <!-- allow all by default -->
    <traffic chain="block" job="ACCEPT" state="NEW"></traffic>
  </rules>
  <portforwarding>
    <!-- example rule for portforwarding, forward incoming traffic on this interface on port 2222 TCP to 192.168.0.245 port 22 tcp -->
    <traffic chain="PREROUTING" job="DNAT" table="nat" forward-port="2222" destination="192.168.0.245" destination-port="22" protocol="tcp"/>
  </portforwarding>
  <transparentproxy>
    <!-- example rule for HTTP transparent proxy / enable/disable in config.xml -->
    <traffic chain="PREROUTING" job="REDIRECT" table="nat" forward-port="80" destination="0/0" destination-port="3128" protocol="tcp"></traffic>
  </transparentproxy>
  <logging>
  </logging>
  <masquerading>
    <!-- example rule for masquerading / enable/disable in config.xml -->
    <traffic chain="POSTROUTING" job="MASQUERADE" table="nat"/>
  </masquerading>
</interface>
Let's concentrate on the rules section (<rules></rules>). As you can see, the default rule which allows any traffic to pass is active; delete this line and replace it with one which only allows ssh traffic through:
<traffic chain="INPUT" job="ACCEPT" state="NEW" source="0/0" protocol="tcp" destination="0/0" destination-port="22"/>
Save the files and just run "abyle-firewall -s" again; the table should now look like:
If you've read the above, you may ask yourself why you should use this intricate piece of software with its atypical xml configuration files. Well, I have some answers why I am still using it:
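To make the mapping from a <traffic> element to the iptables command it produces concrete, here is an added example in Python (my own illustration, not abyle-firewall's abyle_xmlparser.py or its iptables_flags.xml, which I have not reproduced). It takes the ssh-only rule above together with the portforwarding and masquerading examples from the interface's rules.xml, honours the on/off switches in the interface's config.xml, and also shows the "secure ping" behaviour the post describes later: only ICMP echo-request is accepted as NEW, because the replies ride on the ESTABLISHED,RELATED rule of the block chain. The attribute-to-flag table and the chain-to-interface binding are my assumptions; the XML layout is the post's.

```python
import xml.etree.ElementTree as ET

# Constructed sample rules.xml for eth0: the ssh-only rule plus the
# portforwarding/masquerading examples from the post's template.
RULES_XML = """<interface>
  <rules>
    <traffic chain="INPUT" job="ACCEPT" state="NEW" source="0/0" protocol="tcp"
             destination="0/0" destination-port="22"/>
  </rules>
  <portforwarding>
    <traffic chain="PREROUTING" job="DNAT" table="nat" forward-port="2222"
             destination="192.168.0.245" destination-port="22" protocol="tcp"/>
  </portforwarding>
  <masquerading>
    <traffic chain="POSTROUTING" job="MASQUERADE" table="nat"/>
  </masquerading>
</interface>"""

# Constructed sample config.xml for the same interface (outside-interface settings).
CONFIG_XML = """<root>
  <allowping>no</allowping>
  <masquerading>no</masquerading>
  <portforwarding>yes</portforwarding>
  <transparent_proxy>no</transparent_proxy>
</root>"""

# Attribute -> iptables match flag, in an order iptables accepts (-p before --dport).
# ASSUMPTION: stands in for the project's iptables_flags.xml translation table.
MATCH_FLAGS = [
    ("source", "-s"), ("destination", "-d"), ("protocol", "-p"),
    ("source-port", "--sport"), ("destination-port", "--dport"),
]

# rules.xml section -> config.xml switch that enables it (the <rules> section is always applied).
GATED = {"portforwarding": "portforwarding", "transparentproxy": "transparent_proxy",
         "masquerading": "masquerading", "logging": "logging"}


def traffic_to_args(elem, iface):
    """Translate one <traffic> element into an iptables argument vector."""
    table, chain, job = elem.get("table", "filter"), elem.get("chain"), elem.get("job")
    if not chain or not job:
        raise ValueError("<traffic> needs chain and job attributes")
    args = ["iptables", "-t", table, "-A", chain]
    # Bind the rule to its interface: egress chains match on -o, everything else on -i.
    args += ["-o", iface] if chain in ("OUTPUT", "POSTROUTING") else ["-i", iface]
    if job in ("DNAT", "REDIRECT"):
        # nat rules: match the public port (forward-port) and rewrite to destination/destination-port.
        args += ["-p", elem.get("protocol", "tcp"), "--dport", elem.get("forward-port"), "-j", job]
        if job == "DNAT":
            return args + ["--to-destination", "%s:%s" % (elem.get("destination"), elem.get("destination-port"))]
        return args + ["--to-ports", elem.get("destination-port")]
    for attr, flag in MATCH_FLAGS:
        if elem.get(attr) is not None:
            args += [flag, elem.get(attr)]
    if elem.get("state"):
        args += ["-m", "state", "--state", elem.get("state")]
    return args + ["-j", job]


def ping_args(iface):
    """Secure ping: accept only echo-request as NEW; echo-reply is covered by
    the ESTABLISHED,RELATED rule in the block chain (see the log excerpt)."""
    return ["iptables", "-t", "filter", "-A", "INPUT", "-i", iface, "-p", "icmp",
            "--icmp-type", "echo-request", "-m", "state", "--state", "NEW", "-j", "ACCEPT"]


def build_rules(rules_xml, config_xml, iface):
    """Return the ordered iptables argument vectors for one interface."""
    rules, conf = ET.fromstring(rules_xml), ET.fromstring(config_xml)

    def enabled(key):
        return (conf.findtext(key) or "no").strip().lower() == "yes"

    out = [ping_args(iface)] if enabled("allowping") else []
    for section in rules:
        switch = GATED.get(section.tag)
        if switch and not enabled(switch):
            continue  # section present in rules.xml but switched off in config.xml
        out += [traffic_to_args(t, iface) for t in section.findall("traffic")]
    return out


if __name__ == "__main__":
    for argv in build_rules(RULES_XML, CONFIG_XML, "eth0"):
        print(" ".join(argv))
```

With the sample files above only two commands come out: the ssh ACCEPT in the filter table and the DNAT in the nat table; the MASQUERADE rule is skipped because config.xml says <masquerading>no</masquerading>, which is exactly the enable-in-config, define-in-rules split the post describes.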
If you have two interfaces, one inside and one outside, and just want to block everything from the outside, do a masquerade and that's it, then a bunch of iptables lines in a bash script would probably be the better choice. But if you have 10 tun interfaces for vpn, multiple outside interfaces (e.g. for multiple internet providers) and multiple inside interfaces (e.g. in different vlans), like I have, managing the security in a simple bash script can be tricky. That was one of the main reasons why abyle-firewall was developed: to concentrate on each interface and keep the possibility to clone a configuration from one interface to another.
Another feature is that you can easily copy your interface configuration from one host to another without changes, so if you have 50 servers in your farm which need the same iptables configuration for eth0, just rsync them; server-specific interfaces can still be configured independently.
You just don't need to care about the creation of tables, the flushing of tables and the right order of iptables commands:
abyle-firewall -b will always blow away every iptables configuration, and abyle-firewall -s will protect you if you have configured everything correctly.
Besides the explained <rules> section in the interface rules.xml there are also <portforwarding>, <transparentproxy> and <masquerading> sections, so if you want to enable one of these features you just have to enable it in config.xml, and the portforwarding, transparentproxy and masquerading rules defined in your rules.xml will be applied after the next restart.
You don't have to fire several iptables -L commands to get an overview, just execute abyle-firewall -i.
Everything will be logged to /var/log/abyle.log, e.g.:
...
Thu, 01 May 2014 11:43:50 firewall INFO ipv4 send TCP-RST on full buffer is deactivated
Thu, 01 May 2014 11:43:50 firewall INFO ipv4 reply to ICMP Broadcasts is deactivated
Thu, 01 May 2014 11:43:50 firewall INFO ipv4 dynamic address hack deactivated
Thu, 01 May 2014 11:43:50 firewall INFO ipv4 forwarding activated
Thu, 01 May 2014 11:43:50 firewall INFO syncookie activated
Thu, 01 May 2014 11:43:50 firewall INFO default-rule: -N block
Thu, 01 May 2014 11:43:50 firewall INFO default-rule: -A block -j ACCEPT -m state --state ESTABLISHED,RELATED
Thu, 01 May 2014 11:43:50 firewall-rule INFO sit0 -i sit0 -A INPUT -j ACCEPT
Thu, 01 May 2014 11:43:50 firewall-rule INFO lo -i lo -A INPUT -j ACCEPT
Thu, 01 May 2014 11:43:50 firewall-rule INFO lo -i lo -A INPUT -j ACCEPT
Thu, 01 May 2014 11:43:50 abyle-firewall INFO /etc/abyle-firewall/interfaces/eth0/config.xml is a well-formed xml
Thu, 01 May 2014 11:43:50 abyle-firewall INFO proxy arp deactivated for eth0
Thu, 01 May 2014 11:43:50 abyle-firewall INFO allow source routing deactivated for eth0
Thu, 01 May 2014 11:43:50 abyle-firewall INFO icmp redirects deactivated for eth0
...
* secure icmp ping
If you enable your interface to be pingable, it doesn't allow every icmp type, just the ones needed to be pingable.
Changing the configuration within xml files by hand is not much fun, but parsing them with Python is really a pain in the ass. Maybe the decision to use xml was the biggest mistake, but it was made because there was/is a web interface written in PHP and we wanted to be language independent; somehow the xml hype years ago made us believe that this could only be done with xml. Well, as mentioned, maybe the biggest mistake. :)
Yes, we have a complete rewrite on our minds all the time, but the lack of motivation and necessity keeps us from doing it. If we do it, there will be no xml, we will support ipv6, and logging of traffic will work in a more logical way.
Since the initial release (2005) some special setups required some basic plugin/extension hacks; right now they are implemented as standalone scripts or binaries.
For example, if you want to execute some special rules which couldn't be done by abyle-firewall, like marking with MARK, it's tricky to get these rules in: inserting them with iptables -I would put them above all rules, inserting them with iptables -A would append them at the bottom, and mostly neither is what you want. So the extensions of abyle-firewall do nothing more or less than execute them at the right time to get them ordered.
A second example is the restart or start of a service upon restart of the firewall: for example, if you have a dialup connection with a dynamic ip address, you may want to restart your firewall after a reconnect, and after the restart of the firewall you want to restart a service like openvpn or danted.
Abyle-firewall will create a special chain named TRIGGERFORWARD which allows you to configure portforwarding from outside to inside based on a configured inside-to-outside connection (something like upnp port forwarding).
Setup configuration and rules to use a dual ISP configuration.
Stop/start/reconfigure danted (socks5 proxy) on startup of abyle-firewall.
Configure Linux traffic shaping on startup of abyle-firewall.