
Abyle-Firewall

Intro

The abyle-firewall iptables script is one of a million iptables scripts out there; it was developed for fun and to learn some Python basics.

Source

Installation (wheezy)

Add the following to your sources.list or sources.list.d:

 deb http://apt.abyle.org/apt wheezy main
 

e.g.:

 echo "deb http://apt.abyle.org/apt wheezy main" > /etc/apt/sources.list.d/abyle.list
 

To get rid of the gpg-key warnings, add the abyle key as trusted:

 curl http://apt.abyle.org/apt/packages.abyle.key | apt-key add -
 

Install abyle-firewall with:

 apt-get update
 apt-get install abyle-firewall
 

Dependencies:

 root@stat:~# apt-get install abyle-firewall
 Reading package lists... Done
 Building dependency tree       
 Reading state information... Done
 The following extra packages will be installed:
   libxslt1.1 python-lxml
 Suggested packages:
   python-lxml-dbg
 Recommended packages:
   abyle-frontend
 The following NEW packages will be installed:
   abyle-firewall libxslt1.1 python-lxml
 0 upgraded, 3 newly installed, 0 to remove and 12 not upgraded.
 Need to get 1,536 kB of archives.
 After this operation, 5,242 kB of additional disk space will be used.
 Do you want to continue [Y/n]? 

The first dialog asks you about interface exclusions. There may be reasons to exclude some interfaces, e.g. lo (you don't want to block something on your local loopback), so the default is to exclude “lo” only.

If you have/use more than one interface, I guess you will need it. :)

Post-Installation

So what do we have after the installation described above? Well, not very much, you should have a script called “abyle-firewall” in your path, you should have an init-script in /etc/init.d/ called “abyle-firewall” and of course there should be a configuration directory /etc/abyle-firewall, in short:

 # dpkg -L abyle-firewall
 /usr
 /usr/share
 /usr/share/doc
 /usr/share/doc/abyle-firewall
 /usr/share/doc/abyle-firewall/copyright
 /usr/share/doc/abyle-firewall/changelog.gz
 /usr/sbin
 /usr/sbin/abyle-firewall
 /usr/lib
 /usr/lib/python2.7
 /usr/lib/python2.7/dist-packages
 /usr/lib/python2.7/dist-packages/abyle-firewall.pth
 /usr/lib/python2.7/dist-packages/abyle-firewall
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_xmlparser.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_config_xmlwriter.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_log.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_firewall.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_execute.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_config_xmlparser.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_output.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/abyle_changelog_xmlparser.py
 /usr/lib/python2.7/dist-packages/abyle-firewall/reindent.py
 /etc
 /etc/init.d
 /etc/init.d/abyle-firewall
 /etc/abyle-firewall
 /etc/abyle-firewall/template
 /etc/abyle-firewall/template/interface
 /etc/abyle-firewall/template/interface/config.xml
 /etc/abyle-firewall/template/interface/rules.xml
 /etc/abyle-firewall/config.xml
 /etc/abyle-firewall/iptables_flags.xml
 /etc/abyle-firewall/rules.xml
 

The first test after the installation is to run abyle-firewall and take a look at its output:

 # abyle-firewall -i

As you can see, all tables are empty (of course they will not be empty if you have already inserted rules by hand or with other scripts); the output should be colorful if your terminal supports color codes.

Now let's take a look at the config directory, /etc/abyle-firewall as mentioned above:

 # ls -l /etc/abyle-firewall
 -rw-r--r-- 1 root root 5721 Apr 30 00:33 config.xml          # global configuration file
 -rwxr-xr-x 1 root root 3718 Mar  2 10:13 iptables_flags.xml  # abyle-firewall to iptables translation
 -rwxr-xr-x 1 root root  970 Mar  2 10:07 rules.xml           # global rules
 drwxr-xr-x 4 root root 4096 Apr 30 00:33 template            # template directory
 

First let us adjust some defaults in the global configuration (/etc/abyle-firewall/config.xml).

There is a bug in the current package, so please adjust the following setting:

replace:

 <createporttriggerchain>no</createporttriggerchain>

with:

 <createporttriggerchain>none</createporttriggerchain>
 

Also take a look at the <protect></protect> section: the interfaces (<interface>) listed within it are the ones abyle-firewall will handle. Keep in mind that traffic to any unlisted interface will be blocked once you start the abyle-firewall script.

If you have decided to turn off routing (ipv4forward), this config is the right place; just change:

 <ipv4forward>yes</ipv4forward>
 

to

 <ipv4forward>no</ipv4forward>
 

The next step is to create a config directory for each interface. You could do this by hand and copy the “template” directory to a directory named like the interface (in a subdirectory called interfaces), or you could use the -t arg and let abyle-firewall do this for you:

 # abyle-firewall -t
 root           :: copy template config for all existing interfaces! existing configs will be moved to   /etc/abyle-firewall/.old
 root           :: copy default config
 

The result should look like:

 # tree /etc/abyle-firewall/
 /etc/abyle-firewall/
 ├── config.xml
 ├── interfaces
 │   ├── eth0
 │   │   ├── config.xml
 │   │   └── rules.xml
 │   └── lo
 │       ├── config.xml
 │       └── rules.xml
 ├── iptables_flags.xml
 ├── rules.xml
 └── template
     └── interface
         ├── config.xml
         └── rules.xml
 
 5 directories, 9 files

So now we have a default global config and a default interface config for each interface; let's start abyle-firewall (abyle-firewall -s) and take a look at the tables (abyle-firewall -i) again:

The tables are now filled with some basic default rules; the default configuration for a newly configured/protected interface is to allow all (simply because you don't want to lock yourself out).

So, let's say eth0 is our public interface and we want to secure it; cd to its configuration directory:

 cd /etc/abyle-firewall/interfaces/eth0

For each interface there are two config files, config.xml and rules.xml. Let's take a look at the config:

 # more config.xml
 <root>
         <antispoofing>yes</antispoofing>
         <logging>no</logging>
         <allowping>yes</allowping>
         <masquerading>no</masquerading>
         <portforwarding>no</portforwarding>
         <transparent_proxy>no</transparent_proxy>
         <proxyarp>no</proxyarp>
         <sourcerouting>no</sourcerouting>
         <icmpredirects>no</icmpredirects>
         <secureicmpredirects>no</secureicmpredirects>
         <martianslogging>no</martianslogging>
         <drop0slash8packets>no</drop0slash8packets>
 </root>

To handle an outside interface I would suggest adjusting the config to:

 <allowping>no</allowping>
 <masquerading>no</masquerading>
 <drop0slash8packets>yes</drop0slash8packets>
 
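The interface config.xml above mostly toggles per-interface kernel knobs (the log further down reports things like “proxy arp deactivated for eth0”). As an added example, not abyle-firewall's own code, here is a small Python translator from those elements to the sysctl keys they plausibly drive, plus a check for settings an outside interface should not have; which sysctl key belongs to which element is an assumption made here from the element names.

```python
"""Map abyle-firewall interface config.xml toggles to per-interface sysctl
keys.  Added example, not abyle-firewall's own code: the element -> sysctl
mapping is assumed from the element names and the "... deactivated for eth0"
log lines on this page, not taken from the project."""
import xml.etree.ElementTree as ET

# Constructed sample: the shipped template with the outside-interface
# adjustments suggested on this page applied.
CONFIG_XML = """<root>
  <antispoofing>yes</antispoofing>
  <logging>no</logging>
  <allowping>no</allowping>
  <proxyarp>no</proxyarp>
  <sourcerouting>no</sourcerouting>
  <icmpredirects>no</icmpredirects>
  <secureicmpredirects>no</secureicmpredirects>
  <martianslogging>no</martianslogging>
</root>"""

# Assumed element -> (key under net.ipv4.conf.<iface>, value when "yes").
SYSCTL_MAP = {
    "antispoofing": ("rp_filter", "1"),
    "proxyarp": ("proxy_arp", "1"),
    "sourcerouting": ("accept_source_route", "1"),
    "icmpredirects": ("accept_redirects", "1"),
    "secureicmpredirects": ("secure_redirects", "1"),
    "martianslogging": ("log_martians", "1"),
}

def sysctl_settings(iface, xml_text):
    """Return {sysctl_key: value} for one interface's config.xml.
    Elements not in SYSCTL_MAP (allowping, logging, ...) are iptables
    concerns rather than sysctl ones and are skipped."""
    root = ET.fromstring(xml_text)
    settings = {}
    for elem in root:
        if elem.tag not in SYSCTL_MAP:
            continue
        key, on_value = SYSCTL_MAP[elem.tag]
        enabled = (elem.text or "").strip().lower() == "yes"
        settings["net.ipv4.conf.%s.%s" % (iface, key)] = on_value if enabled else "0"
    return settings

def weak_settings(iface, xml_text):
    """Keys whose value is not what a hardened outside interface wants
    (spoofing protection off, or source routing / ICMP redirects accepted)."""
    wanted = {"rp_filter": "1", "accept_source_route": "0", "accept_redirects": "0"}
    return sorted(k for k, v in sysctl_settings(iface, xml_text).items()
                  if v != wanted.get(k.rsplit(".", 1)[1], v))
```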

Next, rules.xml:

 <interface>
 
   <rules>
     <!-- allow all by default -->
     <traffic chain="block" job="ACCEPT" state="NEW"></traffic>
   </rules>
 
   <portforwarding>
     <!-- example rule for portforwarding, forward incoming traffic on this interface on port 2222 TCP to 192.168.0.245 port 22 tcp -->
     <traffic chain="PREROUTING" job="DNAT" table="nat" forward-port="2222" destination="192.168.0.245" destination-port="22" protocol="tcp"/>
   </portforwarding>
 
   <transparentproxy>
     <!-- example rule for HTTP transparent proxy / enable/disable in config.xml -->
     <traffic chain="PREROUTING" job="REDIRECT" table="nat" forward-port="80" destination="0/0" destination-port="3128" protocol="tcp"></traffic>
   </transparentproxy>
 
   <logging>
   </logging>
 
   <masquerading>
     <!-- example rule for masquerading / enable/disable in config.xml -->
     <traffic chain="POSTROUTING" job="MASQUERADE" table="nat"/>
   </masquerading>
 
 </interface>

Let's concentrate on the rules section (<rules></rules>). As you can see, the default rule which allows any traffic to pass is active; delete this line and replace it with one which only allows ssh traffic to get through:

 <traffic chain="INPUT" job="ACCEPT" state="NEW" source="0/0" protocol="tcp" destination="0/0" destination-port="22"/>
 
 
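To see what such a <traffic> element turns into, and to catch the allow-all default if it was left in place, here is an added Python example (not abyle-firewall's own code; the project's real translation table is /etc/abyle-firewall/iptables_flags.xml, which is not shown on this page). The attribute-to-flag mapping is assumed from the log lines further down (e.g. “lo -i lo -A INPUT -j ACCEPT”, “-A block -j ACCEPT -m state --state ESTABLISHED,RELATED”).

```python
"""Render abyle-firewall <traffic> rules to iptables arguments and flag
permissive rules.  Added example, not abyle-firewall's own code: the
attribute-to-flag mapping below is assumed from the log lines on this page
(the real translation lives in /etc/abyle-firewall/iptables_flags.xml)."""
import xml.etree.ElementTree as ET

# Constructed sample eth0 rules.xml: the shipped allow-all default is still
# present next to the ssh-only rule suggested on this page.
RULES_XML = """<interface>
  <rules>
    <traffic chain="block" job="ACCEPT" state="NEW"></traffic>
    <traffic chain="INPUT" job="ACCEPT" state="NEW" source="0/0"
             protocol="tcp" destination="0/0" destination-port="22"/>
  </rules>
</interface>"""

# Assumed attribute -> iptables flag mapping; protocol is emitted before
# --dport because iptables needs -p before a port match.
FLAGS = [("chain", "-A"), ("job", "-j"), ("source", "-s"),
         ("destination", "-d"), ("protocol", "-p"),
         ("destination-port", "--dport")]

def render_rule(iface, traffic):
    """Return the iptables argument string for one <traffic> element."""
    args = ["-i", iface]
    for attr, flag in FLAGS:
        if attr in traffic.attrib:
            args += [flag, traffic.attrib[attr]]
    if "state" in traffic.attrib:  # conntrack state match, as in the log
        args += ["-m", "state", "--state", traffic.attrib["state"]]
    return " ".join(args)

def render_rules(iface, xml_text):
    """Render every <traffic> element of the <rules> section, in file order."""
    root = ET.fromstring(xml_text)
    return [render_rule(iface, t) for t in root.findall("./rules/traffic")]

def permissive_rules(xml_text):
    """Indices of ACCEPT rules with no protocol/port restriction, i.e. the
    allow-all default this page tells you to delete on a public interface."""
    root = ET.fromstring(xml_text)
    return [n for n, t in enumerate(root.findall("./rules/traffic"))
            if t.get("job") == "ACCEPT"
            and t.get("protocol") is None and t.get("destination-port") is None]

if __name__ == "__main__":
    for n, line in enumerate(render_rules("eth0", RULES_XML)):
        note = "  <-- allow-all" if n in permissive_rules(RULES_XML) else ""
        print("iptables %s%s" % (line, note))
```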

Save the files and just run “abyle-firewall -s” again; the table should now look like:

Why?

If you've read the above, you may ask yourself why you should use this intricate piece of software with its atypical xml configuration files. Well, I have some answers as to why I am still using it:

  • scalability

If you have two interfaces, one inside and one outside, and just want to block everything from the outside, do a masquerade and that's it, then a bunch of iptables lines in a bash script would probably be the better choice. But if you have 10 tun interfaces for vpn, multiple outside interfaces (e.g. for multiple internet providers) and multiple inside interfaces (e.g. in different vlans), like I have, managing the security in a simple bash script can be tricky. That was one of the main reasons why abyle-firewall was developed: to concentrate on each interface and keep the possibility to clone a configuration from one interface to another. Another feature is that you can easily copy your interface configuration from one host to another without changes, so if you have 50 servers in your farm which need the same iptables configuration for eth0, just rsync them; server-specific interfaces can still be configured independently.

  • table management

You just don't need to care about the creation of tables, the flushing of tables and the right order of iptables commands: abyle-firewall -b will always blow away every iptables configuration, and abyle-firewall -s will protect you if you have configured everything correctly.

  • easy portforwarding / transparent proxy / masquerading

Besides the <rules> section explained above, the interface rules.xml also has <portforwarding>, <transparentproxy> and <masquerading> sections, so if you want to enable one of these features you just have to turn it on in the config.xml, and the portforwarding, transparentproxy and masquerading rules defined in your rules.xml will be applied after the next restart.

  • nice output

You don't have to fire several iptables -L commands to get an overview; just execute abyle-firewall -i.

  • iptables command logging

Everything will be logged to /var/log/abyle.log, e.g.:

 ...
 Thu, 01 May 2014 11:43:50 firewall          INFO     ipv4 send TCP-RST on full buffer is deactivated
 Thu, 01 May 2014 11:43:50 firewall          INFO     ipv4 reply to ICMP Broadcasts is deactivated
 Thu, 01 May 2014 11:43:50 firewall          INFO     ipv4 dynamic address hack deactivated
 Thu, 01 May 2014 11:43:50 firewall          INFO     ipv4 forwarding activated
 Thu, 01 May 2014 11:43:50 firewall          INFO     syncookie activated
 Thu, 01 May 2014 11:43:50 firewall          INFO     default-rule:  -N block
 Thu, 01 May 2014 11:43:50 firewall          INFO     default-rule: -A block -j ACCEPT -m state --state ESTABLISHED,RELATED
 Thu, 01 May 2014 11:43:50 firewall-rule     INFO     sit0 -i sit0 -A INPUT -j ACCEPT
 Thu, 01 May 2014 11:43:50 firewall-rule     INFO     lo -i lo -A INPUT -j ACCEPT
 Thu, 01 May 2014 11:43:50 firewall-rule     INFO     lo -i lo -A INPUT -j ACCEPT
 Thu, 01 May 2014 11:43:50 abyle-firewall    INFO     /etc/abyle-firewall/interfaces/eth0/config.xml is a well-formed xml
 Thu, 01 May 2014 11:43:50 abyle-firewall    INFO     proxy arp deactivated for eth0
 Thu, 01 May 2014 11:43:50 abyle-firewall    INFO     allow source routing deactivated for eth0
 Thu, 01 May 2014 11:43:50 abyle-firewall    INFO     icmp redirects deactivated for eth0
 ...
 
  • secure icmp ping

If you enable your interface to be pingable, it doesn't allow every icmp type, just the ones needed to be pingable.

  • xml

Changing the configuration within xml files by hand is not much fun, but parsing them with python is really a pain in the ass. Maybe the decision to use xml was the biggest mistake, but it was made because there was/is a web interface written in php, so we wanted to be language independent; somehow the xml hype years ago made us believe that this could only be done by using xml. Well, as mentioned, maybe the biggest mistake. :)

  • there will be world peace and a rewrite

Yes, we have a complete rewrite on our minds all the time, but the lack of muse and need keeps us from doing it. If we do it, there will be no xml, we will support ipv6, and logging of traffic will work in a more logical way.

Extensions

Since the initial release (2005) some special setups have required some basic plugin/extension hacks; right now they are implemented as standalone scripts or binaries.

For example, if you want to execute some special rules which can't be done by abyle-firewall, like marking with MARK, it's tricky to get these rules in: inserting them with iptables -I would put them above all rules, inserting them with iptables -A would append them at the bottom, and mostly this is not what you want. So the extensions of abyle-firewall do nothing more or less than execute them at the right time to get them ordered. A second example is the restart or start of a service upon restart of the firewall: if you have a dialup connection with a dynamic ip address you may want to restart your firewall after a reconnect, and after the restart of the firewall you want to restart a service like openvpn or danted.

List of Extensions (configured in global config.xml):

  • Port Trigger Chain
 <createporttriggerchain>yes</createporttriggerchain>

Abyle-firewall will create a special chain named TRIGGERFORWARD which allows you to configure portforwarding from outside to inside based on a configured inside-to-outside connection (something like upnp port-forwarding).

  • Dual ISP Setup
 <dualisp>yes</dualisp>
 <dualispsetupscript>/usr/local/sbin/dualispsetup.sh</dualispsetupscript>  
 

Set up configuration and rules to use a dual isp configuration.

  • Socks Server
 <socks>yes</socks>
 <socksscript>/usr/local/sbin/dante.sh</socksscript>
 

Stop/start/reconfigure danted (socks5 proxy) on startup of abyle-firewall.

  • Shaping (tc)
 <shaping>yes</shaping>
 <shapingscript>/usr/local/sbin/shaping.sh</shapingscript>

Configure Linux Traffic Shaping on startup of abyle-firewall.

abyle-firewall/start.txt · Last modified: 2014/05/01 15:12 by scuq