Freerunner advanced firewall

In this article I offer a more advanced firewall solution for the Neo Freerunner than in the article “Freerunner simple firewall”. The firewall rules are essentially the same, but the management is more flexible, accommodating the need to alter rules on the fly and make those alterations survive a reboot. In “Freerunner simple firewall” I presented a simple firewall script that lives in /etc/init.d/iptables and builds the firewall one rule at a time with a series of iptables invocations within the script. Here we examine a more advanced approach that is more flexible and better suited to an advanced networking user who will from time to time need to alter their firewall, permitting new inbound traffic into the Freerunner, like remote connections inbound to monitoring daemons, DB interfaces, etc. It also runs more quickly, although I grant that for a ruleset this small the difference is minor.

This script, like the simpler approach, requires the ‘iptables’ program to be installed, but also requires the iptables-save and iptables-restore commands. Those two commands serve a simple and direct purpose: they save and restore the current active firewall rules. Imagine. They do so in a very simple, straightforward fashion: iptables-save sends the entire current ruleset (all rule chains in the filter, nat, raw, and mangle tables) to stdout in a plaintext form that is easy to read and alter, and that is understood by iptables-restore, which expects such rules to be fed to it on stdin when it is invoked.

Note that if you install my package, http://newkirk.us/om/iptables_1.4.2-rc1_armv4t.ipk, the single ‘iptables’ binary is symlinked as iptables-save and iptables-restore: it senses what name was used to call it and behaves accordingly. That package also installs the script and ruleset below, so this article becomes simply an explanation of what that package does. If you choose to install from the Angstrom feed, you’ll need both the iptables-1.3.8-r4 and the iptables-utils packages, since the latter provides the iptables-restore and iptables-save commands compiled as separate binaries.

So this script uses iptables-save and iptables-restore, and stores the rules in their native format in /etc/default/iptables. When needed you can edit that file directly, or you can alter the live active firewall directly with the iptables command and save the rules when finished with ‘/etc/init.d/iptables save’. (But if you edit the saved ruleset directly, you’ll need to call ‘/etc/init.d/iptables restart’ to enable the rules, and calling ‘save’ before a reboot or restart will overwrite your edits with the current active firewall rules!)

Just as in the ‘Freerunner simple firewall’ script, cut and paste the script below into /etc/init.d/iptables and invoke “update-rc.d iptables defaults 42” to set it to autorun right after networking is activated:

#!/bin/sh
#
# iptables	This shell script starts and stops an iptables firewall.
#
# chkconfig: 345 90 42
# description: Starts and controls an iptables firewall
# processname: iptables

ipt="/usr/sbin/iptables"
inp="/usr/sbin/iptables -A INPUT"

# Bail out with a hint if the iptables binary is missing or not executable.
if [ ! -x "$ipt" ]
then
    echo "iptables does not appear to be installed, no firewall possible. (check path if installed and correct /etc/init.d/iptables 'ipt=' and 'inp=' lines)"
    exit 1
fi

start() {
    echo -n "Starting iptables firewall: "
    if [ ! -f /etc/default/iptables ]
    then
        echo "no saved ruleset in /etc/default/iptables, firewall NOT configured"
        exit 1
    fi
    # iptables-restore reads the saved ruleset on stdin.
    $ipt-restore </etc/default/iptables
#    echo "1" >/proc/sys/net/ipv4/ip_forward
    echo "Firewall configured"
}

stop() {
    echo -n "Stopping iptables firewall (wide-open): "
    $ipt -P INPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -F
    $ipt -t nat -F
    echo "Firewall removed, no filtering in place."
}

lock() {
    echo -n "Firewall locking down: "
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -F
    # $inp already expands to "iptables -A INPUT", so only the match follows.
    $inp -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo " nothing NEW allowed in."
}

save() {
    echo -n "Saving firewall rules: "
    $ipt-save >/etc/default/iptables
    echo "saved to /etc/default/iptables"
}

# See how we were called.
case "$1" in
    start|load)
        start
        ;;
    stop)
        stop
        ;;
    save)
        save
        ;;
    lock)
        lock
        ;;
    restart|reload)
        stop
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|save|lock}"
        exit 1
esac

exit 0

Then cut and paste the following saved ruleset to /etc/default/iptables:

# Generated by iptables-save v1.4.2-rc1 on Sat Aug 23 05:46:29 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Aug 23 05:46:29 2008
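Two things the text above leaves to the operator are checking what a saved ruleset actually admits before loading it, and the fact that the script's save() truncates /etc/default/iptables before iptables-save has written anything, so a failed or interrupted dump leaves an empty or half-written saved ruleset. The POSIX shell snippet below is an added example, not part of the original script or of the iptables package: audit_input reports the INPUT policy and the inbound TCP/UDP ports a saved ruleset accepts (a quick "what does this firewall let in?" check on the file format shown above), and safe_save runs the dump into a temporary file and only replaces the saved ruleset when the dump succeeded and ends with COMMIT, keeping the previous copy as a .bak. The function names, the fake_iptables_save stand-in (which emits a constructed ruleset in place of the real command) and the truncated_save failure case are assumptions made for this example so that it runs on a machine without iptables.

```shell
#!/bin/sh
# Added example around the save/restore workflow described above.
# audit_input FILE    prints "allow PROTO/PORT" for every inbound port the
#                     *filter INPUT chain accepts, then "policy X"; returns 1
#                     when the INPUT policy is anything other than DROP.
# safe_save CMD FILE  runs CMD (iptables-save in real use) into a temp file and
#                     replaces FILE only if CMD succeeded and the dump ends in
#                     COMMIT; the previous FILE is kept as FILE.bak.
# fake_iptables_save and truncated_save are stand-ins (assumptions for this
# example) so it runs on a machine without iptables.

audit_input() {
    awk '
        /^\*/             { table = substr($0, 2); next }   # *filter, *nat, ...
        table != "filter" { next }
        /^:INPUT /        { policy = $2 }                   # ":INPUT DROP [0:0]"
        /^-A INPUT / && /-j ACCEPT$/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            if (port != "") printf "allow %s/%s\n", proto, port
        }
        END {
            printf "policy %s\n", policy
            if (policy == "DROP") exit 0
            exit 1
        }
    ' "$1"
}

safe_save() {
    target="$2"
    tmp="$target.tmp.$$"
    # Dump into a temp file first so a failing dump cannot clobber the target.
    if ! "$1" >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "safe_save: dump command failed, $target left untouched" >&2
        return 1
    fi
    # A complete iptables-save dump ends every table with COMMIT.
    if ! grep -q '^COMMIT$' "$tmp"; then
        rm -f "$tmp"
        echo "safe_save: dump is incomplete (no COMMIT), $target left untouched" >&2
        return 1
    fi
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak"
    fi
    mv "$tmp" "$target"
}

fake_iptables_save() {
    # Constructed dump in iptables-save format (not output from a real device).
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
COMMIT
EOF
}

truncated_save() {
    # What a dump killed part-way through looks like: exit 0 but no COMMIT.
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n'
}

# Demo in a scratch directory instead of /etc/default.
work=$(mktemp -d)
saved="$work/iptables"
safe_save fake_iptables_save "$saved"
audit_input "$saved" || echo "WARNING: INPUT policy is not DROP"
safe_save truncated_save "$saved" || echo "kept previous ruleset ($(wc -l <"$saved") lines)"
```

On the Freerunner itself the call would be `safe_save /usr/sbin/iptables-save /etc/default/iptables`; writing the temp file next to the target keeps the final `mv` on one filesystem, so a crash between the two leaves either the old or the new ruleset in place, never a partial one.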

NOTE: as with the simple firewall script, this one assumes the iptables and related binaries live in /usr/sbin, the default install location for the Angstrom packages and my own ipks. If you’ve forced a different install path, you’ll need to edit the ‘ipt=’ and ‘inp=’ lines near the beginning of the script to match your path. Also note the commented-out line enabling forwarding (/proc/sys/net/ipv4/ip_forward): you’ll need to uncomment that if you want to route packets through your Freerunner, else the firewall will permit and NAT such traffic but the kernel routing will NOT.

That’s it. When rebooted (or invoked manually with ‘/etc/init.d/iptables start’, which is done for you when the install completes with my iptables ipk) it will install the saved rules as the active firewall. You can alter the active rules on the fly with the iptables command, and make those changes permanent with ‘/etc/init.d/iptables save’. As with the simple firewall script, it offers ‘stop’, which removes all firewall rules, and ‘lock’, which locks down the firewall. I recommend reading the comments about the rules themselves in the ‘Freerunner simple firewall’ article to get a better understanding of what these rules do and don’t accomplish. Also note that the commented-out rules in the Simple script are not represented here; if you want one of those features enabled, you can simply cut and paste the single lines from the Simple script and execute them directly on the Freerunner, followed by ‘/etc/init.d/iptables save’ to make the additions permanent.

j

2 thoughts on “Freerunner advanced firewall”

  1. Pingback: Freedom of Speech » Archive » And despite ..

  2. www.detektivderdetektei.de (1 comments)

    Hey! I m glad to your post “ner advanced firewall | jThinks” so well that I like to ask you whether I should translate into German and linking back. Please answer. Greetings Detektiv
