Documentation
1. Introduction |
2. Policy |
2.1. Input |
2.2. Output |
2.3. Forwarding |
3. Required |
3.1 Kernel configuration |
3.2 Dialog |
4. Install |
4.1. Redhat |
4.2. Debian |
4.3. All distributions |
5. Upgrade |
6. Configure |
6.1. The interactive mode |
6.2. The manual mode |
6.3. Minimal configuration |
6.4. TCP/UDP Ports for Internet |
6.5. TCP/UDP Ports for LAN |
6.6. Firewall inside a LAN |
6.7. Satellite configuration |
7. Start the firewall |
8. Automatic startup |
9. Features |
9.1 Denying Host or MAC |
9.2 Spywares & Peerprotect |
9.3 Custom rules |
9.4 Ulog |
-
Here you will find all the necessary information about Jay's Iptables Firewall: how it works, how to install it and how to use it.
The next section (2. Policy) explains how the firewall works, but you will probably want to skip it. If you only want to install and configure the firewall, jump directly to 3. Required.
Enjoy it.
This section explains how the firewall works and how it has been built. Skip this section if you only want to install the firewall.
There are 3 parts in the firewall: the input side, the output side and the forwarding side.
This is the filter for all incoming connections intended for the box itself (from the Internet and the LAN).
See iptables -L INPUT -v
The default tests for Internet connections are: spoofing, ICMP, TCP flags, TCP/UDP ports and connection state (established, related, new or invalid).
See iptables -L JAY_INETIN -v
The default test for LAN connections is only the source IP; all connections are allowed from the LAN (but they can be restricted since version 1.0).
See iptables -L JAY_LANIN -v
This is the filter for all outgoing connections generated by the box itself (to the Internet and the LAN).
By default, all outgoing traffic is allowed.
See iptables -L OUTPUT -v
Only a check against the spyware IP list can be set up here (not enabled by default).
See iptables -L JAY_INETOUT
and iptables -L JAY_DENY_IP_OUT -n for the spyware list (must be enabled)
LAN connections
Only the destination IP is checked (it must be on one of your LAN subnets).
See iptables -L JAY_LANOUT -v
As you can see, the output checks are not very restrictive. This way, you do not have to specify which programs need the Internet. But if you want to specify which ports must be open for output, you can use the custom rules feature.
Forwarding means, for example, taking traffic from the LAN and sending it to the Internet (as masquerading), and on the way back, taking the replied traffic from the Internet and sending it back to the LAN.
Your Linux box can also be a 'node' between two or more LANs (example: 192.168.5.0/24 and 10.0.0.0/8).
By default, the Internet cannot send traffic directly to your LAN; it can only be a reply to a LAN request.
If you want a TCP or UDP port to be redirected to a host on your LAN, add a forwarding rule in the firewall config. This way, you can directly access (from the Internet) a single host on your LAN on a specified port (examples: ICQ file transfers, p2p software, ...). See the FAQ.
As you can see, there are 3 parts in the forwarding.
1. LAN -> Internet
Remember that all outgoing traffic is allowed, and the forwarding section follows the same policy.
There is a TCP flags check, a Smurf check (see Distributed Denial of Service attack) and a spyware IP check (not enabled by default).
See iptables -L JAY_FWD_LAN_INET -v
2. Internet -> LAN
Nothing by default.
ip_conntrack remembers the outgoing connections of the LAN (it keeps the 'state' of connections) and allows the replies to come back.
In iptables terms, this means that RELATED and ESTABLISHED connections are accepted.
When traffic comes back to a host on your LAN, these tests are done: a TCP flags check, an ICMP check and a spoofing check.
See iptables -L JAY_FWD_INET_LAN -v
For an explicitly forwarded (TCP/UDP) port, one rule is added to allow the NEW connection (connection state) and another for the address translation.
See iptables -L FORWARD -v
and iptables -t nat -L PREROUTING -v
3. LAN -> LAN
Nothing by default.
See iptables -L JAY_FWD_LAN_LAN -v (if you have more than one LAN)
-
A Linux box with:
- A kernel >= 2.4 (http://www.kernel.org)
- The latest iptables (version <= 1.2.6a)
- Perl
- Dialog >= 0.9a-20020309a (if you want the interactive configuration, see screenshots)
Your kernel needs the netfilter modules. Here is an example of a 2.4.20 kernel configuration.
Code maturity level options --->
  [*] Prompt for development and/or incomplete code/drivers
Networking options --->
  [*] Network packet filtering (replaces ipchains)
  IP: Netfilter Configuration --->
    <M> Connection tracking (required for masq/NAT)
    <M> FTP protocol support
    <M> IRC protocol support
    <M> IP tables support (required for filtering/masq/NAT)
    <M> limit match support
    <M> MAC address match support
    <M> Packet type match support
    <M> netfilter MARK match support
    <M> Multiple port match support
    <M> TOS match support
    <M> LENGTH match support
    <M> TTL match support
    <M> tcpmss match support
    <M> Connection state match support
    <M> Connection tracking match support
    <M> Unclean match support (EXPERIMENTAL)
    <M> Packet filtering
    <M> REJECT target support
    <M> Full NAT
    <M> MASQUERADE target support
    <M> REDIRECT target support
    <M> Packet mangling
    <M> TOS target support
    <M> MARK target support
    <M> LOG target support
    <M> TCPMSS target support
Dialog is a utility for creating nice user interfaces for shell scripts or other scripting languages, such as Perl. It is non-graphical (it uses curses), so it can be run in the console or in an xterm.
Dialog version 0.9a-20020309a is needed by 'firewall-config.pl' if you want to use the interactive configuration mode. See section 6. Configure.
Get the latest version from the download section and choose the file for your preferred distribution.
# dpkg -i firewall-jay-x.y.z.deb
or add
deb http://firewall-jay.sourceforge.net/debian/ ./
in /etc/apt/sources.list and run
# apt-get update
# apt-get install firewall-jay
# rpm -Uvh firewall-jay-x.y.z.rpm
# tar xzf firewall-jay-x.y.z.tar.gz
# cd firewall-jay-x.y.z
# make install
This will copy the files as shown in the files section.
First you need to install the firewall as explained above.
This will overwrite your current release.
The next step is to have an up-to-date configuration file:
/etc/firewall-jay/firewall.config
Upgrade config from version < 0.9.1a
-
Sorry, but you can't automatically update your current configuration file to the latest version. You need to create a new one.
This will create a new configuration file with the interactive Perl script (dialog mode):
# firewall-config.pl --new
If you prefer a manual configuration, this will generate an empty configuration file that you must edit and configure:
# firewall-config.pl --generate
Upgrade config from version >= 0.9.1a
-
Simply run
# firewall-config.pl --update
This will add the new variable names and options to your file.
Restart the firewall with
/etc/init.d/fw-jay restart
-
There are two configuration modes: the interactive mode and the manual mode.
Both create a commented configuration file. You can start with the interactive mode and continue with the manual mode, or the reverse. You can switch from one to the other at any time.
-
Run
# firewall-config.pl --new
This will launch an interactive configuration menu and help you create a new configuration file.
The [-n|--new] parameter is only for creating a non-existing configuration file; to reconfigure the firewall later, only run
# firewall-config.pl
You can create a test configuration file in another location by adding the
[-c|--config <filename>] parameter.
For more details see
# firewall-config.pl --help
-
Run
# firewall-config.pl --generate
This will create an empty configuration file which you must edit and configure.
Here again, you can create a test configuration file in another location by adding the [-c|--config <filename>] parameter.
-
The firewall needs some required information before it can start. Please verify these few points.
- The external interface(s) or Internet interface(s)
This is the bad side of the firewall. It can be a LAN if you are using this firewall inside a LAN (in this case you need to disable the spoofing control).
- Your DNS IPs
Probably given by your ISP, see /etc/resolv.conf (or the config of your DNS server if you are running one on the Linux box).
- Whether you are running a DHCP server for your LAN
Don't forget to enable the "DHCP Server" option in Configuration => LAN in the interactive mode, or set the variable "USE_DHCP_SERVER" to "1" in the configuration file.
This means that your Linux box can accept DHCP requests from your LAN. This is a special access because the host may have an IP like 0.0.0.0 (otherwise only the IPs of your subnets are allowed to connect from your LANs).
-
You probably want to open some TCP/UDP ports for the Internet.
This firewall supports multiple Internet and/or LAN interfaces, so you need to specify on which interface you want to open the TCP/UDP ports.
Here is an example if you want to configure the firewall by hand.
Syntax:
TCP_EXT_IN="<iface1>;<port1>,<port2>,<port3>,... <iface2>;<port1>,<port2>"
Example:
TCP_EXT_IN="ppp0;22,80 ppp1;25,110"
-
By default, this firewall allows all connections from the LAN; the basic configuration is:
TCP_INT_IN="*"
UDP_INT_IN="*"
which means that all ports are open for the LAN.
As on the Internet side, you can restrict it with the same syntax. Example:
TCP_INT_IN="eth0;22,80 eth1;25,110"
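The port syntax of sections 6.4 and 6.5, expanded into the iptables commands it implies. This is an added example, not code from Jay's Iptables Firewall: the chain names JAY_INETIN and JAY_LANIN come from section 2, but the exact shape of the rules the firewall generates is an assumption, and the commands are only printed for review, never executed.

```shell
#!/bin/sh
# Added example, not part of Jay's Iptables Firewall. Expands the
# TCP_EXT_IN / TCP_INT_IN syntax "<iface>;<port>,<port> <iface2>;<port>"
# into iptables commands. Chain names are from the documentation; the rule
# layout ("-m state --state NEW -j ACCEPT") is assumed. Nothing is applied.

# gen_port_rules <proto> <chain> "<spec>"  (prints one command per port)
gen_port_rules() {
    proto=$1; chain=$2; spec=$3
    # "*" means every port on every interface: a single rule, no --dport.
    if [ "$spec" = "*" ]; then
        printf 'iptables -A %s -p %s -m state --state NEW -j ACCEPT\n' "$chain" "$proto"
        return 0
    fi
    for entry in $spec; do                  # entries are space separated
        iface=${entry%%;*}
        ports=${entry#*;}
        if [ -z "$iface" ] || [ "$ports" = "$entry" ]; then
            echo "bad entry '$entry' (expected <iface>;<port,...>)" >&2
            return 1
        fi
        old_ifs=$IFS; IFS=,
        for port in $ports; do              # ports are comma separated
            case $port in
                ''|*[!0-9]*)
                    echo "bad port '$port' in '$entry'" >&2
                    IFS=$old_ifs; return 1 ;;
            esac
            printf 'iptables -A %s -i %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$chain" "$iface" "$proto" "$port"
        done
        IFS=$old_ifs
    done
}

# Constructed sample values, taken from the documentation's own examples.
TCP_EXT_IN="ppp0;22,80 ppp1;25,110"
TCP_INT_IN="*"

gen_port_rules tcp JAY_INETIN "$TCP_EXT_IN"
gen_port_rules tcp JAY_LANIN "$TCP_INT_IN"
```

A malformed entry (missing ";" or a non-numeric port) makes the function return 1, which is the check a practitioner wants before a hand-edited firewall.config is loaded.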
You can install this firewall inside a LAN, for example on a single host or a sub-LAN (here the external interface is a LAN interface), but you need to disable the spoofing control.
The spoofing control denies Internet hosts claiming to come from a LAN (with a private source IP like 10.0.0.0/8, 192.168.0.0/24, ...), but inside a LAN you need to use these IPs.
To disable the spoofing control with the firewall-config.pl utility, go to Configuration => Internet, or open the configuration file and set the variable "SPOOFING_CONTROL" to 1.
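The spoofing test described above, written out as a standalone check so the "inside a LAN" problem is visible: this is an added example, not code from Jay's Iptables Firewall, and the private ranges it tests (the RFC 1918 blocks) are my choice, not the firewall's exact list.

```shell
#!/bin/sh
# Added example, not part of Jay's Iptables Firewall. Models the spoofing
# check applied to the external interface: a source address inside a private
# range is treated as spoofed. The ranges are the RFC 1918 blocks (assumed).

ip_to_int() {   # dotted quad -> 32-bit integer; returns 1 on a malformed address
    case $1 in *[!0-9.]*|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {     # in_cidr <ip> <network/prefix>
    net=${2%/*}; bits=${2#*/}
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# is_spoofed <source ip>: 0 (true) if the Internet-side spoofing check
# would reject the packet, 1 otherwise. Run on a sub-LAN, every legitimate
# client hits this, which is why the check must be disabled there.
is_spoofed() {
    for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        in_cidr "$1" "$range" && return 0
    done
    return 1
}

# Constructed sample: one public and one private source on the external side.
for src in 203.0.113.7 192.168.1.20; do
    if is_spoofed "$src"; then echo "$src: spoofed (private source on external iface)"
    else echo "$src: passes spoofing check"; fi
done
```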
-
Warning: The firewall needs the IPs of your network cards and/or your Internet connection.
The firewall needs to be started after the network and the other connection scripts; if it can't find at least one connected external interface (like the Internet), it will refuse to start.
# /etc/init.d/fw-jay {start|stop}
# /etc/init.d/fw-jay {up|down}
# /etc/init.d/fw-jay {restart}
# /etc/init.d/fw-jay {check}
# /etc/init.d/fw-jay {reload-block-ip|reload-block-mac}
The up|down options are for compatibility and have the same effect as start|stop.
The check option is for testing the config file.
The reload-block-{ip|mac} options reload the IP/MAC block files while the firewall is up.
The firewall needs the IPs of your network cards and/or your Internet connection.
The firewall needs to be started after the network and the other connection scripts; if it is not, it will refuse to start.
If you are using a PPP connection (ex: ISDN, DSL, ...)
-
Create a script in /etc/ppp/ip-up.d/ (or similar)
# vi /etc/ppp/ip-up.d/0firewall
Here I put a 0 before firewall because I want the script to run first (before the other scripts placed in the directory).
Add these 3 lines
#!/bin/sh
/etc/init.d/fw-jay restart
exit 0
If you are using an ethX connection (ex: cable, LAN, ...)
-
Create a script in /etc/sysconfig/network-scripts/ (/etc/network/if-up.d/ for Debian)
# vi /etc/sysconfig/network-scripts/0firewall
Where ethX is your Internet connection. Here I put a 0 before firewall because I want the script to run first (before the other scripts placed in the directory).
Add these 3 lines
#!/bin/sh
/etc/init.d/fw-jay restart
exit 0
To deny some hosts from your domain, use the 'block-*' files.
Go to /var/lib/firewall-jay/
-
edit block-ip-in.user to deny all access from IP addresses
edit block-ip-out.user to deny all access to IP addresses
edit block-mac-in.user to deny all access from MAC addresses
Here is the syntax for IPs:
[!]<ip or subnet>:<description>
· The subnet can be "host.domain.xxx", "1.1.1.1", "1.1.1.0/24" or "1.1.1.0/255.255.255.0", or a range like "1.2.3.50-1.2.3.100" (but then you need to install the iprange module).
· Description: must be less than 24 characters, no spaces allowed
Example:
!10.0.0.1:good-guy
!10.0.0.5:good-guy
10.0.0.0/8:bad-guys
In this example, the whole subnet '10.0.0.0/8' is denied except 10.0.0.1 and 10.0.0.5.
Here is the syntax for MACs:
<mac address>-<description>
· MAC address must be like XX:XX:XX:XX:XX:XX
· Description: must be less than 24 characters, no spaces allowed
Next you must configure the firewall to enable the blocking feature.
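A validator and translator for the block-ip file syntax above ("[!]<ip or subnet>:<description>"), as an added example that is not code from Jay's Iptables Firewall: it enforces the description rules, emits the "!" exceptions before the deny entries so the documented example behaves as described, and assumes a chain name of JAY_DENY_IP_IN (the real firewall may use a different layout).

```shell
#!/bin/sh
# Added example, not part of Jay's Iptables Firewall. Checks entries of a
# block-ip-*.user file and prints the iptables rules they imply. The chain
# name JAY_DENY_IP_IN is assumed; output is printed for review, not applied.

# check_block_entry <entry>: 0 if "[!]<ip or subnet>:<description>" is well formed
check_block_entry() {
    entry=$1
    target=${entry%%:*}; desc=${entry#*:}
    [ "$desc" != "$entry" ] || { echo "missing ':<description>' in '$entry'" >&2; return 1; }
    case $desc in
        *' '*) echo "spaces not allowed in description '$desc'" >&2; return 1 ;;
    esac
    [ ${#desc} -lt 24 ] || { echo "description too long: '$desc'" >&2; return 1; }
    [ -n "${target#!}" ] || { echo "empty address in '$entry'" >&2; return 1; }
    return 0
}

# block_rules <chain>  (entries on stdin, '#' comments stripped). Exceptions
# marked "!" must leave the chain before any deny rule matches, so they are
# emitted first whatever their position in the file.
block_rules() {
    chain=$1
    entries=$(sed 's/#.*//')
    for e in $entries; do check_block_entry "$e" || return 1; done
    for e in $entries; do              # pass 1: exceptions
        case $e in
            !*) a=${e%%:*}
                printf 'iptables -A %s -s %s -j RETURN  # %s\n' "$chain" "${a#!}" "${e#*:}" ;;
        esac
    done
    for e in $entries; do              # pass 2: everything else is dropped
        case $e in
            !*) ;;
            *)  printf 'iptables -A %s -s %s -j DROP  # %s\n' "$chain" "${e%%:*}" "${e#*:}" ;;
        esac
    done
}

# Constructed sample file contents, matching the documentation's example.
printf '!10.0.0.1:good-guy\n!10.0.0.5:good-guy\n10.0.0.0/8:bad-guys\n' | block_rules JAY_DENY_IP_IN
```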
In the config's file
DENY_DIR="/var/lib/firewall-jay"
DENY_IP_IN="1"
DENY_IP_IN_FILES="block-ip-in.user"
DENY_IP_IN_LOG="1"
DENY_IP_OUT="1"
DENY_IP_OUT_FILES="block-ip-out.user"
DENY_IP_OUT_LOG="1"
DENY_MAC_IN="1"
DENY_MAC_IN_FILES="block-mac-in.user"
DENY_MAC_IN_LOG="1"
Where DENY_DIR is the directory where the files are located. DENY_IP_IN, DENY_IP_OUT and DENY_MAC_IN take "1" (enabled) or "0" (disabled) values.
Restart the firewall.
Or with firewall-config.pl
# firewall-config.pl
Go to Features (optional) => Denying Hosts
-
=> Denying IPs source, for example
Save the new config and restart the firewall.
You can reload the block-{ip|mac} files without restarting the firewall with
# /etc/init.d/fw-jay reload-block-ip
or
# /etc/init.d/fw-jay reload-block-mac
Since version 0.8, this firewall provides a big blacklist of IPs/subnets. These IPs are used by spyware companies and should be blocked to protect your LAN from spyware activity.
This list is written and maintained by Sponge (http://www.geocities.com/yosponge/) but is formatted by a Perl script for Jay's Iptables Firewall.
Another IP blacklist may be available to protect your peer-to-peer software from the RIAA and MPAA, etc.
This addon has been written by Fabrice Poulet and can be found here: http://www.atout.be.
To enable the spyware protection:
1 : You must create the spyware list file.
-
run :
# firewall-spy-update.pl
WARNING:
This is a big list! You can find in it some MSN and/or Microsoft IPs that you must not deny if you want to use MSN or whatever.
If you have a problem, edit /usr/sbin/firewall-spy-update.pl and play with the @SPY_TO_IGNORES and/or @IP_TO_IGNORES variables.
Example (by default):
@SPY_TO_IGNORES = ('microsoft','msn');
If some of your software doesn't work with this blacklist, enable the Spywares Logs option and look in /var/log/messages to see what happened.
# firewall-spy-update.pl --help | -h
2 : A file has been created:
/var/lib/firewall-jay/block-ip-out.spywares
3 : Enable the option
-
With firewall-config.pl
# firewall-config.pl
Go to Features (optional) => Denying Hosts => Denying IPS dst
Set it to Enable, select the newly created file (or more than one), and optionally Log.
By hand: edit /etc/firewall-jay/firewall.config
DENY_IP_OUT="1"
DENY_IP_OUT_FILES="block-ip-out.spywares"
4 : That's all ...
5 : To update the list, run
# firewall-spy-update.pl
and reload the block-ip feature of the firewall; run:
# /etc/init.d/fw-jay reload-block-ip
6 : For automatic updates
-
Set a crontab entry for (for example) every Sunday, like:
0 0 * * Sun /usr/sbin/firewall-spy-update.pl
0 5 * * Sun /etc/init.d/fw-jay reload-block-ip
If you need to, you can load your own iptables rules. These rules will be loaded at the end of the firewall.
Keep in mind that these rules can break the firewall's security; please be careful about what you insert here.
Add your own iptables rules in /var/lib/firewall-jay/firewall-custom.rules (default).
Next you must enable the option in the firewall configuration.
In the config's file
CUSTOM_RULES="1"
CUSTOM_RULES_FILE="/var/lib/firewall-jay/firewall-custom.rules" (default)
Or with firewall-config.pl
# firewall-config.pl
Go to Features (optional) => Custom Rules
Next, answer the two questions:
-
1. Enable = Yes
2. Path to custom rules = /var/lib/firewall-jay/firewall-custom.rules (default)
Sometimes you don't want to write all your dropped packets to your syslog files (/var/log/messages, /var/log/syslog, ...).
With the Ulog module, you can easily avoid that.
You only need to compile the Ulog module into your kernel and install ulogd.
Ulog is available for all dropped packets (see the log options section of your config) AND/OR all denied host requests (ex: Spywares, Peerprotect, ...).
This means that there are two independent Ulog configurations; you only need to give the NLGROUP value from your /etc/ulogd.conf.