Kernel iptables support.


Postby ethyrdude » 2006-07-28 00:39

Several days ago, it became apparent that there is a security situation with the 2.6.17 kernel and iptables support. Lavene first noted this situation and then noticed that it also exists in the precompiled Debian kernel as well (see: viewtopic.php?t=7671&highlight=). The problem is that iptables (needed for firewalls) is not supported by default in the kernel.

I have only been using Debian since March 2006, but as I have had previous (limited) experience with other distros, I decided to investigate by setting up a simple firewall for my workstation. I am behind a router, but most people feel that it's still a good idea to have a software firewall in place, even if it's just to protect passwords for email and admin. After all, it would really suck to have somebody change your root password without your knowledge.

I put together this little howto with the newbie like me in mind, so that nobody else goes through what I have during the past three days. It doesn't take much googling to discover that there are many good tutorials on setting up iptables and running various firewall programs that use iptables, but not too much help is offered if you have a problem, and that is what this guide is aimed at.

No matter what firewall program you decide on, it will probably need iptables support from the kernel. There are lots of ways to test whether you have this support; the command # iptables --list will show you if you have it. You should at least get:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Or try this command to see what support you do have:
cat /boot/config-2.6.17.x | grep -i "CONFIG_IP_NF" (replace the x with your version, or leave it out for 2.6.17)

If you don't, first make sure you have iptables installed with apt-get or whatever your favorite installer is. If it's installed, you can then install Guarddog, because even without iptables support you can use it to test for it.

Start Guarddog; it should be in the menu under System after installing, or you can use the command line: sudo guarddog. BTW, this is a KDE program; it will probably run under GNOME, and if not, Gnome-lokkit would be your firewall of choice, although I haven't tried it.

Once Guarddog starts (sorry, no pics), click on the Protocol tab and click on the + next to Network to open up the network options, and in the box beside DNS - Domain Name Server, put a checkmark by clicking on the box. As this is the first step you need to do anyway to activate your firewall, you might as well try this to see if you have iptables support.

Now click on the "Apply" button and you'll get a warning pop-up; click continue unless you're in the middle of a download or something similar. Once you click continue, a window should open up informing you about the progress of what you just applied. If you get no errors, then you are good to go. If you get an error, we'll deal with that below under IF YOU GET AN ERROR.

You'll need to follow the tutorial on:
http://www.simonzone.com/software/guarddog/manual2/index.html
so you'll have to shut down your firewall (only temporarily) and follow the tutorial in Chapter 2. This will give you a basic firewall for your workstation. If you need a different firewall, there are tutorials for that as well. To turn off your firewall, click on the Advanced tab, put an x in the box that states "disable firewall", and "Apply". Once you get to the tutorial, clear this box and press Apply again or you won't be able to configure your firewall. Have fun and good luck.

IF YOU GET AN ERROR

The one error that we are concerned with is the dreaded

iptables: no chain/target/match by that name error
This means you will have to recompile your kernel for iptables support. You can do this by following the excellent howto by Lavene here:
http://forums.debian.net/viewtopic.php?t=4468

Once you start make xconfig or make menuconfig, go to:
(This is for the 2.6.17.x kernel)
Networking --->
Networking options --->
[*] Network packet filtering (replaces ipchains) --->
Core Netfilter Configuration --->
<*> Netfilter Xtables support (required for ip_tables)

There are a lot of options here; I ended up selecting everything that wasn't marked obsolete or experimental. It may have been overkill, but compiling a kernel five times in three days isn't much fun either.

Once you have booted with your new kernel, you can try Guarddog again and see if you have gotten rid of the errors.


BTW, remember that if you do download a new kernel file, you'll probably have to uninstall and reinstall your NVIDIA driver with

sh NVIDIA-Linux-x86-1.0-8762-pkg1.run --uninstall and then sh NVIDIA-Linux-x86-1.0-8762-pkg1.run --x-module-path=/usr/lib/xorg/modules/
(Thanks, Grifter)

I've had people point out lots of good resources for iptables, so if you do want to learn more, you can read the whole Guarddog manual:
http://www.simonzone.com/software/guarddog/manual2/index.html
and there is also more iptables info here:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
ethyrdude
Posts: 221
Joined: 2006-03-18 01:30
Location: Georgina, Ontario, Canada
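One way to automate the kernel-config check described in this post, as an added example that is not part of the original thread: a POSIX shell script that reads a kernel config file such as /boot/config-2.6.17 and reports which netfilter options are missing before you spend three days recompiling. The list in NF_REQUIRED is my own assumption about what a basic workstation firewall with REJECT and MASQUERADE rules needs (the names are the 2.6 Kconfig symbols the grep in the post prints); the post itself names no specific options. The CONFIG_NF_CONNTRACK alternative covers later kernels that renamed connection tracking.

```shell
#!/bin/sh
# Added example (not from the original post): report which netfilter options a
# kernel config file enables. Usage: sh nf_check.sh /boot/config-$(uname -r)
#
# NF_REQUIRED is my assumed list of what a basic workstation firewall needs
# (iptables itself, the filter table, state matching, REJECT, NAT/MASQUERADE);
# the names are the 2.6 Kconfig symbols, also visible via grep CONFIG_IP_NF.
NF_REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# Connection tracking was renamed between kernel releases; either symbol will do.
NF_CONNTRACK_ANY="CONFIG_IP_NF_CONNTRACK CONFIG_NF_CONNTRACK"

# nf_option_state FILE SYMBOL -> prints y (built in), m (module), n (disabled)
# or unset (symbol does not appear in the file at all).
nf_option_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo unset
    fi
}

# nf_missing_options FILE -> prints, space separated, every required symbol that
# is neither =y nor =m. Empty output means the config is sufficient.
nf_missing_options() {
    missing=""
    for sym in $NF_REQUIRED; do
        case "$(nf_option_state "$1" "$sym")" in
            y|m) ;;
            *) missing="$missing $sym" ;;
        esac
    done
    have_ct=0
    for sym in $NF_CONNTRACK_ANY; do
        case "$(nf_option_state "$1" "$sym")" in
            y|m) have_ct=1 ;;
        esac
    done
    [ "$have_ct" -eq 1 ] || missing="$missing CONFIG_IP_NF_CONNTRACK|CONFIG_NF_CONNTRACK"
    echo "${missing# }"
}

# nf_report FILE -> one line per option plus a verdict; returns 1 if anything is missing.
nf_report() {
    for sym in $NF_REQUIRED $NF_CONNTRACK_ANY; do
        printf '%-36s %s\n' "$sym" "$(nf_option_state "$1" "$sym")"
    done
    missing=$(nf_missing_options "$1")
    if [ -n "$missing" ]; then
        echo "Missing: $missing (iptables will fail with 'no chain/target/match by that name')"
        return 1
    fi
    echo "All required netfilter options are enabled in $1"
}

# Only run when a config file is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    nf_report "$1"
fi
```

A non-empty "Missing" line is the config-level counterpart of the error the post describes: "no chain/target/match by that name" is what iptables reports when a rule asks for a table, target or match the running kernel cannot provide, so checking the config first tells you which menuconfig entries to turn on before rebooting.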

Postby bluesdog » 2006-07-28 03:21

I never had much luck with the NVIDIA packages from NVIDIA.

However, it is quite easy to build and install your NVIDIA module from source, should the NVIDIA package install fail.
bluesdog
Posts: 2082
Joined: 2006-02-01 09:02
Location: Similkameen, British Columbia, Canada

Postby ethyrdude » 2006-07-28 15:26

I've never had any problems with the nVidia installer, but no doubt there will always be a first time.

I may re-edit this posting (On Debian User Forums) later as I learn more, but for now, I hope this will help somebody.
Last edited by ethyrdude on 2007-08-11 11:17, edited 1 time in total.
ethyrdude
Posts: 221
Joined: 2006-03-18 01:30
Location: Georgina, Ontario, Canada

Postby ethyrdude » 2006-08-16 17:49

I just thought I would finish this post off with the actual firewall setup for those who want one. Please note: this is a very basic firewall for a workstation, and it only protects the computer it's on. This is not the config you want if your computer is also to run as a router. With this you can access the internet, use smb, and get your email.

The other computers on my network all have their own firewalls, except for my Win 98 box, which has nothing important on it; I don't use it for anything but running Windows programs. This computer is bait: if anyone gets past my router, this is the only computer they may see.

To set up iptables, I followed the tutorial at:
http://www.howtoforge.com/linux_iptables_sarge
Yes, this is for sarge, but it works for etch too. I only set up iptables to allow internet surfing, email access, and local file sharing. Everything else is rejected.

Instead of using Guarddog, I set up Shorewall to control things a bit better. I still don't know as much as I'd like about iptables, so perhaps I didn't need to follow the tutorial at the above address, but if I did, then you probably should too.

For shorewall:
Note to Debian Users

If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies.

Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even if you do not modify those files.

There is a tutorial here:
http://www.cyberdogtech.com/firewalls/tutorial.php?page=fw
but for what I needed the setup was very simple, and here's what I did.
To
/etc/shorewall/interfaces
I added the line (BTW, use kedit or gedit instead of nano unless you're in a text-only interface):
loc eth0 detect

That's all you need if you're connected to a router; the router is net, but as far as your computer is concerned, it is loc.

This line is added right above the very last line in the file, which states:
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
This goes for all the following too.

To
/etc/shorewall/masq
add:
eth0 192.168.0.0/24

To
/etc/shorewall/policy
add:
loc all ACCEPT
fw all ACCEPT
net all DROP
all all REJECT

To
/etc/shorewall/zones
add:

#ZONE TYPE
fw firewall
net ipv4
loc ipv4


Once done, test in a console with:
# shorewall check

and if it validates:
# shorewall restart

If not, check your syntax. If you only have one network card, you only have eth0, so if something doesn't work, check that. Setting loc to eth1 as per the examples will not work.
ethyrdude
Posts: 221
Joined: 2006-03-18 01:30
Location: Georgina, Ontario, Canada
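As an added example (not from this post or from the Shorewall project), here is a small pre-flight check you can run over /etc/shorewall before "shorewall check". It cross-checks the three files this post edits: every zone used in interfaces and policy must be defined in zones, exactly one zone must be of type firewall, the policy actions must be ones Shorewall knows, and the interface named in interfaces must actually exist on the host, which is the eth0/eth1 mistake the post warns about. It assumes the shorewall 3.x column layout (zones: ZONE TYPE ..., interfaces: ZONE INTERFACE ..., policy: SOURCE DEST POLICY ...); that layout is my assumption, taken from the skeleton files shipped in /usr/share/doc/shorewall/default-config.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight consistency check for
# a shorewall configuration directory, to run before "shorewall check".
# Usage: sh sw_precheck.sh /etc/shorewall
#
# Assumes the shorewall 3.x column layout: zones = ZONE TYPE ..., interfaces =
# ZONE INTERFACE ..., policy = SOURCE DEST POLICY ... (my assumption).

# sw_fields FILE -> the file with comments and blank lines removed
sw_fields() {
    sed -e 's/#.*//' "$1" | awk 'NF > 0'
}

# sw_zones DIR -> the zone names defined in DIR/zones, one per line
sw_zones() {
    sw_fields "$1/zones" | awk '{ print $1 }'
}

# sw_in_list LIST WORD -> succeeds if WORD is one of the whitespace-separated LIST entries
sw_in_list() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# sw_problems DIR IFACES -> prints one line per inconsistency found between
# zones, interfaces and policy; IFACES is the list of interfaces on the host.
sw_problems() {
    dir=$1
    ifaces=$2
    zones=$(sw_zones "$dir")

    # Exactly one zone must be the firewall itself (the "fw" used in policy).
    fwcount=$(sw_fields "$dir/zones" | awk '$2 == "firewall"' | wc -l | tr -d ' ')
    [ "$fwcount" -eq 1 ] || echo "zones: expected one zone of type firewall, found $fwcount"

    # Every interface line must name a defined zone and an interface that exists
    # (the eth0 vs eth1 mistake is caught here).
    sw_fields "$dir/interfaces" | while read -r zone iface rest; do
        sw_in_list "$zones" "$zone" || echo "interfaces: zone '$zone' is not defined in zones"
        sw_in_list "$ifaces" "$iface" || echo "interfaces: '$iface' is not an interface on this host"
    done

    # Policy lines may only use defined zones (or all) and a known policy action.
    sw_fields "$dir/policy" | while read -r src dst pol rest; do
        for z in "$src" "$dst"; do
            [ "$z" = all ] || sw_in_list "$zones" "$z" || echo "policy: zone '$z' is not defined in zones"
        done
        case "$pol" in
            ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NONE) ;;
            *) echo "policy: unknown action '$pol' on line: $src $dst $pol" ;;
        esac
    done
}

# sw_check DIR [IFACES] -> prints the problems and returns 1 if there were any;
# IFACES defaults to the interfaces the kernel reports under /sys/class/net.
sw_check() {
    ifaces=${2:-$(ls /sys/class/net 2>/dev/null)}
    out=$(sw_problems "$1" "$ifaces")
    if [ -n "$out" ]; then
        echo "$out"
        return 1
    fi
    echo "$1: zones, interfaces and policy are consistent; run 'shorewall check' next"
}

if [ "$#" -gt 0 ]; then
    sw_check "$1"
fi
```

This is only a sanity check on the relationships between the files, not a replacement for shorewall check, which also validates the rules and masq entries; its value is that it points at the exact line (a zone name, an action, or the wrong eth interface) when the real check just says your syntax is bad.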

